----- Original Message -----
> From: "Gert Doering" <g...@greenie.muc.de>
> To: "David Sommerseth" <openvpn.l...@topphemmelig.net>
> Cc: "Jan Just Keijser" <janj...@nikhef.nl>, openvpn-devel@lists.sourceforge.net
> Sent: Saturday, 12 July, 2014 11:41:30 AM
> Subject: Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file
>
> > In addition, EL5 is the oldest distro we support (after we convinced James to
> > ditch EL4 when that went officially EOL; not counting the extended support
> > some few customers may pay for).
>
> Any way to convince RH to pick up this security-relevant fix?

I haven't had time to check the changelog for openssl on EL5 (not close to /my/ computers). But it wouldn't surprise me if they have already fixed this. But as SSL_OP_NO_TICKET was introduced in a newer base release than EL5 uses, they have most likely solved it in another way. Maybe by always adding this flag implicitly? (Which would have the benefit of not needing to recompile all OpenSSL applications with this flaw).

IIRC, the guy overseeing the Secure Response Team in RH is Mark Cox, who is also an upstream OpenSSL maintainer. So I'm quite sure all RH releases have fixed this issue.

--
kind regards,

David Sommerseth