Hi Doug,
Doug Olson wrote on 1/28/2010 1:48 PM:
Hi Larry,
I am on the OSG security team. The message also stated
that no action is required at this point.
The email I got did not say that. It did say: "We have proposals to fix
this issue and you will be notified when we become compatible with OpenSSL."
So it was not clear that we did not need to take action at this point.
If you block openssl updates you might miss important updates
before the v1.x comes out.
It should be that updated OSG software that can handle openssl 1.x will
be out before openssl v1.x comes through the OS distribution channels.
Doug
Thanks for the clarification. Maybe a followup email to
[email protected]
with that explanation might put some nerves at ease. :-)
- Larry
On 1/28/2010 11:25 AM, P. Larry Nelson wrote:
Hi,
I just received a "HIGH criticality" email from
[email protected] stating:
"Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the
certificate authentication for OSG/VDT."
Not having my ear to the ground vis-a-vis openssl, does anyone know if
that version is due to be released soon? Will it come from TUV or
directly from openssl.org? (Troy/Connie question)
Right now, we have openssl-0.9.8e-12.el5_4.1.
I suppose the thing to do is to go and edit the yum.cron.excludes on
all our OSG nodes to block openssl* until this issue is fixed. [sigh...]
- Larry
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[email protected] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson
