On Jan 28, 2010, at 9:15 PM, P. Larry Nelson wrote: > Hi Troy, > > Troy Dawson wrote on 1/28/2010 1:55 PM: >> P. Larry Nelson wrote: >>> Hi, >>> >>> I just received a "HIGH criticality" email from >>> [email protected] stating: >>> >>> "Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the >>> certificate authentication for OSG/VDT." >>> >>> Not having my ear to the ground vis-a-vis openssl, does anyone know if >>> that version is due to be released soon? Will it come from TUV or >>> directly from openssl.org? (Troy/Connie question) >>> >>> Right now, we have openssl-0.9.8e-12.el5_4.1. >>> >>> I suppose the thing to do is to go and edit the yum.cron.excludes on >>> all our OSG nodes to block openssl* until this issue is fixed. [sigh...] >>> >>> - Larry >>> >> >> Scientific Linux, and RHEL are enterprise linux distributions. >> This means that they do *not* just update to the latest versions of >> packages. RedHat and SL will *not* just update to the latest version of >> openssl, just because it was released. >> >> SL 4.0 had openssl 0.9.7a >> SL 4.8 has openssl 0.9.7a >> >> Thas is after five years, we still have the same version of openssl. >> RedHat backports all the security fixes into the 0.9.7a version for >> RHEL4 (and hense SL4). >> >> SL 5.0 had openssl 0.9.8b >> SL 5.4 has openssl 0.9.8e
Even SL6 won't have openssl 1. It was only added after FC12 that SL6 will eventually be based on. Steve >> >> After 3 years, SL5 is still at version 0.9.8, although we have moved >> from b to e. >> I cannot say for 100% certain, because we are not RedHat. But according >> to all their policies, goals, statements and past history, they are not >> going to move openssl above version 0.9.8 for RHEL 5 (and hense SL5) >> >> Troy > > Thanks for the info and history lesson. I didn't know and didn't want > to assume. As far as I knew, openssl 1.x might have been a big hairy > deal security fix that was imminent. > > - Larry > > -- > P. Larry Nelson (217-244-9855) | Systems/Network Administrator > 461 Loomis Lab | High Energy Physics Group > 1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill. > MailTo:[email protected] | http://www.roadkill.com/lnelson/ > ------------------------------------------------------------------- > "Information without accountability is just noise." - P.L. Nelson
