On Jul 11, 2011, at 1:23 PM, Dennis Kibbe wrote:

> On Sun, 2011-07-10 at 12:00 -0400, R P Herrold wrote:
>> On Sun, 10 Jul 2011, Lisa Kachold wrote:
>>
>>> Thanks - I am especially interested in seeing the SSL updated. Currently the
>>> "stable" SSL available from the repo for CentOS 5 is exploitable.
>>
>> There are no publicly known SSL issues in the openssl
>> maintained by CentOS
>>
>> Please state the CVE, or if a private zero day, Lisa, please
>> state the vector so I may set up a unit running the allegedly
>> vulnerable service or services [ie over http, smtp, pop,
>> whatever] for you to demonstrate this assertion
>>
>> -- Russ herrold
>
> One thing that people might not realize is that Red Hat back ports
> security fixes so you can't just look at the version number and assume
> that if it's not the latest it's flawed.

That definitely tripped me up when I first logged into a RH machine and the SSL version was years out of date (according to the SSL version number). After a little more digging I realized that RH was delivering patches.

alex

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
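
The backporting point made in this thread can be checked from the package changelog instead of the upstream version string. The following is an added example, not part of the original messages: the function names, the sample changelog, its packager and its CVE ids are constructed placeholders, and on a real host the input would come from `rpm -q --changelog openssl`.

```shell
#!/bin/sh
# Added example: map CVE ids in an RPM changelog to the package release
# whose changelog entry mentions the fix.

# Constructed sample changelog (placeholder CVE ids and packager, not real data).
sample_changelog() {
cat <<'EOF'
* Tue Mar 01 2011 Example Packager <packager@example.com> 0.9.8e-12.el5.3
- fix CVE-0000-0003 - constructed entry (#000003)

* Mon Jan 10 2011 Example Packager <packager@example.com> 0.9.8e-12.el5.2
- fix CVE-0000-0001 and CVE-0000-0002 - constructed entry
- unrelated packaging cleanup

* Fri Jun 04 2010 Example Packager <packager@example.com> 0.9.8e-12.el5.1
- rebuild
EOF
}

# Read a changelog on stdin; print "CVE-id release" for every CVE mentioned.
# The release is the last field of each "* date packager version-release" header.
changelog_cves() {
    awk '
        /^\*/ { rel = $NF; next }
        {
            line = $0
            # A line may name several CVEs; consume them one at a time.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), rel
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Print the release that lists CVE $1 (changelog on stdin); return 1 if absent.
cve_fixed_in() {
    changelog_cves | awk -v id="$1" \
        '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Stand-alone run over the constructed sample.
sample_changelog | changelog_cves
```

A CVE missing from the changelog can also mean the packaged version was never affected, so a miss is a prompt to read the vendor advisory, not proof of exposure.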