OpenSSL Security issues

[stefan.paetow at diamond.ac.uk]

> Please don't do that, for the exact reasons you outlined.
> 
> Hardcoding a version number blacklist into the build environment just
> means everyone building against an enterprise distro will have to patch
> your changes out.
> 
> I realise it's a serious vulnerability, but "configure.in" of a project
> using the library is not the right place to address this.
> 
> You'd be better off adding a runtime check and refusing to start
> without "allow_unsafe_openssl" global set or similar, if you must. At
> least that way people can configure the server to start once they've
> patched.

Response from Fedora project was: 

"I took the approach of least resistance, which was to patch the bug. The OpenSSL maintainers have whatever reason they have to keeping OpenSSL at 1.0.1e and it wasn't my place to change that. It also happens to be the approach that RHEL took."

There we have it. Path of least bleating and most expediency. 

:-)

Stefan



-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom