On Tue, Apr 8, 2014 at 5:02 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 8 Apr 2014, at 10:35, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
On 08/04/14 01:11, stefan.paetow@diamond.ac.uk wrote:
I'm back in the office tomorrow and will check the CentOS updates
Seems that CentOS 5 is not affected, but CentOS 6 is. An patched update has been released for for RHEL 6 and will presumably make its way into CentOS before too long...
Question to representatives of various distributions on the lists.
As instead of fix the issues correctly by upgrading to 1.0.1g, you are patching existing versions of libssl, how can we determine whether a version of libssl is vulnerable or not at configure time?
As it stands the next versions on all branches will refuse to build against libssl 1.0.1-1.0.1f because of the potential security risk.
In the past with clamav (the opensource antivirus), when faced with possible security risk in certain zlib versions, they refused to build by default when detecting unsafe versions, but added --disable-zlib-vcheck in configure script to allow manual override. IMHO it's a good workaround. -- Fajar