OpenSSL Security issues

Fajar A. Nugraha list at fajar.net
Tue Apr 8 13:21:46 CEST 2014


On Tue, Apr 8, 2014 at 5:02 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
> On 8 Apr 2014, at 10:35, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk>
> wrote:
>
> > On 08/04/14 01:11, stefan.paetow at diamond.ac.uk wrote:
> >> I'm back in the office tomorrow and will check the CentOS updates
> >
> > Seems that CentOS 5 is not affected, but CentOS 6 is. A patched update
> has been released for RHEL 6 and will presumably make its way into
> CentOS before too long...
> >
> > https://rhn.redhat.com/errata/RHSA-2014-0376.html
>
> Question to representatives of various distributions on the lists.
>
> As instead of fixing the issues correctly by upgrading to 1.0.1g, you
> are patching existing versions of libssl, how can we determine whether
> a version of libssl is vulnerable or not at configure time?
>
> As it stands the next versions on all branches will refuse to build
> against libssl 1.0.1-1.0.1f because of the potential security risk.
>
>

In the past with clamav (the open-source antivirus), when faced with a
possible security risk in certain zlib versions, they refused to build by
default when detecting unsafe versions, but added --disable-zlib-vcheck to the
configure script to allow a manual override. IMHO it's a good workaround.

-- 
Fajar
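The configure-time gate Fajar describes, as an added example that is not FreeRADIUS's or clamav's own configure logic: it reads libssl's OPENSSL_VERSION_NUMBER, refuses the 1.0.1 to 1.0.1f range discussed in the thread, and honours an override flag. The flag name --disable-openssl-vcheck, the header probe and the version-string helper are assumptions for this example. Note the caveat Arran raises: a version-only test cannot see a distribution's backported fix, so the override is what a RHEL/CentOS user would need, and the check is a gate rather than proof that a build is safe.

```shell
#!/bin/sh
# Added example (not FreeRADIUS's or clamav's configure code): a configure-time
# gate on libssl's OPENSSL_VERSION_NUMBER with a manual override, in the style
# of clamav's --disable-zlib-vcheck. The flag --disable-openssl-vcheck is assumed.
#
# OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS: major (4 bits), minor (8),
# fix (8), patch letter (8), status (4). The thread's vulnerable range is
# 1.0.1 through 1.0.1f; 1.0.1g is the first release it treats as fixed.
VULN_LO=$((0x10001000))   # 1.0.1, any status nibble
VULN_HI=$((0x10001070))   # 1.0.1g (exclusive upper bound)

# Status 0 (true) when the given OPENSSL_VERSION_NUMBER, e.g. 0x1000106f,
# falls inside the vulnerable range.
openssl_is_vulnerable() {
    n=$(($1))
    [ "$n" -ge "$VULN_LO" ] && [ "$n" -lt "$VULN_HI" ]
}

# Renders a version number in the usual "1.0.1f" form for messages.
openssl_version_string() {
    n=$(($1))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    letter=""
    if [ "$patch" -gt 0 ] && [ "$patch" -le 26 ]; then
        letter=$(printf '%s' abcdefghijklmnopqrstuvwxyz | cut -c "$patch")
    fi
    printf '%d.%d.%d%s' "$major" "$minor" "$fix" "$letter"
}

# The configure decision. $1 = OPENSSL_VERSION_NUMBER, $2 = "yes" when
# --disable-openssl-vcheck was given. Returns 0 to proceed, 1 to refuse.
# A version-only test cannot see a distribution's backported fix, which is
# exactly what the override is for; this is a gate, not proof of safety.
check_openssl_version() {
    ver=$1
    override=${2:-no}
    if openssl_is_vulnerable "$ver"; then
        if [ "$override" = yes ]; then
            echo "configure: WARNING: libssl $(openssl_version_string "$ver") is in the" \
                 "vulnerable range; continuing because --disable-openssl-vcheck was given" >&2
            return 0
        fi
        echo "configure: error: libssl $(openssl_version_string "$ver") is in the" \
             "vulnerable range 1.0.1-1.0.1f. Upgrade to 1.0.1g or later, or pass" \
             "--disable-openssl-vcheck if your distribution has backported the fix." >&2
        return 1
    fi
    return 0
}

# Reads OPENSSL_VERSION_NUMBER from the installed headers the way a configure
# test would. Prints nothing and returns 1 when there is no compiler, no header,
# or the macro does not expand to a plain hex constant (as in OpenSSL 3.x).
probe_openssl_version_number() {
    cc=${CC:-cc}
    command -v "$cc" >/dev/null 2>&1 || return 1
    v=$(printf '#include <openssl/opensslv.h>\nprobe:OPENSSL_VERSION_NUMBER\n' \
        | "$cc" -E -x c - 2>/dev/null \
        | sed -n 's/^probe:\(0x[0-9A-Fa-f]*\)[Ll]*$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Stand-alone use: sh openssl-vcheck.sh [--disable-openssl-vcheck]
main() {
    override=no
    if [ "${1:-}" = --disable-openssl-vcheck ]; then
        override=yes
    fi
    if ver=$(probe_openssl_version_number); then
        check_openssl_version "$ver" "$override"
    else
        echo "configure: could not determine libssl version; check skipped" >&2
    fi
}

main "$@"
```

In a real autoconf script the probe would be an AC_COMPUTE_INT or AC_PREPROC test and the override an AC_ARG_ENABLE, but the decision logic is the same: refuse the known-bad range unless the builder explicitly accepts responsibility for a patched library.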