LinuxQuestions.org


tireswinger 01-29-2011 11:30 AM

Getting most secure version of openssl on CentOS 5 via yum
 
Greetings,

I've recently migrated an unlicensed RHEL5 box to CentOS 5 in order to get the system patched, and yum is telling me that openssl 0.9.8e is the up-to-date version. But that version is over two years old. I know I can install the newest openssl by using the rpm and I also know how to install from the tarball, but I'm trying to avoid both methods because I prefer the automated dependency handling of yum.

My question is SHOULD I be expecting yum to see openssl 0.9.8q when I run 'yum update openssl'?

If so, I'll be happy to reinvestigate my configuration for problems. I'm currently just using the default CentOS repositories.

If it's a case where anything beyond 0.9.8e simply hasn't been included from upstream, and I need to install it manually, that's fine. I'm just trying to get a handle on my expectations. I've been poring through Google and forums and looking for documentation for weeks, but there's so much that it's definitely possible I've overlooked it. Any clarification or further reading the forum can suggest would be greatly appreciated.

Thanks!

Ps. If I've posted this to the wrong forum, I apologize.

acid_kewpie 01-29-2011 12:06 PM

New is NOT the most secure. Newer software means more recent changes to the code, which means more new opportunities for bugs and security issues. The RHEL (and therefore CentOS) policy is to standardise on versions of a package on a per-distro basis (0.9.8e in the case of openssl on RHEL5) and then backport security updates from newer versions to their base package. Run "rpm -qi --changelog openssl" to see what changes they have made to it over time. The most recent build only came out on the 15th of this December, and was for...

Quote:

* Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)
which you should probably go and read up on if you want to get a feel for why this "old" version is not insecure.
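
The check acid_kewpie describes (read the package changelog rather than the version string) can be scripted. This is an added example, not code from the thread or from Red Hat: it parses changelog text in the "* date author version-release" / "- entry" layout quoted above and reports the release in which a given CVE id first appears. The sample changelog is constructed from the entry quoted in the thread plus one placeholder entry; on a real CentOS 5 host the input would come from `rpm -q --changelog openssl`.

```shell
#!/bin/sh
# Added example: find which package release first mentions a CVE in an
# RPM changelog. Useful because backported fixes never change "0.9.8e".

# Constructed sample: first entry is the one quoted in the thread, the
# second is a placeholder with no security content.
SAMPLE_CHANGELOG='* Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
  SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)
* Wed Sep 01 2010 Placeholder Maintainer <maint@example.invalid> 0.9.8e-PLACEHOLDER
- constructed placeholder entry: rebuild only, no security fix'

# cve_fix_release CHANGELOG_TEXT CVE-ID
# Prints the version-release of the newest entry whose body mentions the
# CVE id; prints nothing and returns 1 if the changelog never mentions it.
cve_fix_release() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /          { evr = $NF }          # header line: last field is EVR
        index($0, cve)  { print evr; found = 1; exit }
        END             { exit found ? 0 : 1 }
    '
}

# package_changelog PACKAGE
# Uses the live RPM database when available, otherwise the constructed
# sample so the example still runs on a non-RPM system.
package_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Usage: sh check_backport.sh openssl CVE-2010-4180
if [ -n "$1" ] && [ -n "$2" ]; then
    if rel=$(cve_fix_release "$(package_changelog "$1")" "$2"); then
        echo "$2 fixed in $1 release $rel"
    else
        echo "$2 not mentioned in the $1 changelog"
    fi
fi
```

A CVE that is absent from the changelog is not proof the package is vulnerable (the base version may never have been affected), so treat "not mentioned" as a prompt to check the vendor's CVE page, not as a verdict.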

tireswinger 01-29-2011 12:15 PM

Thanks acid_kewpie... this is a tremendous help! Your post just made my last three weeks of confusion click. Many, many thanks.

acid_kewpie 01-29-2011 01:03 PM

You can probably see why it's good to keep the same base version of code. Adding, or even worse, removing, functionality, changing outward behaviour, etc., can have horrible consequences in terms of integrating with the rest of the environment. Sometimes this is unavoidable; I remember some changes in openssh which changed a default setting from some point forward in el5 which caused me some issues, but in general it's best to live with any shortcomings and quirks, as once they are worked around, then that's that, and can stay worked around for the duration of that release, no more headaches.

tireswinger 01-29-2011 01:39 PM

Quote:

Originally Posted by acid_kewpie (Post 4241643)
You can probably see why it's good to keep the same base version of code. Adding, or even worse, removing, functionality, changing outward behaviour, etc., can have horrible consequences in terms of integrating with the rest of the environment. Sometimes this is unavoidable; I remember some changes in openssh which changed a default setting from some point forward in el5 which caused me some issues, but in general it's best to live with any shortcomings and quirks, as once they are worked around, then that's that, and can stay worked around for the duration of that release, no more headaches.

Absolutely! This is exactly what I'm after. Understanding how this versioning works is a tremendous help. I'm sure I glossed over that in all of my reading. Thanks again for the help. I love open source!
