Old 01-29-2011, 11:30 AM   #1
tireswinger
LQ Newbie
 
Registered: May 2007
Location: Kansas, USA
Distribution: rhel
Posts: 4

Rep: Reputation: 0
Getting most secure version of openssl on CentOS 5 via yum


Greetings,

I've recently migrated an unlicensed RHEL5 box to CentOS 5 in order to get the system patched, and yum is telling me that openssl 0.9.8e is the up-to-date version. But that version is over two years old. I know I can install the newest openssl by using the rpm and I also know how to install from the tarball, but I'm trying to avoid both methods because I prefer the automated dependency handling of yum.

My question is SHOULD I be expecting yum to see openssl 0.9.8q when I run 'yum update openssl'?

If so, I'll be happy to reinvestigate my configuration for problems. I'm currently just using the default CentOS repositories.

If it's a case where anything beyond 0.9.8e simply hasn't been included from upstream, and I need to install it manually, that's fine. I'm just trying to get a handle on my expectations. I've been poring through Google and forums and looking for documentation for weeks, but there's so much that it's definitely possible I've overlooked it. Any clarification or further reading the forum can suggest would be greatly appreciated.

Thanks!

Ps. If I've posted this to the wrong forum, I apologize.
 
Old 01-29-2011, 12:06 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967
New is NOT the most secure. Newer software means more recent changes to the code, which means more new opportunities for bugs and security issues. The RHEL (and therefore CentOS) policy is to standardise on versions of a package on a per-distro basis - 0.9.8e in the case of openssl on rhel5 - and then backport security updates from newer versions to their base package. Run "rpm -qi --changelog openssl" to see what changes they have made to it over time. The most recent build only came out on the 15th of this December, and was for...

Quote:
* Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)
which you should probably go and read up on if you want to get a feel for why this "old" version is not insecure.

Last edited by acid_kewpie; 01-29-2011 at 12:13 PM.
 
1 members found this post helpful.
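
The changelog check described in the post above, as an added example that is not part of the original thread: it maps each CVE id in an RPM changelog to the package build whose entry mentions it, so "is this CVE fixed in my 0.9.8e build?" can be answered without comparing upstream version numbers. The function names and the second sample entry are constructed for illustration; the first sample entry is the one quoted in the post.

```shell
#!/bin/sh
# Added example: map CVE ids in an RPM changelog to the build that fixed them.
# On a real host feed it with:  rpm -q --changelog openssl | list_cve_fixes

# Print "<CVE-id> <version-release>" for every CVE mentioned in the changelog
# read from stdin. Entry headers look like:
#   * Tue Dec 07 2010 Name <mail> 0.9.8e-12.7
list_cve_fixes() {
    awk '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            line = $0                # body line (including wrapped continuations)
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!((id, rel) in seen)) { seen[id, rel] = 1; print id, rel }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Print the fixing build(s) for CVE $1 from the changelog on stdin;
# exit status is non-zero when the changelog never mentions that CVE.
cve_fix_release() {
    list_cve_fixes | awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Constructed sample input: the first entry is the one quoted in the thread,
# the second is invented filler with no CVE reference.
sample_changelog() {
    cat <<'EOF'
* Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
  SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)

* Mon Jan 01 2001 Example Packager <packager@example.invalid> 0.0.0-0.placeholder
- constructed entry: rebuild, no security change
EOF
}

if sample_changelog | cve_fix_release CVE-2010-4180; then
    echo "fix is present in the package changelog"
fi
```

A non-zero exit only means the changelog does not mention the id; the distribution's security advisories remain the authoritative record of whether a package is affected.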
Old 01-29-2011, 12:15 PM   #3
tireswinger
LQ Newbie
 
Registered: May 2007
Location: Kansas, USA
Distribution: rhel
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks acid_kewpie... this is a tremendous help! Your post just made my last three weeks of confusion click. Many, many thanks.
 
Old 01-29-2011, 01:03 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967
You can probably see why it's good to keep the same base version of code. Adding, or even worse, removing, functionality, changing outward behaviour etc., can have horrible consequences in terms of integrating with the rest of the environment. Sometimes this is unavoidable; I remember some changes in openssh which changed a default setting from some point forward in el5 which caused me some issues, but in general it's best to live with any shortcomings and quirks, as once they are worked around, then that's that, and can stay worked around for the duration of that release, no more headaches.
 
Old 01-29-2011, 01:39 PM   #5
tireswinger
LQ Newbie
 
Registered: May 2007
Location: Kansas, USA
Distribution: rhel
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
You can probably see why it's good to keep the same base version of code. Adding, or even worse, removing, functionality, changing outward behaviour etc., can have horrible consequences in terms of integrating with the rest of the environment. Sometimes this is unavoidable; I remember some changes in openssh which changed a default setting from some point forward in el5 which caused me some issues, but in general it's best to live with any shortcomings and quirks, as once they are worked around, then that's that, and can stay worked around for the duration of that release, no more headaches.
Absolutely! This is exactly what I'm after. Understanding how this versioning works is a tremendous help. I'm sure I glossed over that in all of my reading. Thanks again for the help. I love open source!
Tags
centos5, openssl, yum