RedHat patches vs open source patches
I recently converted to RH Linux 9.0 and am confused about patching.
For example, if I run a web server and have OpenSSL on my system and want to upgrade OpenSSL, I get the latest updates from RedHat using up2date. After running up2date my OpenSSL shows as version 0.9.7a-33.12; however, openssl.org shows that the latest secure version of OpenSSL is 0.9.7d.
I know RedHat does their own weird update names so that 0.9.7a-33.12 is SUPPOSED to be the same as the open source 0.9.7d. But how can I tell? If openssl.org claims that anything below 0.9.7d is vulnerable, and RedHat says 0.9.7a-33.12 is the latest and greatest version, how do I know 0.9.7a-33.12 contains the security fixes in 0.9.7d? I'm trying to find out an easy way here, because this issue apparently applies to other software as well and I don't know if I can just take RedHat's word for it that all security fixes are in their updates.
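One practical check for the situation the post describes, as an added example that is not part of the original post: Red Hat keeps the upstream version string (0.9.7a) and backports the fix into a new release number, and records the CVE identifier of the fix in the package changelog, so `rpm -q --changelog openssl` is where the evidence lives rather than in the version number. The script below reads changelog text on stdin and reports whether a given CVE is recorded; CVE-2004-0079 is the real identifier for the flaw fixed in OpenSSL 0.9.7d, but the changelog entries and maintainer name are constructed for the example, not copied from a Red Hat package. The function also accepts the older CAN- prefix that changelogs from that era use, since an exact `grep CVE-2004-0079` would miss an entry written as CAN-2004-0079.

```shell
#!/bin/sh
# Added example, not code from the original post: decide whether a Red Hat
# package's changelog records a given CVE, which is how a backported fix
# shows up when the upstream version string (0.9.7a-NN) does not move.
# Usage on a real system:
#   rpm -q --changelog openssl | changelog_mentions_cve CVE-2004-0079
# Reads changelog text on stdin; prints "yes" or "no" and returns 0 or 1.
changelog_mentions_cve() {
    id="$1"
    # Strip either prefix so CVE-2004-0079 also finds the older CAN-2004-0079
    # spelling used in changelogs written before the CAN->CVE rename.
    num="${id#CVE-}"
    num="${num#CAN-}"
    # Require a non-digit (or end of line) after the number so that
    # 2004-0079 does not match a hypothetical 2004-00791.
    if grep -Eq "(CVE|CAN)-${num}([^0-9]|\$)"; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Constructed sample in `rpm -q --changelog` layout (not a real Red Hat entry).
SAMPLE_CHANGELOG='* Wed Mar 17 2004 Example Maintainer <maint@example.com> 0.9.7a-33.12
- backport fix for CAN-2004-0079 (NULL pointer dereference in the SSL/TLS handshake)

* Mon Dec 01 2003 Example Maintainer <maint@example.com> 0.9.7a-33.10
- rebuild for errata'

# Wrapper so callers do not have to set up the pipe themselves.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$1"
}

sample_has_cve CVE-2004-0079 || true   # yes: recorded under the CAN- spelling
sample_has_cve CVE-2004-0081 || true   # no: not mentioned in this changelog
```

The changelog is the per-package record; the corresponding Red Hat errata advisory lists the same CVE identifiers per build, so the two can be cross-checked when a changelog entry is terse. A "no" result means the identifier is absent from the changelog, not necessarily that the system is vulnerable; a "yes" result is only as trustworthy as the vendor's bookkeeping, which is why pairing it with the advisory matters.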