Old 07-31-2008, 10:24 AM   #1
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 346

Rep: Reputation: 31
Patching an rpm for openssl


Never had to before, but our audit also found the openssl version needed an update. This was a simple binary install, so a yum update openssl* did update to the newest openssl-0.9.8a-5.4, but the audit did show the following as the resolution:

Upgrade to OpenSSL 0.9.7k or 0.9.8c or newer. A source code patch
is also available for those who cannot upgrade to a newer version. The
link to the patch is below.
Patches: http://www.openssl.org/news/patch-CVE-2006-4339.txt

I am not sure if I can in fact patch the rpm version with that text file, if so, great, how?

Thanks!
 
Old 07-31-2008, 01:12 PM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Well, patching usually occurs on the source code, not the RPM itself. The easier approach would be to install the SRC RPM for your existing install of openssl, patch the sources and then rebuild. Or you could download the source, strip of its spec file to build from and rebuild with the 0.9.7k or 0.9.8c sources instead of 0.9.8a-5.4.

What distribution is this?
 
Old 07-31-2008, 01:41 PM   #3
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 346

Original Poster
Rep: Reputation: 31
OS is Fedora 5. This box is a development server running svn which upon commit updates 6 live clustered webservers so I need to make this change / update easy, so I can (trying to remember all my sysadmin 101 stuff), do an rpm -e on the packages (which I will most likely get some dependency error with my luck.)

Then download the src.rpm and go that route, but not sure if (and how) you patch with that text file, then install.

Thanks again for the reply, I read these forums to keep learning and your name gets around more than my 1st girlfriend! So thanks for really helping out with so many people's questions.
 
Old 07-31-2008, 02:08 PM   #4
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Quote:
Originally Posted by sir-lancealot
Then download the src.rpm and go that route, but not sure if (and how) you patch with that text file, then install.
The source RPM should include the tarball of openssl. Once rebuilt, you probably don't have to remove the package per se but rather just force a reinstall or update.

Is this a 64bit setup by chance? I only see openssl-0.9.8a-5.2 for i386 arch and the openssl-0.9.8a-5.4 in the x86_64 for Fedora Core 5.

Edit: Nevermind, found the i686 and i386 version.

Last edited by trickykid; 07-31-2008 at 02:11 PM.
 
Old 07-31-2008, 02:16 PM   #5
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Well I found the Source RPM from http://mirror.fraunhofer.de/download...dates/5/SRPMS/ and installed it, seems this RPM was built with the patch you mentioned:

Code:
[root@dbentley-laptop SOURCES]# pwd
/usr/src/redhat/SOURCES
[root@dbentley-laptop SOURCES]# ls -al openssl-0.9.8b-cve-2006-4339.patch 
-rw-r--r-- 1 root root 2733 2006-09-05 10:25 openssl-0.9.8b-cve-2006-4339.patch
Maybe the version you have installed didn't include it but if you download it from http://mirror.fraunhofer.de/download...86_64/?C=M;O=A you'll notice that it has the x86_64, i386 and i686 arch RPM's available. I checked the openssl.spec file as well to make sure it included this patch, which it does.

This might solve the issue, get you your patch without having to rebuild. If not, the steps to patch shouldn't be too hard.

Last edited by trickykid; 07-31-2008 at 02:19 PM.
 
Old 07-31-2008, 03:03 PM   #6
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 346

Original Poster
Rep: Reputation: 31
Now I am puzzled. I did look at the download from the 1st link, and pulled down the file:
Sep 28 2006 openssl-0.9.8a-5.4.src.rpm, did an rpmbuild --rebuild file

After 5 or so, it wrote the following;
pwd
/usr/src/redhat/RPMS/x86_64
[root@cs0 x86_64]# ls
openssl-0.9.8a-5.4.x86_64.rpm openssl-devel-0.9.8a-5.4.x86_64.rpm
openssl-debuginfo-0.9.8a-5.4.x86_64.rpm openssl-perl-0.9.8a-5.4.x86_64.rpm

nothing in the SOURCES directory, I did rpm -Uvh --force the update which worked, but w/o issuing a re-scan I won't know, but I am sure there is another way to see if it's patched, don't think the 'a' version is. Man I thought I remembered some of this stuff, I'm getting old!
 
Old 07-31-2008, 03:08 PM   #7
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
I'd say do the rescan. Not sure how to check without cracking open the RPM to verify. What program is doing this "audit" and how is it checking? If it still complains and this source RPM included this patch, I'd say the audit is faulty.
 
Old 07-31-2008, 03:11 PM   #8
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 346

Original Poster
Rep: Reputation: 31
We have trustkeeper.net do the scans, I am going to push that new rpm to the webservers, and re-scan tonight and we shall see what happens and post back tomorrow.

Thanks for everything.
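
The check discussed in posts #5 and #7 (confirming that a package carries the CVE-2006-4339 fix without waiting for a rescan) can be scripted. This is an added example, not code from any poster in the thread; the spec fragment, its patch numbers and `declared-only.patch` are constructed for illustration.

```sh
# Added example, not from the thread. The spec fragment below is constructed;
# its patch numbers (50, 51) and declared-only.patch are made up.

# Reads an RPM changelog on stdin; succeeds if it mentions the CVE id.
# Real use: rpm -q --changelog openssl | changelog_mentions_cve CVE-2006-4339
changelog_mentions_cve() {
    grep -qiF -- "$1"
}

# Succeeds only if the spec declares the patch (PatchN: file) AND applies
# it (%patchN or %patch -P N). A patch that is declared but never applied
# ships inside the SRPM without changing the built binaries.
spec_applies_patch() {
    sap_num=$(awk -v p="$2" '
        tolower($1) ~ /^patch[0-9]+:$/ && $2 == p {
            n = $1; gsub(/[^0-9]/, "", n); print n; exit
        }' "$1")
    [ -n "$sap_num" ] || return 1
    grep -Eq "^%patch(${sap_num}|[[:space:]]+-P[[:space:]]*${sap_num})([[:space:]]|\$)" "$1"
}

# Writes a constructed spec fragment to the path given as $1.
make_sample_spec() {
    cat > "$1" <<'EOF'
Name: openssl
Version: 0.9.8a
Source: openssl-%{version}.tar.gz
Patch50: openssl-0.9.8b-cve-2006-4339.patch
Patch51: declared-only.patch
%prep
%setup -q
%patch50 -p1 -b .cve-2006-4339
EOF
}

# Demo on the constructed fragment.
demo_spec=$(mktemp)
make_sample_spec "$demo_spec"
spec_applies_patch "$demo_spec" openssl-0.9.8b-cve-2006-4339.patch \
    && echo "cve-2006-4339 patch: declared and applied"
spec_applies_patch "$demo_spec" declared-only.patch \
    || echo "declared-only.patch: declared but never applied"
rm -f "$demo_spec"
```

Distribution packages keep the upstream version string when a fix is backported, so the changelog and the spec file are where the fix shows up, not the version number.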
 
  

