Getting most secure version of openssl on CentOS 5 via yum
 

Greetings,

I've recently migrated an unlicensed RHEL5 box to CentOS 5 in order to get the system patched, and yum is telling me that openssl 0.9.8e is the up-to-date version. But that version is over two years old. I know I can install the newest openssl by using the rpm and I also know how to install from the tarball, but I'm trying to avoid both methods because I prefer the automated dependency handling of yum.

My question is SHOULD I be expecting yum to see openssl 0.9.8q when I run 'yum update openssl'?

If so, I'll be happy to reinvestigate my configuration for problems. I'm currently just using the default CentOS repositories.

If it's a case where anything beyond 0.9.8e simply hasn't been included from upstream, and I need to install it manually, that's fine. I'm just trying to get a handle on my expectations. I've been pouring through google and forums and looking for documentation for weeks, but there's so much that it's definitely possible I've overlooked it. Any clarification or further reading the forum can suggest would be greatly appreciated.

Thanks!

Ps. If I've posted this to the wrong forum, I apologize.

New is NOT the most secure. Newer software means more recent changes to the code, which means more new opportunities for bugs and security issues. the RHEL (and therefore CentOS) policy is to standardise on versions of a package on a per distro basis - 0.9.8e in the case of openssl on rhel5, and then back port security updates from newer versions to their base package. run "rpm -qi --changelog openssl" to see what changes they have made to it over time. The most recent build only came out on the 15th of this December, and was for...

which you should probably go and read up on if you want to get a feel for why this "old" version is not insecure.

Thanks acid_kewpie... this is a tremendous help! Your post just made my last three weeks of confusion click. Many, many thanks.

You can probably see why it's good to keep the same base version of code. Adding, or even worse, removing, functionality, changing outward behaviour etc, can have horrible consequences in terms of integrating with the rest of the environment. Sometimes this is unavoidable, I remember some changes in openssh which changed a default setting from some point forward in el5 which caused me some issues, but in general it's best to live with any short comings and quirks, as once they are worked around, then that's that, and can stay worked around for the duration of that release, no more headaches.

Absolutely! This is exactly what I'm after. Understanding how this versioning works is a tremendous help. I'm sure I glossed over that in all of my reading. Thanks again for the help. I love open source!