
Well, their solution was to build OpenSSL 1.0.0 (which is stable) from source.

That was easy, but then rebuilding other components which were linked to the original v. 0.9.x was a major PITA.

This is the problem, according to the auditor:

Vulnerability in OpenSSL 0.9.8g
Severity: Critical Problem
CVE: CVE-2008-0891 CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2010-0740
Impact: A remote attacker could execute arbitrary commands, cause a buffer overflow, bypass security or create a denial of service.
Resolution: OpenSSL should be upgraded to 1.0.0a or higher [http://www.openssl.org/source/].

Those CVE ("Common Vulnerabilities and Exposures") items are explained in more detail at NIST:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-089...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-137...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-074...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-043...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-324...



Well, this ignores the reality of how most linux distributions are maintained.

Version numbers are not supposed to change after the fact in a stable release, hence security fixes get backported (every distro has a security team for this).

If PCI requires a less tested newer version over a battle-scarred (patched up) older one then PCI is working against its own stated goal.

It doesn't take much wisdom to realize that it's less likely for new bugs to crop up in the 0.9.8 openssl that Debian ships than in the 1.0.0c that RHEL6 bundles (just one month after release!).

New software has bugs. Old software has fewer bugs.
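The second comment's point is that a version string alone cannot tell an auditor whether a backported fix is present. The script below is an added example, not code from either commenter or from any distribution: it normalises the loosely spelled CVE ids seen in the scanner output above and checks them against a package changelog instead of the version number. The changelog text is constructed for the example; on a real system the same text would come from something like `apt-get changelog openssl` or `rpm -q --changelog openssl` (assumed sources, not part of the thread). The CVE ids are the ones quoted from the auditor's report.

```shell
#!/bin/sh
# Added example: does a distro package's changelog record a fix for a CVE?
# This is not code from the thread. SAMPLE_CHANGELOG is a constructed stand-in
# for real output of e.g. `apt-get changelog openssl` (assumed source).

# Constructed sample in Debian changelog style. Only the CVE ids named in the
# auditor's report quoted above appear here; which ones are "fixed" is invented
# for the example and says nothing about any real package.
SAMPLE_CHANGELOG='openssl (0.9.8g-15+lenny8) stable-security; urgency=high

  * Backport fix for CVE-2009-3555 (TLS renegotiation).
  * Backport fixes for CVE-2010-0740 and CVE-2010-0433.

openssl (0.9.8g-15+lenny6) stable-security; urgency=high

  * Backport fixes for CVE-2009-1377, CVE-2009-1378, CVE-2009-1379
    and CVE-2009-1386.
'

# Normalise the spellings seen in scanner output ("CVE2008-0891",
# "CVE-20091377") to the canonical CVE-YYYY-NNNN form, so that a sloppy
# report can still be matched against a changelog.
normalize_cve() {
    printf '%s\n' "$1" | tr -d '-' \
        | sed 's/^CVE\([0-9]\{4\}\)\([0-9]\{4,\}\)$/CVE-\1-\2/'
}

# Exit 0 if the changelog text ($1) mentions the CVE ($2), 1 otherwise.
# -w keeps CVE-2009-1377 from matching a hypothetical CVE-2009-13770.
cve_in_changelog() {
    _cl=$1
    _id=$(normalize_cve "$2")
    printf '%s\n' "$_cl" | grep -qw -e "$_id"
}

# Print, one per line, every CVE from the list ($2...) that the changelog
# ($1) does not mention. Always exits 0; the output is the result.
unfixed_cves() {
    _cl=$1
    shift
    for _c in "$@"; do
        if ! cve_in_changelog "$_cl" "$_c"; then
            normalize_cve "$_c"
        fi
    done
    return 0
}

# Stand-alone run: check part of the auditor's list against the sample.
echo "CVEs with no recorded fix in the sample changelog:"
unfixed_cves "$SAMPLE_CHANGELOG" CVE2008-0891 CVE-2008-1672 CVE-2009-3555 CVE-20091377
```

A CVE missing from the changelog is a question for the security team, not proof of exposure: maintainers sometimes record fixes under an upstream bug id, or note a CVE as not affecting their build. Conversely, a CVE that is listed is evidence an auditor can cite alongside the unchanged version string.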



