[LON-CAPA-admin] Heartbleed?
Stuart Raeburn
raeburn at msu.edu
Tue Apr 15 08:25:53 EDT 2014
Paul,

According to the CentOS announce list:
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
openssl 1.0.1e-16.el6_5.7 released by CentOS on 4/8 includes the
RedHat fix for the heartbleed bug in the openssl rpm originally
included with CentOS 6.5.

See:
https://rhn.redhat.com/errata/RHSA-2014-0376.html
for details.

> Is there any plan to add 1.0.1g to the repository any time soon?

If you mean LON-CAPA's repository of RPMs for CentOS at:
http://install.loncapa.org/centos/loncapa
then the answer would be no.

I typically only create RPMs in cases where the standard repositories
provided by the Linux distro maintainers do not contain a particular
package which LON-CAPA requires, or there is functionality in a more
recent version of a package than the one provided by the distro which
LON-CAPA requires.

In the case of security fixes the expectation is that the distro
maintainers will patch their own RPMs, as was the case here with the
patch to openssl 1.0.1e on 4/8.

The CentOS maintainers released openssl-1.0.1e-16.el6_5.4.0.1.centos
as a preliminary patch on 4/8 at 02:11 UTC, and then released
openssl-1.0.1e-16.el6_5.7 on 4/8 at 02:55 UTC once the upstream
maintainers (RedHat) had made that available.

Note: the heartbleed bug did not affect CentOS 5 which has:
openssl-0.9.8e-27.el5_10.1.

Stuart Raeburn
LON-CAPA Academic Consortium

Quoting "Neubauer, Paul" <pneubauer at bsu.edu>:
> Hello all,
>
> I see that the latest list of "RPMs to update" only includes
> openssl.x86_64 1.0.1e-16.el6_5.7
> updates
>
> According to the openssl.org website, the Heartbleed bug affects
> versions through 1.0.1f and the fixed version is 1.0.1g.
>
> Is there any plan to add 1.0.1g to the repository any time soon?
> Alternatively, does anyone have a suggestion for a repository with
> 1.0.1g?
>
> Thanks,
> Paul
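
Added example, not part of the original message or of LON-CAPA: because the fix was backported into 1.0.1e, the upstream version alone does not tell you whether a CentOS 6 host is patched; the RPM release field does. The sketch below classifies the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl` against the two fixed builds named in the message. It assumes a simplified form of rpm's version comparison (no epoch or tilde handling); the function names and result labels are hypothetical.

```python
import re

# Fixed CentOS 6 builds named in the message above.
FIX_VERSION = "1.0.1e"
PRELIM_FIX = "16.el6_5.4.0.1.centos"   # preliminary CentOS patch
FINAL_FIX = "16.el6_5.7"               # rebuild of the Red Hat fix

def _segments(s):
    # rpm compares runs of digits or letters; other characters only separate.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version comparison: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats a letter run
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def classify(nvr):
    """Classify an openssl NAME-VERSION-RELEASE string."""
    name, version, release = nvr.strip().rsplit("-", 2)
    if name != "openssl":
        raise ValueError("not an openssl package: " + nvr)
    if rpmvercmp(version, "1.0.1") < 0:
        return "not affected"            # e.g. the 0.9.8e build in CentOS 5
    if rpmvercmp(version, "1.0.1g") >= 0:
        return "fixed upstream"
    if version == FIX_VERSION and ".el6" in release:
        if rpmvercmp(release, PRELIM_FIX) >= 0:
            return "patched by backport"
        return "unpatched"
    return "check vendor errata"         # other distros backport differently

if __name__ == "__main__":
    # Sample inputs; the 15.el6 release is constructed for illustration.
    for nvr in ("openssl-1.0.1e-16.el6_5.7",
                "openssl-1.0.1e-16.el6_5.4.0.1.centos",
                "openssl-1.0.1e-15.el6",
                "openssl-0.9.8e-27.el5_10.1"):
        print(nvr, "->", classify(nvr))
```

Services that loaded the old library keep running it until they are restarted, so a "patched by backport" result describes the package on disk, not the processes in memory.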