[TriLUG] openssl bug
Greg Brown
gregbrown at mindspring.com
Tue Sep 17 23:43:55 EDT 2002
Some time ago, Jon burst forth this utterance:
Okay folks, check your Apache webservers running mod_ssl and make sure
they're up-to-date (version greater than 0.9.6d). There's a new bug in
town and it breaks into Apache via a vulnerability in mod_ssl.
Jon
I have a question. When I read this I just shut down my web server as
I didn't have time to patch it (still working the 80+ work weeks).
Anyway, here's the history:
I was running openssl-0.9.6.3.
I downloaded the latest RPM from Red Hat for my distro (7.1) which was
the following file:
openssl-0.9.6-13.i386.rpm
rpm -U --test openssl-0.9.6-13.i386.rpm showed no errors so I upgraded
Now my rpm -qa | grep ssl shows:
openssl-0.9.6-13
Looking into more detail about the version (rpm -qi this time) I see
the following:
Name        : openssl          Relocations: (not relocateable)
Version     : 0.9.6            Vendor: Red Hat, Inc.
Release     : 13               Build Date: Thu 01 Aug 2002 02:57:06
Looking at the release date I'd say that it's fairly impossible that
this is going to fix any bugs discovered after August 1, 2002.
Correct?
So my website is still down (not a big deal, really) but I would like
to get it back up and running sometime.
What is the process that Red Hat uses to update the RPMs at
ftp://updates.redhat.com? When a bug is discovered, how long does it
take for an updated RPM to appear, or am I expected to download the
source and compile it myself? Not a big deal really, and maybe I'm
missing something as I've been awake for too long, but am I wrong in
assuming that I'm still at risk with this bug? And how long until I
can expect an updated RPM from Red Hat?
And does anyone have a URL which details the process of how bugs are
fixed and added to RPMs?
Thanks!
Greg
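The comparison Greg is trying to make (installed "0.9.6-13" against an upstream "greater than 0.9.6d") is the wrong one for a vendor package, because Red Hat backports fixes and bumps the release number while the version string stays at 0.9.6. The right check is installed version-release against the version-release named in the vendor's advisory, using RPM's own ordering rules. The script below is an added example, not code from this thread or from Red Hat; it implements a simplified rpmvercmp (no epoch, tilde or caret handling) and leaves the advisory's fixed version-release as a placeholder to be filled in from the advisory.

```shell
#!/bin/sh
# Added example, not code from the original thread. Simplified rpmvercmp:
# digit runs compare numerically, letter runs lexically, a numeric segment
# outranks an alphabetic one, and on a tie the string with segments left over
# wins. Assumption: no epoch, tilde or caret handling.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,   n, k, c, t, cur, kind) {
        n = 0; cur = ""; kind = ""
        for (k = 1; k <= length(s); k++) {
            c = substr(s, k, 1)
            if (c ~ /[0-9]/) t = "n"; else if (c ~ /[A-Za-z]/) t = "a"; else t = ""
            if (cur != "" && t != kind) { arr[++n] = cur; cur = "" }  # flush on type change
            if (t == "") continue                                      # separators split segments
            cur = cur c; kind = t
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        na = segs(a, sa); nb = segs(b, sb); r = "0"
        for (i = 1; i <= na && i <= nb && r == "0"; i++) {
            x = sa[i]; y = sb[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn != yn) r = (xn ? "1" : "-1")           # numeric beats alpha
            else {
                if (xn) { x += 0; y += 0 }                  # numeric compare, drops leading zeros
                if (x < y) r = "-1"; else if (x > y) r = "1"
            }
        }
        if (r == "0" && na != nb) r = (na > nb ? "1" : "-1")
        print r
    }'
}

# rpm_evr_ge INSTALLED FIXED -> exit 0 when INSTALLED (version-release) is at
# least FIXED. Version is compared first, release only on a tie, as rpm does.
rpm_evr_ge() {
    case $1 in *-*) iv=${1%-*} ir=${1##*-} ;; *) iv=$1 ir= ;; esac
    case $2 in *-*) fv=${2%-*} fr=${2##*-} ;; *) fv=$2 fr= ;; esac
    c=$(rpm_vercmp "$iv" "$fv")
    [ "$c" = 0 ] && c=$(rpm_vercmp "$ir" "$fr")
    [ "$c" != "-1" ]
}

# On the box (placeholder to be taken from the Red Hat advisory for the bug):
#   rpm_evr_ge "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)" "<FIXED-VERSION-RELEASE>"
```

Note that rpm_vercmp "0.9.6" "0.9.6d" reports the installed version as older, which is exactly why an upstream number cannot tell you whether a backported package is fixed.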