by moe
5608 days ago
Interesting, I didn't know that. Seems like a flaw in the PCI requirements to me; do they really demand the "latest" version instead of the stable, time-tested one? It certainly can't be in the spirit of these audits to encourage people to move from Debian stable to a distro that's based on Debian unstable...
That was easy, but then rebuilding other components which were linked to the original v. 0.9.x was a major PITA.
This is the problem, according to the auditor:

Vulnerability in OpenSSL 0.9.8g
Severity: Critical
Problem CVE: CVE-2008-0891 CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2010-0740
Impact: A remote attacker could execute arbitrary commands, cause a buffer overflow, bypass security or create a denial of service.
Resolution: OpenSSL should be upgraded [http://www.openssl.org/source/] to 1.0.0a or higher.
Those CVE ("Common Vulnerabilities and Exposures") items are explained in more detail at NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-089... http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-137... http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-074... http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-043... http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-324...
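The finding above is a version-string match: the scanner sees "0.9.8g" and lists every CVE ever filed against that version, regardless of whether the distribution has already shipped the fix as a backport under the same upstream version number. The practical first step before rebuilding anything is to pull the CVE IDs out of the finding (the scanner output is also garbled, with hyphens dropped) and check them against the package's own changelog. The script below is an added example written for this thread, not code from either poster or from any scanner or distribution. The auditor text is the one quoted above; the Debian-format changelog excerpt is a constructed sample, and its version strings and CVE mentions are illustrative only, not the real contents of any Debian openssl package.

```python
import gzip
import re
import sys

# Canonical form is CVE-YYYY-NNNN+; scanner reports and copy-paste often drop a
# hyphen ("CVE2008-0891", "CVE-20091377"), so each separator is optional.
CVE_RE = re.compile(r"\bCVE-?(\d{4})-?(\d{4,})\b")

# Auditor's finding exactly as quoted in the thread, garbled IDs included.
AUDITOR_FINDING = """Vulnerability in OpenSSL 0.9.8g Severity: Critical Problem CVE: CVE2008-0891
CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-20091377 CVE-2009-1378
CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2010-0740"""

# CONSTRUCTED sample in Debian changelog format. The versions "0.9.8g-99+exampleN"
# and the CVEs listed under them are made up for this example; they do not
# describe what any real Debian openssl package fixed.
SAMPLE_CHANGELOG = """openssl (0.9.8g-99+example2) stable-security; urgency=high

  * Backport fix for CVE-2009-3555 (TLS renegotiation) and CVE-2010-0740.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

openssl (0.9.8g-99+example1) stable-security; urgency=high

  * Backport fixes for CVE-2008-0891, CVE-2009-1377, CVE-2009-1378,
    CVE-2009-1379, CVE-2009-1386.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
"""


def normalize_cves(text):
    """Return the sorted, de-duplicated CVE IDs found in text, in canonical form.

    Both 'CVE2008-0891' and 'CVE-20091377' are recovered as proper IDs.
    """
    return sorted({f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)})


def triage(finding_text, changelog_text):
    """Map each CVE in the scanner finding to whether the changelog mentions it.

    'mentioned' means the distro recorded a fix for that ID while keeping the
    upstream version string, i.e. the scanner's version match is a false
    positive for it. 'not mentioned' is NOT proof of exposure: the package may
    be unaffected or the fix may be recorded without the CVE ID, so those
    entries still need checking against the distribution's security tracker.
    """
    fixed = set(normalize_cves(changelog_text))
    return {cve: ("mentioned" if cve in fixed else "not mentioned")
            for cve in normalize_cves(finding_text)}


def read_changelog(path):
    """Read a plain or gzip-compressed changelog (Debian ships it as .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Optional argument: a real changelog, e.g.
    #   /usr/share/doc/openssl/changelog.Debian.gz
    # With no argument the constructed sample above is used.
    changelog = read_changelog(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHANGELOG
    for cve, status in triage(AUDITOR_FINDING, changelog).items():
        print(f"{cve}: {status}")
```

Run it against the real `/usr/share/doc/openssl/changelog.Debian.gz` on the audited host to get the split between IDs the distro has already backported and IDs that still need an answer; the "mentioned" set is what you hand back to the auditor as evidence, and the rest go to the distribution's security tracker. The second problem in the thread, other components still linked against the old library, is a separate inventory step: `ldd <binary> | grep libssl` on each service binary shows which shared object it actually loads, which is the list of things that need rebuilding or repackaging if the library really is replaced rather than patched in place.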