On 21/08/13 23:40, Simon Waters wrote:
> The top of my list of crypto worries is RC4 because a lot of us went
> that way when BEAST arrived, and probably a lot of us (myself
> included) ought to be revisiting that. It is taking eternity for the
> free software world to get to TLS 1.2 or better (well for the big
> distros and browsers to switch to 1.0.1d or later of openssl,
> technically the software all already exists, it just needs to be
> aggregated into a working system for normal folk to use). Microsoft
> are there already.

Following up on this, I've been herding cats today (aka: keeping the bleeding edge testing versions of VMs fully updated and functional for a test run of our latest software builds) and purely out of curiosity tried to remember to check the openssl version installed whilst I was at it.

Interestingly, the current openssl 1.0.1e was released back in *February* and every single one of our test VMs was indeed running it. Yet it seems that the current crop of "stable" distros mostly seem to have stagnated at the 1.0.1c release, which has known issues.

This is one of the things that most annoys me about Ubuntu (others are guilty, but I'm picking on Canonical here) is their arbitrary failure to backport stuff properly - this 13.04 workstation also has 1.0.1c installed (why for god's sake?) and if you google about for "Ubuntu 13.10 + samba 4" you'll just find lots of angry people castigating them for officially declining to ever release samba4 for it:

ghost@failbot:~$ apt-cache policy samba | head -n3
samba:
  Installed: 2:3.6.9-1ubuntu1
  Candidate: 2:3.6.9-1ubuntu1

Samba 3.6! Why, Mark, why!? Samba 4 is mission critical for us so I'm unfortunately rolling packages for it for the multiple stable distros we target, and it's such a damn headache (Samba 4 is easy to use, and properly hard to build and package properly).

Results below anyway, for those who might be interested.

Regards

Debian Sid:
ghost@panzerkunst:~$ apt-cache policy openssl | head -n3
openssl:
  Installed: 1.0.1e-3
  Candidate: 1.0.1e-3

Ubuntu 13.10:
ghost@pulsar:~$ apt-cache policy openssl | head -n3
openssl:
  Installed: 1.0.1e-3ubuntu1
  Candidate: 1.0.1e-3ubuntu1

Fedora Rawhide:
[ghost@debaser ~]$ rpm -qid openssl | head -n3
Name : openssl
Epoch : 1
Version : 1.0.1e

Arch Testing:
[ghost@architect ~]$ pacman -Qs openssl | head -n1
local/openssl 1.0.1.e-3

Slackware Current:
bash-4.2$ /usr/sbin/slackpkg info openssl | head -n2
PACKAGE NAME: openssl-1.0.1e-x86_64-1.txz
PACKAGE LOCATION: ./slackware64/n

Gentoo (w/ keyword ~amd64 in make.conf):
ghost@ricer:~$ eix -I openssl | grep Installed
Installed versions: 1.0.1e-r1(18:25:50 05/29/13)(sse2 zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)

RHEL7 Alpha:
Have an NDA on this, but it's surprisingly up to date

SUSE Factory:
Once again, so broken that it won't even survive the first "zypper dup" (openSUSE-Factory-NET-Build6502-x86-64)

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq