Is this enough reason to use OpenSSL version 0.9.7c instead of 0.9.7b for the 2.3.2 final windows installer, or should the release candidate remain unchanged?
http://www.openssl.org/news/secadv_20030930.txt
Thomas
Thomas> Is this enough reason to use OpenSSL version 0.9.7c instead of
Thomas> 0.9.7b for the 2.3.2 final windows installer, or should the
Thomas> release candidate remain unchanged?
Thomas> http://www.openssl.org/news/secadv_20030930.txt
At this point I'm inclined to let it go. There are many other vulnerable SS[LH] targets out there, and you can't wait forever until the OpenSS[LH] folks stop emitting patches.
Skip
Thomas Heller wrote:
> Is this enough reason to use OpenSSL version 0.9.7c instead of 0.9.7b for the 2.3.2 final windows installer, or should the release candidate remain unchanged?
I'd say build with the patched libraries, but only if you can test them before then. OTOH, most of the advisory seems to be about server-side problems, and the inbuilt SSL stuff in python is client stuff.
go-not-to-australians-for-answers-for-they-will-answer-both-yes-and-no, Anthony