
Comment by ineedtosleep

12 years ago

A couple more data points:

I'm running Fedora 19 and Arch on my main dev machines/VMs, and as of this posting they are considered up-to-date. Both are vulnerable:

    [Fedora19] $ openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013

    [Arch] $ openssl version
    OpenSSL 1.0.1f 6 Jan 2014

It does take time for these things to be tested and deployed. Regardless of the severity of the bug, distributions must test packages before sending them out to all their users.

It would be unfortunate if a new package were to be released immediately only to be soon masked/recalled due to unforeseen consequences.

Of note, the Gentoo package was bumped approximately 2 hours after the advisory was published.

Yeah, I haven't seen any new RPMs for RHEL/CentOS/Fedora yet. Kinda concerning, since I'd expect vendors to be given advance notice and the chance to prep updates to coincide with the announcement.

All my RHEL5 boxes are running 0.9.8, though, at least.

Likewise for Ubuntu 13.10: OpenSSL 1.0.1e 11 Feb 2013

And the current beta of 14.04: OpenSSL 1.0.1f 6 Jan 2014