Comment by mstrem
12 years ago
From the CloudFlare blog: "This bug fix is a successful example of what is called responsible disclosure".
I just discovered this now and
yum info openssl
Yields 1.0.1e as the available package, which is vulnerable. I guess not all "stakeholders" have been warned properly - or am I jumping to conclusions?
Apparently Red Hat, Debian, and Ubuntu weren't (from what I gather from reading mailing list posts) -- no idea who else.
That's not responsible at all, IMO. Whoever was in charge of this (NCSC-FI?) isn't very good at coordinating.
https://access.redhat.com/security/cve/CVE-2014-0160
https://bugzilla.redhat.com/show_bug.cgi?id=1084875
https://rhn.redhat.com/errata/RHSA-2014-0376.html
Note that distributions usually don't change the library version, they just apply the fix. Look for the distribution-specific sub-version.
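One way to apply that advice on an RPM-based host, added here as an example and not code from anyone in the thread: a backported fix shows up as the CVE id in the package changelog or as a newer release field in VERSION-RELEASE, never as a changed upstream version. The fixed release string and the changelog text below are constructed stand-ins; take the real release from the RHSA advisory linked above.

```shell
# Added example (not from the thread). Distributions backport fixes without
# bumping the upstream version, so "1.0.1e" alone proves nothing. Two signals
# tell a patched package apart: the CVE id in the RPM changelog, and the
# release field of VERSION-RELEASE compared against the advisory's release.
# FIXED_VR and CHANGELOG_SAMPLE are constructed stand-ins, not advisory data.
FIXED_VR='1.0.1e-16.el6_5.7'
CHANGELOG_SAMPLE='* Mon Apr 07 2014 Package Maintainer <maint@example.org> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Does the changelog text on stdin mention the CVE id given as $1?
changelog_has_cve() {
  grep -q -- "$1"
}

# Split a version-release string into comparable segments, the way rpmvercmp
# does: non-alphanumerics separate segments and so do letter/digit boundaries
# ("1.0.1e-16.el6_5.7" -> "1 0 1 e 16 el 6 5 7").
split_segments() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9' ' ' \
    | sed 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

# Compare two version-release strings segment by segment; numeric segments
# compare as numbers, others as strings (expr does exactly that; rpm's rule
# that a number beats a letter is not reproduced). Prints -1, 0 or 1; a
# string with extra trailing segments counts as newer.
vercmp() {
  la=$(split_segments "$1"); lb=$(split_segments "$2")
  while [ -n "$la" ] || [ -n "$lb" ]; do
    case $la in *\ *) sa=${la%% *}; la=${la#* };; *) sa=$la; la=;; esac
    case $lb in *\ *) sb=${lb%% *}; lb=${lb#* };; *) sb=$lb; lb=;; esac
    [ -z "$sa" ] && { printf '%s\n' -1; return; }
    [ -z "$sb" ] && { printf '%s\n' 1; return; }
    if [ "$sa" != "$sb" ]; then
      if expr "$sa" \< "$sb" >/dev/null; then printf '%s\n' -1; else printf '%s\n' 1; fi
      return
    fi
  done
  printf '%s\n' 0
}

# Verdict for one package: $1 installed VR, $2 fixed VR, $3 CVE id, changelog
# on stdin. Either signal is enough to call the package fixed.
assess_pkg() {
  if changelog_has_cve "$3"; then echo fixed; return; fi
  if [ "$(vercmp "$1" "$2")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
}
# On a real host (not run here): feed rpm's own data for the installed package in.
check_installed() {  # $1 package name, $2 fixed VR, $3 CVE id
  rpm -q --changelog "$1" | assess_pkg "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1")" "$2" "$3"
}
```

Run `check_installed openssl "$FIXED_VR" CVE-2014-0160` on the host once FIXED_VR holds the release from the advisory; the yum "available version" output quoted above cannot answer this question.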