Hello,

I recently converted to RH Linux 9.0 and am confused about patching.

For example, if I run a web server and have OpenSSL on my system and want to upgrade OpenSSL, I get the latest updates from RedHat using up2date. After running up2date my OpenSSL shows as version 0.9.7a-33.12, however Openssl.org shows that the latest secure version of Openssl is 0.9.7d.

I know RedHat does their own weird update names so that 0.9.7a-33.12 is SUPPOSED to be the same as the open source 0.9.7d. But how can I tell? If openssl.org claims that anything below 0.9.7d is vulnerable, and RedHat says 0.9.7a-33.12 is the latest and greatest version, how do I know 0.9.7a-33.12 contains the security fixes in 0.9.7d? I'm trying to find out an easy way here, because this issue apparently applies to other software as well and I don't know if I can just take RedHat's word for it that all security fixes are in their updates.

Thanks

Basically it's that there's frequently a difference in the focus of release depending on where it comes from. Redhat will focus largely on stability and security, and while of course a package like openSSL is implictly about security, they will be introducing new features etc... So Redhat will take a step back and sepnd time a a particular release they like, and work on it until *they* think it's stable enough for their type of customer, which more and more recently is mid to high end businesses. So they'll back port exploit fixes and other individually submitted patches that they approve of, but there will be parts in the newer official releases that they can't test as much, and so will wait for it to mature before taking that release on board.

mind you... Redhat releases and still very much open source...