[OmniOS-discuss] OmniOS OpenSSL 1.0.1g and CVE-2014-0160

Eric Sproul esproul at omniti.com
Tue Apr 8 15:15:49 UTC 2014


On Mon, Apr 7, 2014 at 9:51 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
> For r151008:
> pkg://omnios/library/security/openssl@1.0.1.7,5.11-0.151008:20140407T220403Z
>

FYI, I just re-spun the r151008 package to clear up an issue where the
unsigned manifest appeared in the repo catalog alongside the signed
version.  It's a quirk^Wfeature of how pkg(5) does signing that it
does not alter the version of the package, so effectively we had two
different hashes for the same "version" of the openssl manifest.  This
caused confusion for some pkg* tools and sub-commands but not others.
For instance, update/install was *not* affected, but pkgrecv(1) was.

The new spin is
pkg://omnios/library/security/openssl@1.0.1.7,5.11-0.151008:20140408T142844Z

Sorry for the inconvenience.  We've clarified our package signing
process to ensure this does not recur.

Eric


More information about the OmniOS-discuss mailing list