The fact that you have a /usr/local/openssl-0.9.6b directory suggests that you compiled the thing from source. Grab 0.9.6e, build and install it. Since it was not installed from rpm, there is no way to find which programs may use it other than to recall which ones you compiled yourself. Check if any of them are statically linked against openssl, and rebuild.

Just in case, to check whether you installed openssl from rpm, run this command:

    rpm -qa|grep openssl

If the only thing you see is "apache-openssl-1.3.20-RaQ4_1C3" then you did not. If you see something like this:

    openssl-perl-0.9.6b-XX
    openssl-0.9.6b-XX
    openssl-devel-0.9.6b-XX

then you did. It is my understanding that the vulnerability was fixed in the version with 'XX' = '24'. Grab and install the appropriate rpms.

Eugene
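The rpm check described in the message above can be scripted. The following is an added example, not part of the original post: the function name and verdict strings are hypothetical, and the release threshold of 24 is taken from the post as the poster's understanding.

```shell
# Added example: classify `rpm -qa` output following the checks in the post.
# Reads package names on stdin, prints one line per openssl library package,
# then a final overall verdict line:
#   not-from-rpm | ok | needs-update | check-manually
classify_openssl_rpms() {
    fixed_release=24          # release the post believes carries the fix
    verdict="not-from-rpm"
    while IFS= read -r pkg; do
        case "$pkg" in
            openssl-[0-9]*|openssl-perl-[0-9]*|openssl-devel-[0-9]*) ;;
            *) continue ;;    # e.g. apache-openssl-... is not the library rpm
        esac
        release=${pkg##*-}            # text after the last '-'
        rest=${pkg%-*}
        version=${rest##*-}           # text between the last two '-'
        num=${release%%[!0-9]*}       # leading digits of the release
        if [ "$version" != "0.9.6b" ] || [ -z "$num" ]; then
            # The release-24 threshold only applies to the 0.9.6b packages.
            echo "$pkg: threshold does not apply, check manually"
            if [ "$verdict" != "needs-update" ]; then verdict="check-manually"; fi
        elif [ "$num" -ge "$fixed_release" ]; then
            echo "$pkg: release $num is at or above $fixed_release"
            if [ "$verdict" = "not-from-rpm" ]; then verdict="ok"; fi
        else
            echo "$pkg: release $num is below $fixed_release, update"
            verdict="needs-update"
        fi
    done
    echo "$verdict"
}

# Typical use on the host being checked:
#   rpm -qa | classify_openssl_rpms
```

A "not-from-rpm" verdict corresponds to the source-build case in the message, where the fix is to build and install 0.9.6e and rebuild anything statically linked.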