[Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)
Drew Parsons
dparsons at debian.org
Thu May 15 01:43:25 UTC 2008
Package: openssl
Version: 0.9.8g-10
Severity: critical
Tags: security
The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to
upgrade both openssl and libssl0.9.8.
However openssl (0.9.8g-10) only declares the dependency
libssl0.9.8 (>= 0.9.8f-5)
This means it is possible for some users to have upgraded openssl to
protect against the vulnerability, while not realising they have left
libssl0.9.8 at a vulnerable version. They could mistakenly believe
they are protected, when they are not.
I think it would be safer for openssl to explicitly declare a
dependence on libssl0.9.8 (>=0.9.8g-9) so to ensure the upgrade takes
place consistently.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8g-8 SSL shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
openssl recommends no packages.
-- no debconf information
More information about the Secure-testing-team
mailing list