[Pkg-openssl-devel] Bug#481284: [Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)
Steve Langasek
vorlon at debian.org
Thu May 15 05:30:25 UTC 2008
tags 481284 wishlist
quit
On Thu, May 15, 2008 at 11:43:25AM +1000, Drew Parsons wrote:
> Package: openssl
> Version: 0.9.8g-10
> Severity: critical
> Tags: security
> The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to
> upgrade both openssl and libssl0.9.8.
> However openssl (0.9.8g-10) only declares the dependency
> libssl0.9.8 (>= 0.9.8f-5)
> This means it is possible for some users to have upgraded openssl to
> protect against the vulnerability, while not realising they have left
> libssl0.9.8 at a vulnerable version. They could mistakenly believe
> they are protected, when they are not.
> I think it would be safer for openssl to explicitly declare a
> dependence on libssl0.9.8 (>=0.9.8g-9) so to ensure the upgrade takes
> place consistently.
Which is not how security updates for libraries have ever been done before,
nor is it likely that security updates will be done this way in the future.
Lowering the grossly overinflated severity. There is nothing
release-critical here.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the Pkg-openssl-devel
mailing list