tags 481284 wishlist
quit

On Thu, May 15, 2008 at 11:43:25AM +1000, Drew Parsons wrote:
> Package: openssl
> Version: 0.9.8g-10
> Severity: critical
> Tags: security

> The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to
> upgrade both openssl and libssl0.9.8.

> However openssl (0.9.8g-10) only declares the dependency 
> libssl0.9.8 (>= 0.9.8f-5)

> This means it is possible for some users to have upgraded openssl to
> protect against the vulnerability, while not realising they have left
> libssl0.9.8 at a vulnerable version. They could mistakenly believe
> they are protected, when they are not.

> I think it would be safer for openssl to explicitly declare a
> dependence on libssl0.9.8 (>= 0.9.8g-9) so as to ensure the upgrade
> takes place consistently.

Which is not how security updates for libraries have ever been done before,
nor is it likely that security updates will be done this way in the future.

Lowering the grossly overinflated severity.  There is nothing
release-critical here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
