Amos Shapira wrote:
The correct package version is libssl0.9.8-4etch3. That's where the
PRNG code resides.
$ dpkg -l libssl0.9.8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libssl0.9.8    0.9.8e-5       SSL shared libraries
$ apt-cache policy libssl0.9.8
libssl0.9.8:
  Installed: 0.9.8e-5
  Candidate: 0.9.8e-5
  Version table:
 *** 0.9.8e-5 0
        100 /var/lib/dpkg/status
     0.9.8c-4etch3 0
        990 http://mirror.optus.net.au etch/updates/main Packages
        990 http://security.debian.org etch/updates/main Packages
     0.9.8c-4etch1 0
        990 http://ftp.au.debian.org etch/main Packages
Is 0.9.8e-5 considered later than 0.9.8-4etch3?
Of course it is. That's why "etch3" was there to begin with.
According to http://packages.debian.org/etch/i386/libssl0.9.8, etch3 is
the correct version to use. Where did the "-5" version come from? It
seems you have a source in your apt sources that is negligent with its
versioning policy, to the point of breaking the security of your system.
If it followed the Debian policy regarding this, this should never have
happened.
"aptitude" lists the currently installed version and the other two
(-4etch1 and -4etch3) as available, but it doesn't mark this package
as "upgradeable".
That's because -5 is considered more recent than -4etch3. That's okay.
The only question is where the -5 came from to begin with.
I forced aptitude to pick the version you gave; it reported that it'll
downgrade some LDAP packages, which I accepted. Now the
changelog.Debian.gz has its latest entry dated May 8th, 2008.
I would suspect those LDAP packages as the source of the problem. Where
did they come from?
After installation aptitude reported "security updates" to the
downgraded LDAP packages but otherwise was happy (doesn't mention the
package version I downgraded from).
I also commented out backports for good measure even though "apt-cache
policy" didn't mention it.
First, stop working with apt-get. Only work with aptitude.
If you now ask to dist-upgrade your system (uppercase U in aptitude),
what does aptitude say it's going to do about libssl? After you
"downgraded" openssl, does the -5 version still appear?
I'd just like to clarify the dist-upgrade point you made above: I
didn't have to do it at all; are you sure this is correct?
Tzafrir's point is 100% valid if you are using apt-get. Under aptitude
it's a whole different ball game (and aptitude actually makes better
decisions than apt-get, so that's, again, ok).
Read the apt-get manual and you'll see that apt-get upgrade is, indeed,
what Tzafrir claimed it is. For really large scale upgrades (such as
between distribution versions), it is actually not recommended to use
apt-get dist-upgrade. For that, either "apt-get dselect-upgrade" is
recommended, or use dselect (ouch) or aptitude in order to do the actual
upgrade. Aptitude is recommended by me, as it shows you what will break
prior to taking any action.
Like I said, in aptitude, pressing "u" (lowercase) is like running
apt-get update, and pressing "U" (uppercase) is somewhat like running
apt-get dselect-upgrade.
--Amos
Shachar
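The ordering question in the thread ("Is 0.9.8e-5 considered later than 0.9.8c-4etch3?") and the diagnosis that follows it can be checked mechanically. What follows is an added example, not code from the thread, from dpkg or from apt: a Python port of the ordering dpkg uses for version strings (epoch, then upstream version, then Debian revision, with "~" sorting before anything and letters before punctuation), plus a small parser for "apt-cache policy" output that flags exactly the situation described above, an installed version known only to /var/lib/dpkg/status that sorts above what the security archive offers, so no upgrade will ever replace it. Both policy listings are constructed: the first reproduces the output pasted in the thread, the second is what the same query should show once the security archive's build is the installed one. The rule for recognising the security archive (security.debian.org, or any mirror carrying an etch-style "<suite>/updates" suite) is an assumption of the example.

```python
"""Debian version ordering plus a sanity check on `apt-cache policy` output.

Added example (not from the thread, dpkg or apt). The comparison mirrors
dpkg's ordering; the two policy listings at the bottom are constructed.
"""
import re
from functools import cmp_to_key

DIGITS = "0123456789"
LOCAL_STATUS = "/var/lib/dpkg/status"


def _order(c):
    """Weight of one character in a non-digit run of a version string."""
    if c == "" or c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # 1.0~rc1 sorts before 1.0
    return ord(c) + 256     # '.', '+' and friends sort after letters


def _verrevcmp(a, b):
    """Order one component (upstream or revision) the way dpkg does:
    alternating runs of non-digits (by _order) and digits (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """(epoch, upstream, revision); a missing epoch is 0, a missing revision ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """<0, 0 or >0, in the same order `dpkg --compare-versions` would give."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


_VERSION_LINE = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+(\d+)$")   # "version pin"
_SOURCE_LINE = re.compile(r"^\s*\d+\s+(\S.*?)\s*$")               # "prio origin ..."


def parse_policy(text):
    """Map every version listed by `apt-cache policy <pkg>` to the origins
    offering it, and record the installed version."""
    info = {"installed": None, "versions": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Installed:"):
            info["installed"] = stripped.split(":", 1)[1].strip()
            continue
        if stripped.startswith("Candidate:") or stripped.endswith(":"):
            continue
        m = _VERSION_LINE.match(line)
        if m:
            current = m.group(1)
            info["versions"][current] = []
            continue
        m = _SOURCE_LINE.match(line)
        if m and current is not None:
            info["versions"][current].append(m.group(1))
    return info


def _is_security(origin):
    """Assumption: security.debian.org or a mirror of its <suite>/updates suite."""
    return "security" in origin or "/updates" in origin


def audit(policy_text, fixed_version):
    """Can the installed build be trusted to carry the fix the security
    archive first shipped as fixed_version? A higher version number alone
    proves nothing if no configured archive actually serves that version."""
    info = parse_policy(policy_text)
    installed = info["installed"]
    if installed in (None, "(none)"):
        return {"installed": installed, "security_best": None, "verdict": "not-installed"}
    archive = [o for o in info["versions"].get(installed, []) if o != LOCAL_STATUS]
    offered = [v for v, o in info["versions"].items() if any(map(_is_security, o))]
    best = max(offered, key=cmp_to_key(compare_versions), default=None)
    if not archive and best and compare_versions(installed, best) > 0:
        verdict = "shadowing-security-update"   # only dpkg/status knows it; never upgraded
    elif compare_versions(installed, fixed_version) < 0:
        verdict = "vulnerable"
    elif archive:
        verdict = "fixed"
    else:
        verdict = "unverifiable"                 # newer than the fix, from nowhere trusted
    return {"installed": installed, "security_best": best, "verdict": verdict}


# Constructed: the listing pasted in the thread (the "-5" exists only locally).
POLICY_BEFORE = """\
libssl0.9.8:
  Installed: 0.9.8e-5
  Candidate: 0.9.8e-5
  Version table:
 *** 0.9.8e-5 0
        100 /var/lib/dpkg/status
     0.9.8c-4etch3 0
        990 http://mirror.optus.net.au etch/updates/main Packages
        990 http://security.debian.org etch/updates/main Packages
     0.9.8c-4etch1 0
        990 http://ftp.au.debian.org etch/main Packages
"""

# Constructed: what the same query should show after the forced downgrade.
POLICY_AFTER = """\
libssl0.9.8:
  Installed: 0.9.8c-4etch3
  Candidate: 0.9.8c-4etch3
  Version table:
 *** 0.9.8c-4etch3 0
        990 http://security.debian.org etch/updates/main Packages
        100 /var/lib/dpkg/status
     0.9.8c-4etch1 0
        990 http://ftp.au.debian.org etch/main Packages
"""

if __name__ == "__main__":
    print(compare_versions("0.9.8e-5", "0.9.8c-4etch3"))   # positive: "-5" sorts later
    for label, text in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, audit(text, "0.9.8c-4etch3"))
```

On a Debian host the ordering itself can be confirmed with the real tool, `dpkg --compare-versions 0.9.8e-5 gt 0.9.8c-4etch3; echo $?` (exit status 0 means true), which is why aptitude shows no upgrade: the comparison is working as designed. The audit only reports "fixed" when the installed version is served by a configured archive, not merely when it is numerically at or above the fixed version, which is the distinction the thread turns on.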