On Mon, Jun 02, 2008 at 07:24:30AM +0300, Shachar Shemesh wrote:
> Amos Shapira wrote:
> >
> >>
> >>The correct package version is libssl0.9.8-4etch3 . That's where the
> >>PRNG code resides.
> >>
> >
> >$ dpkg -l libssl0.9.8
> >Desired=Unknown/Install/Remove/Purge/Hold
> >| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> >|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> >||/ Name           Version        Description
> >+++-==============-==============-============================================
> >ii  libssl0.9.8    0.9.8e-5       SSL shared libraries
> >$ apt-cache policy libssl0.9.8
> >libssl0.9.8:
> >  Installed: 0.9.8e-5
> >  Candidate: 0.9.8e-5
> >  Version table:
> > *** 0.9.8e-5 0
> >        100 /var/lib/dpkg/status
> >     0.9.8c-4etch3 0
> >        990 http://mirror.optus.net.au etch/updates/main Packages
> >        990 http://security.debian.org etch/updates/main Packages
> >     0.9.8c-4etch1 0
> >        990 http://ftp.au.debian.org etch/main Packages
> >
> >Is 0.9.8e-5 considered later than 0.9.8-4etch3?
> >
> Of course it is. That's why "etch3" was there to begin with.
>
> According to http://packages.debian.org/etch/i386/libssl0.9.8, etch3 is
> the correct version to use. Where did the "-5" version come from? It
> seems you have a source in your apt sources that is negligent with its
> versioning policy, to the point of breaking the security of your system.
> If it followed the Debian policy regarding this, this should never have
> happened.
> >"aptitude" lists the currently installed version and the other two
> >(-4etch1 and -4etch3) as available, but it doesn't mark this package
> >as "upgradeable".
> >
> That's because -5 is considered more recent than -4etch3. That's okay.
> The only question is where did the -5 come from to begin with.
> >
> >I forced aptitude to pick the version you gave, it reported that it'll
> >downgrade some LDAP packages, which I accepted. Now the
> >changelog.Debian.gz has latest entry dated May 8th, 2008.
> >
> >
> I would suspect those LDAP packages as the source of the problem. Where
> did they come from?
> >After installation aptitude reported "security updates" to the
> >downgraded LDAP packages but otherwise was happy (doesn't mention the
> >package version I downgraded from).
> >
> >I also commented out backports for good measure even though "apt-cache
> >policy" didn't mention it.
> >
> First, stop working with apt-get. Only work with aptitude.
>
> If you now ask to dist-upgrade your system (uppercase U in aptitude),
> what does aptitude say it's going to do about libssl? After you
> "downgraded" openssl, does the -5 version still appear?
> >I'd just like to clarify the dist-upgrade point you made above - I
> >didn't have to do it at all, are you sure this is correct?
> >
> >
> Tzafrir's point is 100% valid if you are using apt-get. Under aptitude
> it's a whole different ball game (and aptitude actually makes better
> decisions than apt-get, so that's, again, ok).
>
> Read the apt-get manual and you'll see that apt-get upgrade is, indeed,
> what Tzafrir claimed it is. For really large scale upgrades (such as
> between distribution versions), it is actually not recommended to use
> apt-get dist-upgrade. For that, either "apt-get dselect-upgrade" is
> recommended, or use dselect (ouch) or aptitude in order to do the actual
> upgrade. Aptitude is recommended by me, as it shows you what will break
> prior to taking any action.

Actually, with an 'aptitude upgrade' the ssh packages were "held back"
and I had to use dist-upgrade.

> Like I said, in aptitude, pressing "u" (lowercase) is like running
> apt-get update, and pressing "U" (uppercase) is somewhat like running
> apt-get dselect-upgrade.
> >--Amos
> >
> Shachar

-- 
Tzafrir Cohen         | [EMAIL PROTECTED] | VIM is
http://tzafrir.org.il |                   | a Mutt's
[EMAIL PROTECTED]     |                   | best
ICQ# 16849754         |                   | friend
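
An added example, not part of the message above or of any poster's code: a Python sketch of the Debian version ordering ([epoch:]upstream[-revision]) applied to the versions in the quoted apt-cache policy output, reporting which field decides each comparison. The function names are this example's own; on a Debian system, `dpkg --compare-versions 0.9.8e-5 gt 0.9.8c-4etch3` gives the authoritative answer.

```python
import re

def _order(c):
    # dpkg weights: '~' sorts before everything, letters before punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (weighted compare) and digit runs (numeric).
    while a or b:
        na, a = re.match(r"(\D*)(.*)", a).groups()
        nb, b = re.match(r"(\D*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def parse(version):
    # The epoch ends at the first ':'; the revision starts at the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return (sign, field): sign is 1 if v1 is newer, -1 if older, 0 if equal."""
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    for field, d in (("epoch", e1 - e2), ("upstream", _cmp_part(u1, u2)),
                     ("revision", _cmp_part(r1, r2))):
        if d:
            return (1 if d > 0 else -1), field
    return 0, None

if __name__ == "__main__":
    # Versions taken from the apt-cache policy output quoted in the message.
    print(compare("0.9.8e-5", "0.9.8c-4etch3"))       # installed vs. security fix
    print(compare("0.9.8c-4etch3", "0.9.8c-4etch1"))  # security fix vs. etch/main
```

Fields are compared in order, so the revision is only consulted when epoch and upstream version are equal.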