[Pkg-openssl-devel] Bug#481284: [Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)

Steve Langasek vorlon at debian.org
Thu May 15 05:30:25 UTC 2008


tags 481284 wishlist
quit

On Thu, May 15, 2008 at 11:43:25AM +1000, Drew Parsons wrote:
> Package: openssl
> Version: 0.9.8g-10
> Severity: critical
> Tags: security

> The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to
> upgrade both openssl and libssl0.9.8.

> However openssl (0.9.8g-10) only declares the dependency 
> libssl0.9.8 (>= 0.9.8f-5)

> This means it is possible for some users to have upgraded openssl to
> protect against the vulnerability, while not realising they have left
> libssl0.9.8 at a vulnerable version. They could mistakenly believe
> they are protected, when they are not.

> I think it would be safer for openssl to explicitly declare a
> dependence on libssl0.9.8 (>=0.9.8g-9) so to ensure the upgrade takes
> place consistently.

Which is not how security updates for libraries have ever been done before,
nor is it likely that security updates will be done this way in the future.

Lowering the grossly overinflated severity.  There is nothing
release-critical here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
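Added example, not part of the bug report or of Debian's own tooling: a
small re-implementation of dpkg's version ordering (Debian Policy 5.6.12,
epoch / upstream / revision, alternating non-digit and digit runs with '~'
sorting lowest) used to check the situation Drew describes. The installed
versions below are a constructed inventory: openssl at 0.9.8g-10 as in the
report, and libssl0.9.8 left at a hypothetical earlier build 0.9.8g-8. The
check shows that the dependency openssl actually declares
(libssl0.9.8 >= 0.9.8f-5) is satisfied by that older library even though it
is below the 0.9.8g-9 build that carries the fix.

```python
"""Debian version comparison and dependency check (added example).

Follows dpkg's algorithm: compare the numeric epoch, then the upstream
version, then the Debian revision. Each of the latter two is compared by
alternating runs of non-digits (custom character order, '~' lowest,
letters before other characters) and digits (compared numerically).
"""


def _order(c: str) -> int:
    """dpkg character order: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two upstream-or-revision strings; returns -1, 0 or 1."""
    ia, ib = 0, 0
    while ia < len(a) or ib < len(b):
        # Non-digit run, compared character by character in dpkg order.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            ia += 1
            ib += 1
        # Digit run, compared numerically (leading zeros are irrelevant).
        na = ""
        while ia < len(a) and a[ia].isdigit():
            na += a[ia]
            ia += 1
        nb = ""
        while ib < len(b) and b[ib].isdigit():
            nb += b[ib]
            ib += 1
        da, db = int(na or "0"), int(nb or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, in dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">>": lambda c: c > 0,
    "<<": lambda c: c < 0,
    "=": lambda c: c == 0,
}


def satisfies(installed: str, relation: str) -> bool:
    """relation is a dpkg-style constraint such as '>= 0.9.8g-9'."""
    op, required = relation.split()
    return _OPS[op](compare_versions(installed, required))


def unpatched_packages(installed: dict, fixed_in: dict) -> list:
    """Packages whose installed version is below the build carrying the fix."""
    return [p for p, v in fixed_in.items()
            if p in installed and compare_versions(installed[p], v) < 0]


# Constructed inventory (an assumption, not data from the report): openssl was
# upgraded but libssl0.9.8 stayed at a hypothetical earlier build. On a real
# system read these with: dpkg-query -W -f='${Version}' <package>
INSTALLED = {"openssl": "0.9.8g-10", "libssl0.9.8": "0.9.8g-8"}
# Build that carries the fix, as stated in the report.
FIXED_IN = {"openssl": "0.9.8g-9", "libssl0.9.8": "0.9.8g-9"}

if __name__ == "__main__":
    # The dependency openssl declares is met by the old library ...
    print(satisfies(INSTALLED["libssl0.9.8"], ">= 0.9.8f-5"))  # True
    # ... but that library is still below the fixed build.
    print(satisfies(INSTALLED["libssl0.9.8"], ">= 0.9.8g-9"))  # False
    print(unpatched_packages(INSTALLED, FIXED_IN))  # ['libssl0.9.8']
```

The practical lesson is the one the report makes: a binary package's
versioned dependency only guarantees the minimum the maintainer wrote down,
so after a library security update one has to check the library package's
own version (here libssl0.9.8) rather than the version of the program that
links against it.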