thr3ads.net - Secure testing team - [Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9) [May 2008]

If this information is useful, please help other people find it:
Share via:

Drew Parsons

2008-May-15 01:43 UTC

[Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)

Package: openssl
Version: 0.9.8g-10
Severity: critical
Tags: security

The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to
upgrade both openssl and libssl0.9.8.

However openssl (0.9.8g-10) only declares the dependency 
libssl0.9.8 (>= 0.9.8f-5)

This means it is possible for some users to have upgraded openssl to
protect against the vulnerability, while not realising they have left
libssl0.9.8 at a vulnerable version. They could mistakenly believe
they are protected, when they are not.

I think it would be safer for openssl to explicitly declare a
dependence on libssl0.9.8 (>=0.9.8g-9) so to ensure the upgrade takes
place consistently.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, ''unstable''), (1,
''experimental'')
Architecture: i386 (i686)

Kernel: Linux 2.6.25
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8g-8          SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

openssl recommends no packages.

-- no debconf information

Secure testing team - May 2008 - Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)

[Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)