Drew Parsons
2008-May-15 01:43 UTC
[Secure-testing-team] Bug#481284: openssl should Depends: libssl0.9.8 (>=0.9.8g-9)
Package: openssl
Version: 0.9.8g-10
Severity: critical
Tags: security

The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to upgrade both openssl and libssl0.9.8. However, openssl (0.9.8g-10) only declares the dependency

  libssl0.9.8 (>= 0.9.8f-5)

This means it is possible for some users to have upgraded openssl to protect against the vulnerability, while not realising they have left libssl0.9.8 at a vulnerable version. They could mistakenly believe they are protected, when they are not.

I think it would be safer for openssl to explicitly declare a dependence on libssl0.9.8 (>= 0.9.8g-9) so as to ensure the upgrade takes place consistently.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.7-10             GNU C Library: Shared libraries
ii  libssl0.9.8  0.9.8g-8           SSL shared libraries
ii  zlib1g       1:1.2.3.3.dfsg-12  compression library - runtime

openssl recommends no packages.

-- no debconf information