[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

dependency on vulnerable version?


Yes, its me again with my dumb questions:)

Zorp depends on libssl. 
DSA-393-1 says that libssl 0.9.7c-1 should be okay.
The shlibs file of libssl0.9.7 contains an unversioned dependency,
and because of that, zorp's dependency is also not versioned.

-Should I bother to give a dependency to a package version which
 is without known vulnerability( >= 0.9.7c-1) ?
 In a security-oriented software?
-If giving dependency to not-known-vulnerable version is okay,
 how should I do it in a clean way? In shlibs.local (which I just got
 rid of;) ?
-Is it nice behaviour from libssl to give unversioned dependency?

GNU GPL: csak tiszta forrásból

Reply to: