dependency on vulnerable version?
Hi!
Yes, it's me again with my dumb questions :)
Zorp depends on libssl.
DSA-393-1 says that libssl 0.9.7c-1 should be okay.
The shlibs file of libssl0.9.7 contains an unversioned dependency,
and because of that, zorp's dependency is also not versioned.
Questions:
- Should I bother to give a dependency to a package version which
is without known vulnerability (>= 0.9.7c-1)?
In a security-oriented software?
- If giving dependency to not-known-vulnerable version is okay,
how should I do it in a clean way? In shlibs.local (which I just got
rid of ;)?
- Is it nice behaviour from libssl to give unversioned dependency?
--
GNU GPL: only from a clean source