
Re: Security updates without DSA?



I'm not sure if this is considered "normal and ok" but it seems
reasonable...

> Packages in question are, amongst others, fetchmail-ssl, kmail, kppp,
> korn, kit, ksirc and several other KDE packages.  Since there are DSA's
> for openssl and kdelibs, my guess is that the aforementioned packages
> are "just" recompiles against the fixed libraries.  Should there not
> be DSA's for that as well?
> After all, the package seems to be affected by the security issue to
> some extent (otherwise recompilation is rather pointless).

Well, the case with openssl is that any TCP service that uses openssl
may be exploited using a malformed packet.  This should not, however,
require a recompile - such is the beauty of shared libs.

Not sure about kdelibs, but I would assume that the problem with kdelibs
may have required a recompile, as it's a much more complex library than
openssl (and may have some different/added functionality rather than a
simple <10 line fix).

-Justin
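The shared-library argument above has a practical check behind it: a binary that links libssl dynamically picks up the fixed .so on its next start (so the fix is "restart the service", not "rebuild the package"), while a statically linked one is stuck with the old code until rebuilt. The script below is an added example for this thread, not something Justin or Debian posted. It assumes `ldd` is installed, matches libraries by soname prefix (e.g. `libssl.so`), and ships a constructed ldd output so the classifier can be exercised without touching real binaries.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a binary benefits from
# a shared-library security update or would need a rebuild.
#
# Assumptions (this example's choices, not Debian policy):
#   - `ldd` is available for the live check in classify_binary
#   - libraries are matched by soname prefix, e.g. "libssl.so"
#   - libraries loaded with dlopen() at run time are NOT visible to ldd,
#     so "not-linked" means "not in NEEDED", not "never uses the library"

# dynamically_uses_lib LIBPREFIX
#   Reads ldd-style lines on stdin ("libssl.so.0.9.6 => /usr/lib/... (0x..)")
#   and returns 0 if the first field of any line starts with LIBPREFIX.
dynamically_uses_lib() {
    prefix=$1
    # `read` strips leading whitespace and splits on IFS, so `name` is the
    # soname and `_rest` swallows the "=> path (addr)" tail.
    while read -r name _rest; do
        case $name in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# classify_ldd_output LIBPREFIX
#   Reads complete ldd output on stdin and prints one verdict:
#     dynamic      links LIBPREFIX as a shared object: the fixed .so is used
#                  on the next start; restart the service, no rebuild needed
#     not-dynamic  "statically linked" / "not a dynamic executable": either
#                  the library is baked in (rebuild + re-release required)
#                  or this is not an ELF program at all (e.g. a script)
#     not-linked   dynamic, but LIBPREFIX is not among its NEEDED entries
classify_ldd_output() {
    prefix=$1
    out=$(cat)
    case $out in
        *"statically linked"*|*"not a dynamic executable"*)
            echo not-dynamic
            return 0 ;;
    esac
    if printf '%s\n' "$out" | dynamically_uses_lib "$prefix"; then
        echo dynamic
    else
        echo not-linked
    fi
}

# classify_binary PATH LIBPREFIX
#   Live check.  Caveat: ldd may execute the target's dynamic loader, so
#   run it only on binaries you trust (packages you installed), not on
#   files of unknown origin.
classify_binary() {
    ldd "$1" 2>&1 | classify_ldd_output "$2"
}

# Constructed sample of ldd output (shaped like a woody-era binary; the
# sonames and addresses are made up for this example).
SAMPLE_LDD_OUTPUT='    linux-gate.so.1 =>  (0xffffe000)
    libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40060000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Demo on the constructed sample; no real binaries are inspected here.
printf 'sample vs libssl.so:    %s\n' \
    "$(printf '%s\n' "$SAMPLE_LDD_OUTPUT" | classify_ldd_output libssl.so)"
printf 'sample vs libcrypto.so: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LDD_OUTPUT" | classify_ldd_output libcrypto.so)"

# Optional live check against the running shell, only if ldd exists.
if command -v ldd >/dev/null 2>&1; then
    printf '/bin/sh vs libc.so:     %s\n' "$(classify_binary /bin/sh libc.so)"
fi
```

In practice you would loop `classify_binary` over the files a package installs (`dpkg -L pkg`), and treat every `dynamic` hit as "restart after the libssl upgrade" and every `not-dynamic` hit as a candidate for the rebuild-and-re-release the original poster was asking about.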
