Re: Security updates without DSA?
I'm not sure if this is considered "normal and ok" but it seems
> Packages in question are, amongst others, fetchmail-ssl, kmail, kppp,
> korn, kit, ksirc and several other KDE packages. Since there are DSAs
> for openssl and kdelibs, my guess is that the aforementioned packages
> are "just" recompiles against the fixed libraries. Should there not
> be DSAs for that as well?
> After all, the package seems to be affected by the security issue to
> some extent (otherwise recompilation is rather pointless).
Well, the case with openssl is that any tcp service that uses openssl
may be exploited using a malformed packet. This should not, however,
require a recompile - such is the beauty of shared libs..
Not sure about kdelibs, but I would assume that the problem with kdelibs
may have required a recompile, as it's a much more complex library than
openssl (and may have some different/added functionality rather than a
simple <10 line fix).
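
The following is an added example, not part of the thread or anyone's reply in it. A fixed shared library reaches a dynamically linked program without a recompile, but only once the process is restarted; on Linux, a process still using the replaced file shows it in `/proc/<pid>/maps` with a ` (deleted)` suffix. The sample map contents, PIDs and library file names below are constructed for illustration.

```python
import os

DELETED = " (deleted)"

def stale_mappings(maps_text, lib_names=("libssl", "libcrypto")):
    """Return replaced-on-disk libraries that one process still has mapped."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5].rstrip()
        if not path.endswith(DELETED):
            continue                      # file on disk is the one in use
        path = path[:-len(DELETED)]
        if os.path.basename(path).startswith(lib_names):
            stale.add(path)
    return stale

def scan(maps_by_pid, lib_names=("libssl", "libcrypto")):
    """Map pid -> stale libraries, for processes that need a restart."""
    found = {}
    for pid, text in maps_by_pid.items():
        hits = stale_mappings(text, lib_names)
        if hits:
            found[pid] = hits
    return found

# Constructed sample: pid 412 started before the library upgrade, pid 977 after.
SAMPLE = {
    "412": "\n".join([
        "08048000-08060000 r-xp 00000000 08:01 4100 /usr/bin/fetchmail",
        "40020000-40050000 r-xp 00000000 08:01 5200 /usr/lib/libssl.so.0.9.6 (deleted)",
        "40050000-40130000 r-xp 00000000 08:01 5201 /usr/lib/libcrypto.so.0.9.6 (deleted)",
        "40130000-40240000 r-xp 00000000 08:01 3001 /lib/libc-2.2.5.so",
        "bfffe000-c0000000 rw-p 00000000 00:00 0",
    ]),
    "977": "\n".join([
        "08048000-08060000 r-xp 00000000 08:01 4100 /usr/bin/fetchmail",
        "40020000-40050000 r-xp 00000000 08:01 6300 /usr/lib/libssl.so.0.9.6",
        "08060000-08070000 rw-p 00000000 00:00 0 [heap]",
    ]),
}

if __name__ == "__main__":
    for pid, libs in sorted(scan(SAMPLE).items()):
        print(pid, "still maps", ", ".join(sorted(libs)))
```

To check a live system, build the same dictionary by reading `/proc/<pid>/maps` for each numeric entry under `/proc` (as root, to see other users' processes) and pass it to `scan`.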