On Mon, Feb 24, 2003 at 03:00:47PM +0100, Martin Schulze imagined:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 253-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> February 24th, 2003                     http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : openssl
> Vulnerability  : information leak
> Problem-Type   : remote
> Debian-specific: no
> CVE Id         : CAN-2003-0078
>
> A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
> (SSL) implementation. In an upcoming paper, Brice Canvel (EPFL),
> Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
> Ilion) describe and demonstrate a timing-based attack on CBC cipher
> suites used in SSL and TLS. OpenSSL has been found to be vulnerable to
> this attack.
>
> For the stable distribution (woody) this problem has been
> fixed in version 0.9.6c-2.woody.2.
>
> For the old stable distribution (potato) this problem has been fixed
> in version 0.9.6c-0.potato.5. Please note that this updates the
> version from potato-proposed-updates that supersedes the version in
> potato.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 0.9.7a-1.
>
> We recommend that you upgrade your openssl packages.

[snip]

On sid/unstable, I have installed all the recommended patches, including
installing libssl0.9.7 (version 0.9.7a-1). I notice, however, that the
old version, i.e.

ii  libssl0.9.6    0.9.6i-1    SSL shared libraries (old version)

is still installed. Furthermore there are a large number of installed
software packages that show dependencies on the old version of libssl.

Am I (potentially) vulnerable by virtue of having the old version above
still installed on my system?

Cheers,

Raymond

-- 
"You deserve to be able to cooperate openly and freely with other people who
use software. You deserve free software." -Richard M. Stallman, Free Software
Foundation, http://www.fsf.org