Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability
From: Matt Zimmerman <mdz@debian.org>
Date: Tue, 25 Feb 2003 12:20:09 -0500
Message-id: <[🔎] 20030225172009.GI485@alcor.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20030225004120.GC11307@magma.ca>
References: <m18nJ9z-000ogPC@finlandia.Infodrom.North.DE> <[🔎] 20030225004120.GC11307@magma.ca>

On Mon, Feb 24, 2003 at 07:41:20PM -0500, Raymond Wood wrote:

> > For the unstable distribution (sid) this problem has been fixed in
> > version 0.9.7a-1.
> > 
> > We recommend that you upgrade your openssl packages.
> [snip]
> 
> On sid/unstable, I have installed all the recommended patches,
> including installing libssl0.9.7 (version 0.9.7a-1).
> 
> I notice, however, that the old version i.e.
>   ii  libssl0.9.6      0.9.6i-1         SSL shared libraries (old version)
> is still installed.  Furthermore there are a large number of
> installed software packages that show dependencies on the old
> version of libssl.
> 
> Am I (potentially) vulnerable by virtue of have the old version
> above still installed on my system?

Read /usr/share/doc/libssl0.9.6/changelog.Debian.gz.

-- 
 - mdz

Reply to:

References:
- Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability
  - From: Raymond Wood <raywood@magma.ca>

Prev by Date: Re: Nessus 2.0.0 packages available
Next by Date: Report to Recipient(s)
Previous by thread: Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability
Next by thread: Apache Virtual Hosts Chroot ?
Index(es):
- Date
- Thread