Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
I don't fully understand DSA 875-1. I waited with this mail because I
thought I could figure it out myself but I can't.
Martin Schulze wrote:
> Package : openssl094
> Vulnerability : cryptographic weakness
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2005-2969
I have read the CVE advisory. Why is DSA 875-1 only about openssl094?
Will there be other DSAs? I am asking because it seems strange to me
that Woody is already fixed but other, more important systems (the
current stable for example) will have to wait.
> The following matrix explains which version in which distribution has
> this problem corrected.
>
>                  oldstable (woody)    stable (sarge)    unstable (sid)
> openssl          0.9.6c-2.woody.8     0.9.7e-3sarge1    0.9.8-3
> openssl 094      0.9.4-6.woody.4      n/a               n/a
> openssl 095      0.9.5a-6.woody.6     n/a               n/a
> openssl 096      n/a                  0.9.6m-1sarge1    n/a
> openssl 097      n/a                  n/a               0.9.7g-5
>
> We recommend that you upgrade your libssl packages.
Where is the binary package of openssl 0.9.7e-3sarge1? I could not find
it on security.debian.org. If I overlooked it, could someone please
provide me with a pointer to it?
> Debian GNU/Linux 3.0 alias woody
I hope there will be other DSAs covering this CVE.
Please cc me as I am not subscribed to this list any more.