Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness

To: 7nrmi1s02@sneakemail.com
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 29 Oct 2005 15:27:26 +0200
Message-id: <[🔎] 87mzkssbb5.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 9022-30763@sneakemail.com> (7nrmi1s02@sneakemail.com's message of "Sat, 29 Oct 2005 10:56:35 +0200")
References: <m1EV3ZS-000p6FC@finlandia.Infodrom.North.DE> <[🔎] 9022-30763@sneakemail.com>

> I have read the CVE advisory, why is DSA 875-1 only about openssl094?
> Will there be other DSAs? I am asking because it seems strange to me
> that Woody is already fixed but other, more important systems (the
> current stable for example) will have to wait.

Typically, one DSA is issued for each affected source package.  If
this source package builds multiple binary packages (.deb files), all
of them are given in the DSA.  Same if both woody and sarge are
affected.  (There are some technical reasons why an approach based on
source packages is desirable, although end users are rarely exposed to
them and their names, so it can be confusing from time to time.)

In the present case, the update was for source package openssl094,
which is not present in sarge.  The other updates will follow.  For
the time being, be assured that this is just a minor vulnerability.

Reply to:

References:
- Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
  - From: 7nrmi1s02@sneakemail.com

Prev by Date: Re: CAN to CVE: changing changelogs?
Next by Date: Re: CAN to CVE: changing changelogs?
Previous by thread: Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
Next by thread: Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
Index(es):
- Date
- Thread