
Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness



I don't fully understand DSA 875-1. I waited with this mail because I
thought I could figure it out myself but I can't.

Martin Schulze wrote:
> Package        : openssl094
> Vulnerability  : cryptographic weakness
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2005-2969

I have read the CVE advisory. Why is DSA 875-1 only about openssl094?
Will there be other DSAs? I am asking because it seems strange to me
that Woody is already fixed but other, more important systems (the
current stable for example) will have to wait.

> The following matrix explains which version in which distribution has
> this problem corrected.
> 
>                 oldstable (woody)      stable (sarge)     unstable (sid)
> openssl          0.9.6c-2.woody.8       0.9.7e-3sarge1      0.9.8-3
> openssl 094      0.9.4-6.woody.4             n/a              n/a
> openssl 095      0.9.5a-6.woody.6            n/a              n/a
> openssl 096           n/a               0.9.6m-1sarge1        n/a
> openssl 097           n/a                    n/a            0.9.7g-5
> 
> We recommend that you upgrade your libssl packages.

Where is the binary package of openssl 0.9.7e-3sarge1? I could not find
it on security.debian.org. If I overlooked it, could someone please
provide me with a pointer to it?

> Debian GNU/Linux 3.0 alias woody

I hope there will be other DSAs covering this CVE.
Please cc me as I am not subscribed to this list any more.


