
Re: openssl-0.9.6c-2.woody.0 not vulnerable, right?



On Saturday 14 September 2002 06:17 pm, Eric G. Miller wrote:
> On Sat, Sep 14, 2002 at 01:11:34PM -0700, Alan Su wrote:
> > i just want to check on something here.  when i first upgraded to
> > woody, i read <http://www.debian.org/security/2002/dsa-136>.  this
> > advisory seems to indicate that the 0.9.6c version of openssl that is
> > in woody has been patched to eliminate the widely-discussed
> > vulnerability in openssl versions before 0.9.6e.  in other words, i
> > believe that even though the base version of the openssl code that was
> > used to build this package is vulnerable, the code was patched before
> > the package was built.
>
> The answer for your system(s) probably can be found in
> /usr/share/doc/openssl/changelog.Debian.gz
>
> I show it fixed 30 Jul 2002 for 0.9.6e-1, but I'm using unstable. It's
> not unusual for Debian to back port security fixes (actually it's
> SOP, AFAIK).

The changelog shows that some security patches have been back-ported, but 
from the description alone one cannot be sure which ones and whether the 
current version has known security problems. Moreover, "urgency=low" would 
suggest that this is not THE BUG.

Regards
Oleg
------------- /usr/share/doc/libssl0.9.6/changelog.Debian.gz -----------

openssl (0.9.6c-2.woody.0) stable-security; urgency=low

  * SECURITY: patch for various overflows (upstream security patch
    0.9.6d->0.9.6e)

 -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes
  * remove directory /usr/include/openssl from openssl package (closes:
    bug #121226)  
  * remove selfdepends from libssl0.9.6
  * link openssl binary shared again

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100


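The thread's advice is to read changelog.Debian.gz and look for the entry that records the back-port. The script below is an added example, not part of the original message: it parses the Debian changelog format shown above (header line "package (version) distribution; urgency=...", indented body, " -- maintainer  date" trailer) and lists each entry whose body carries a SECURITY note together with its version, distribution and urgency, so the entry can be compared against what the advisory names (here the 0.9.6d->0.9.6e upstream patch). The embedded changelog text is a constructed sample modelled on the one quoted above; on a real system you would feed it `zcat /usr/share/doc/libssl0.9.6/changelog.Debian.gz` instead.

```shell
#!/bin/sh
# Constructed sample changelog, modelled on the one quoted in the message above.
SAMPLE_CHANGELOG='openssl (0.9.6c-2.woody.0) stable-security; urgency=low

  * SECURITY: patch for various overflows (upstream security patch
    0.9.6d->0.9.6e)

 -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes
  * remove selfdepends from libssl0.9.6

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100
'

# security_entries: read a Debian changelog on stdin and print
# "version distribution urgency" for every entry whose body mentions
# "security" (case-insensitive). The header line itself is skipped so that
# a distribution such as "stable-security" does not count as a match.
security_entries() {
    awk '
        function flush() { if (inentry && sec) print ver, dist, urg; sec = 0 }
        # Entry header: "pkg (version) dist; urgency=x"
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\) [^;]*; *urgency=/ {
            flush()
            ver = $2; gsub(/[()]/, "", ver)
            dist = $3; sub(/;$/, "", dist)
            urg = $0; sub(/.*urgency=/, "", urg); sub(/[ ,].*/, "", urg)
            sec = 0; inentry = 1
            next
        }
        inentry && tolower($0) ~ /security/ { sec = 1 }
        # Trailer line: " -- Maintainer <email>  date" closes the entry.
        /^ -- / { flush(); inentry = 0 }
        END { flush() }
    '
}

# latest_version: print the version of the topmost (newest) entry, which is
# the version dpkg -l would report for the installed package.
latest_version() {
    awk '
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\) [^;]*; *urgency=/ {
            ver = $2; gsub(/[()]/, "", ver); print ver; exit
        }
    '
}

# Run against the sample; replace with:
#   zcat /usr/share/doc/libssl0.9.6/changelog.Debian.gz | security_entries
printf '%s' "$SAMPLE_CHANGELOG" | security_entries
printf '%s' "$SAMPLE_CHANGELOG" | latest_version
```

The point of listing the entry rather than just the version string is the one made in the thread: a Debian version such as 0.9.6c-2.woody.0 says nothing about which upstream fixes it carries, so the back-port has to be identified from the changelog text (here "upstream security patch 0.9.6d->0.9.6e") and matched against the advisory, DSA-136 in this case, rather than inferred from the version number alone.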
