Re: openssl-0.9.6c-2.woody.0 not vulnerable, right?
On Saturday 14 September 2002 06:17 pm, Eric G. Miller wrote:
> On Sat, Sep 14, 2002 at 01:11:34PM -0700, Alan Su wrote:
> > i just want to check on something here. when i first upgraded to
> > woody, i read <http://www.debian.org/security/2002/dsa-136>. this
> > advisory seems to indicate that the 0.9.6c version of openssl that is
> > in woody has been patched to eliminate the widely-discussed
> > vulnerability in openssl versions before 0.9.6e. in other words, i
> > believe that even though the base version of the openssl code that was
> > used to build this package is vulnerable, the code was patched before
> > the package was built.
>
> The answer for your system(s) probably can be found in
> /usr/share/doc/openssl/changelog.Debian.gz
>
> I show it fixed 30 Jul 2002 for 0.9.6e-1, but I'm using unstable. It's
> not unusual for Debian to back port security fixes (actually it's
> SOP, AFAIK).
The changelog shows that some security patches have been back-ported, but
from the description alone one cannot be sure which ones and whether the
current version has known security problems. Moreover, "urgency=low" would
suggest that this is not THE BUG.
Regards
Oleg
------------- /usr/share/doc/libssl0.9.6/changelog.Debian.gz -----------
openssl (0.9.6c-2.woody.0) stable-security; urgency=low

  * SECURITY: patch for various overflows (upstream security patch
    0.9.6d->0.9.6e)

 -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes
  * remove directory /usr/include/openssl from openssl package (closes:
    bug #121226)
  * remove selfdepends from libssl0.9.6
  * link openssl binary shared again

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100
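The check the thread describes, reading the package's changelog.Debian.gz to see whether the entry for the installed version records the backported security patch, as an added example that is not part of the original thread. The changelog text is a constructed sample modelled on the excerpt above; `installed_fix_present` is a hypothetical wrapper that assumes `dpkg-query` and `zcat` are available, and the pattern argument is an awk regex (passed with plain characters, since `awk -v` interprets backslash escapes).

```shell
#!/bin/sh
# Added example: does the Debian changelog entry for a given package version
# mention a particular backported security patch?

# Constructed sample modelled on the changelog quoted in the thread. On a real
# system the input would be: zcat /usr/share/doc/libssl0.9.6/changelog.Debian.gz
SAMPLE_CHANGELOG='openssl (0.9.6c-2.woody.0) stable-security; urgency=low

  * SECURITY: patch for various overflows (upstream security patch
    0.9.6d->0.9.6e)

 -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100
'

# newest_version CHANGELOG: print the version of the topmost (newest) entry.
newest_version() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z0-9.+-]+ \(/ { v = $2; gsub(/[()]/, "", v); print v; exit }'
}

# entry_mentions CHANGELOG VERSION PATTERN
# Exit 0 if the entry for exactly VERSION contains PATTERN anywhere in its
# body (continuation lines included), exit 1 otherwise. Matching the exact
# version matters: a fix recorded only in a newer entry does not help you.
entry_mentions() {
  printf '%s\n' "$1" | awk -v want="$2" -v pat="$3" '
    /^[A-Za-z0-9.+-]+ \(/ {            # entry header: pkg (version) dist; urgency=...
      v = $2; gsub(/[()]/, "", v)
      inentry = (v == want)
      next
    }
    inentry && $0 ~ pat { found = 1 }
    END { exit found ? 0 : 1 }'
}

# fix_in_newest CHANGELOG PATTERN: is the backport recorded in the newest entry?
fix_in_newest() {
  entry_mentions "$1" "$(newest_version "$1")" "$2"
}

# Hypothetical wrapper for an installed package (assumes dpkg-query and zcat).
# installed_fix_present PACKAGE PATTERN
installed_fix_present() {
  pkg=$1; pat=$2
  ver=$(dpkg-query -W -f '${Version}' "$pkg") || return 2
  entry_mentions "$(zcat "/usr/share/doc/$pkg/changelog.Debian.gz")" "$ver" "$pat"
}

if fix_in_newest "$SAMPLE_CHANGELOG" '0.9.6d->0.9.6e'; then
  echo "backport of the 0.9.6d->0.9.6e patch is recorded in the newest entry"
else
  echo "no such backport recorded in the newest entry"
fi
```

As the reply above notes, a changelog line only tells you that some patch was applied, not which hunks; where a DSA names the upstream patch (here 0.9.6d->0.9.6e), searching for that reference in the entry for the version `dpkg` reports installed is the most specific check the changelog alone supports.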