On Sat, Sep 14, 2002 at 06:39:33PM -0400, Oleg wrote:
> The changelog shows that some security patches have been back-ported, but
> from the description alone one can not be sure which ones and whether the
> current version has known security problems. Moreover, "urgency=low" would
> suggest that this is not THE BUG.

The changelog indicates that the security fix incorporated the upstream changes from version d to version e, which are the changes that fix the vulnerability exploited by this latest worm. Urgency=low is pretty meaningless on uploads made by the security team, especially when you consider that the bugfix was for a remote vulnerability. There's no such thing as a low priority when dealing with remote security issues.

And yes, the OpenSSL packages on security.debian.org do seem to be safe. They have been tested by members of the security team against the code for the new worm.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html