
Re: OpenSSL version 0.9.7e ?!



Hi Nicolas,

Nicolas Pillot wrote:

> I had a strong *shrug* when I noticed that my stable system
> (originally woody, upgraded to sarge without kernel change) still had
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you are running Debian-provided kernels, you *really* should upgrade
to a kernel from Sarge.  The kernels from Woody have not been
security-supported for a LONG time, and there have been quite a few
serious security issues discovered in the kernel since then.  This is
potentially a much bigger deal than the OpenSSL issues you are concerned
about.

> OpenSSL version 0.9.7e installed, despite a daily dist-upgrade.
> 
> After looking at debian's sarge repository, I saw that the most up to
> date package is 0.9.7e-3sarge4, which I have (0.9.7 dates back from
> 2004). My question is, why on earth don't we have a newer version?
> 
> I counted about 12 different releases, either 0.9.7- or 0.9.8-based,
> each including security fixes. I could understand the will not to
> upgrade to 0.9.8, but I count 7 more recent 0.9.7 versions (up to
> 0.9.7L version, and the stable debian package build version is -4...
> 
> Even with a backport of the security fixes, I can't guess how the ssl
> package I have 0.9.7e-3sarge4 could be the most up-to-date one
> (security wise).
> 
> I thought that all the security fixes were included into sarge, am I wrong?
> If someone could give me some details, I'd be quite happy to learn :-)

Debian does not put new upstream releases, even point releases, into a
stable distribution.  What happens is that only the security fixes are
backported into a package in stable.  This minimizes the possibility for
the stable release to be de-stabilized by new code introduced upstream.
So while the version of libssl0.9.7 in Sarge is 0.9.7e-3sarge4, it
should nevertheless incorporate all the security fixes present in 0.9.7L.

If you look at the top several entries in
/usr/share/doc/libssl0.9.7/changelog.Debian.gz, you can see that the
following problems have been fixed in the Debian package in Sarge since
the upstream release of 0.9.7e:

CVE-2006-2940
CVE-2006-2937
CVE-2006-3738
CVE-2006-4343
CVE-2006-2940
CVE-2006-4339
CVE-2005-2969
CAN-2004-0975

If you are aware of other security-related bugs that have been fixed in
the latest upstream version of openssl but are not fixed in the Debian
package in Sarge, please contact the Debian security team or file a
severity "grave" bug in the Debian BTS!

best regards,

-- 
Kevin B. McCarty <kmccarty@princeton.edu>   Physics Department
WWW: http://www.princeton.edu/~kmccarty/    Princeton University
GPG: public key ID 4F83C751                 Princeton, NJ 08544
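The check described above (read the package's changelog.Debian.gz for the CVE ids that were backported, rather than trusting the upstream version string) as an added script; it is not from the original thread or from Debian. The changelog it parses is a constructed sample built from the ids listed in the mail, and the maintainer name and dates in it are placeholders.

```shell
#!/bin/sh
# Added example: verify that a Debian package's changelog.Debian.gz mentions a
# set of CVE ids. The version string (e.g. 0.9.7e-3sarge4) says nothing about
# backported fixes, so the changelog is what has to be read.

# Print every CVE-/CAN- identifier found in a changelog (gzipped or plain),
# one per line, de-duplicated. Older entries used the CAN- prefix.
cves_in_changelog() {
    file="$1"
    case "$file" in
        *.gz) gzip -dc "$file" ;;
        *)    cat "$file" ;;
    esac | grep -o -E '(CVE|CAN)-[0-9]{4}-[0-9]+' | sort -u
}

# Given a changelog and a list of ids, print the ids NOT mentioned in it.
# Returns 0 if every id is present, 1 otherwise.
missing_cves() {
    file="$1"; shift
    found=$(cves_in_changelog "$file" || true)
    status=0
    for id in "$@"; do
        if ! printf '%s\n' "$found" | grep -q -x "$id"; then
            echo "$id"
            status=1
        fi
    done
    return $status
}

# Constructed sample changelog (NOT the real libssl0.9.7 changelog; the
# maintainer and dates are placeholders). Written gzipped, like the real file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CHANGELOG="$SAMPLE_DIR/changelog.Debian.gz"
cat <<'EOF' | gzip -c > "$SAMPLE_CHANGELOG"
openssl (0.9.7e-3sarge4) stable-security; urgency=high

  * Fix CVE-2006-2940, CVE-2006-2937, CVE-2006-3738 and CVE-2006-4343.

 -- Example Maintainer <maintainer@example.invalid>  Thu, 28 Sep 2006 12:00:00 +0000

openssl (0.9.7e-3sarge3) stable-security; urgency=high

  * Fix CVE-2006-4339.

 -- Example Maintainer <maintainer@example.invalid>  Tue, 05 Sep 2006 12:00:00 +0000
EOF

# Demonstration on the constructed sample. Against a real system you would
# pass /usr/share/doc/<package>/changelog.Debian.gz instead.
echo "ids mentioned in the sample changelog:"
cves_in_changelog "$SAMPLE_CHANGELOG"
if missing_cves "$SAMPLE_CHANGELOG" CVE-2006-2940 CVE-2005-2969; then
    echo "all requested ids are present"
else
    echo "(the ids printed above are not mentioned in the changelog)"
fi
```

An id in the changelog only shows that the maintainer recorded a fix for it; the script is a quick way to answer "is this CVE addressed in my package?" without comparing upstream version numbers, which, as the mail explains, are not meaningful for a stable release.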