On 2014-08-02 17:43, Axel Beckert wrote:
Hi David,

David Kalnischkies wrote:
[...]
It is also a remark on how people think they have installed a security fix by installing pkgA, while the fix is actually in libobscureA… O.o While I can imagine that people don't exactly know in which dependency the actual issue is located, I can't believe that people really try to fix issues that way.
While it's not precisely equivalent, there's a reason that openssl DSAs now include the text "It's important that you upgrade the libssl1.0.0 package and not just the openssl package".

Regards, Adam