Package: openssl
Version: 0.9.8g-10
Severity: critical
Tags: security

The SSL vulnerability was fixed this week in v0.9.8g-9, so we need to upgrade both openssl and libssl0.9.8.

However, openssl (0.9.8g-10) only declares the dependency libssl0.9.8 (>= 0.9.8f-5).

This means it is possible for some users to have upgraded openssl to protect against the vulnerability, while not realising they have left libssl0.9.8 at a vulnerable version. They could mistakenly believe they are protected, when they are not.

I think it would be safer for openssl to explicitly declare a dependence on libssl0.9.8 (>=0.9.8g-9) so as to ensure the upgrade takes place consistently.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.7-10              GNU C Library: Shared libraries
ii  libssl0.9.8  0.9.8g-8            SSL shared libraries
ii  zlib1g       1:1.2.3.3.dfsg-12   compression library - runtime

openssl recommends no packages.

-- no debconf information