On Wed, Dec 28, 2005 at 12:30:53PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
> > > Since there is no libssl097-dev any longer I guess I'll have to recompile
> > > all packages.

> > It should actually be possible to fix this with binNMUs on the autobuilders,
> > I think. I'll go ahead and queue those now.

> Please don't. The libssl 0.9.8 does *not* work when using Nessus, I've just
> recompiled all packages (libnasl, nessus-plugins and nessus-core) to try to
> get it working and I still get this:

Already done, though; as I said, it doesn't make things any *worse*, and
this is an RC bug in libssl0.9.8 that needs to be fixed. Having libnasl
stay linked against libssl0.9.7, and then accidentally get broken in a
security reupload, wouldn't be good either, so we might as well have
binaries in the archive that correspond to the current sources.

On Wed, Dec 28, 2005 at 12:47:48PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
> > > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > > 0.9.8

> > Ok, I don't see this either:

> > $ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
> > libssl.so.0.9.8 => not found
> > $

> Funny, it seems that ldd output varies _if_ you have this:

Right... the problem with ldd is that it recurses library dependencies, so
it doesn't really tell you where the problem lies. :)

> So, for archs that have compiled libnasl2 against libssl.so.0.9.8 you will
> not "see" nessusd linking against both. For archs that have compiled libnasl
> against libssl.so.0.9.7 you will see that. Those archs include i386 at
> least, since the packages for i386 were compiled in August by me. Which was
> previous to the switch of 0.9.7 to 0.9.8 in libssl-dev (in October).

It was actually the case on all architectures, fwiw.

> > To me, this bug looks like it's just an instance
> > of #338006.

> Indeed, it looks like this might be the end issue. Is it a good idea to force
> everyone to use a buggy library? Wouldn't it make sense to provide a
> libssl097-dev to prevent breakage for those packages that get bitten by this
> bug?

As mentioned, the bug in libssl0.9.8 *is* RC; and I don't think we're going
to be reverting all of these packages to remove libssl0.9.8 from etch; so I
believe it's better to focus on fixing openssl instead of trying to work
around it.

In the meantime, I guess I would have to recommend that users who need
nessus use the version from stable.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/