On Fri 12 Aug 2016 at 11:04:31 (+0200), Daniel wrote:
> Is there a problem with the version numbering for the packages
> "openssl" and "libssl1.0.0"? It seems I get the version from
> jessie/main and that the version from jessie/updates/main is
> ignored because of the extra letter in the version number.
> Isn't 1.0.1k-3+deb8u5 the preferred version here? If so, then
> I suspect lots of Debian stable users are stuck on a version
> without the latest security patches, which I would consider
> very bad.
>
> Or is it just me being confused or have missed something?

Yes. But if you want to avoid tackling the Debian version system,
just look at the/any package's changelog and the versions/dates
within. Running jessie,

$ zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz | head -n 30
openssl (1.0.1t-1+deb8u2) jessie; urgency=medium

  * add Update-S-MIME-certificates.patch to update expired certificates to pass
    the test suite

 -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Wed, 11 May 2016 23:22:52 +0200

openssl (1.0.1t-1+deb8u1) jessie; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Update to 1.0.1t stable release (drop applied patches and refresh existing
    ones).
    - Use alternate trust chains part of 1.0.1n (Closes: #774882).
    - Use correct digest when exporting keying material (Closes: #807057)
    - Fix CVE-2015-3197 (not affected, SSLv2 disabled)
    - Fix CVE-2015-1793 (1.0.1n+ is affected and last upload was k)

 -- Kurt Roeckx <k...@roeckx.be>  Fri, 06 May 2016 15:56:09 +0200

openssl (1.0.1k-3+deb8u5) jessie-security; urgency=medium

  * Fix CVE-2016-2105
  * Fix CVE-2016-2106
  * Fix CVE-2016-2107
  * Fix CVE-2016-2108
  * Fix CVE-2016-2109
  * Fix CVE-2016-2176

 -- Kurt Roeckx <k...@roeckx.be>  Tue, 03 May 2016 18:44:21 +0200

$

Cheers,
David.