> I have read the CVE advisory, why is DSA 875-1 only about openssl094? > Will there be other DSAs? I am asking because it seems strange to me > that Woody is already fixed but other, more important systems (the > current stable for example) will have to wait.
Typically, one DSA is issued for each affected source package. If this source package builds multiple binary packages (.deb files), all of them are given in the DSA. Same if both woody and sarge are affected. (There are some technical reasons why an approach based on source packages is desirable, although end users are rarely exposed to them and their names, so it can be confusing from time to time.) In the present case, the update was for source package openssl094, which is not present in sarge. The other updates will follow. For the time being, be assured that this is just a minor vulnerability. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
