Florian Weimer wrote:
> * Uwe Kleine-König:
>
> > The problem is that my system has a libssl from testing
> > (i.e. 0.9.8g-8).
>
> Yeah, there isn't a good way to deal with that, especially as soon as
> backports and locally built packages are involved.
>
> debsecan and the security tracker try to deal with this, but they can't
> handle backports, either (but they tend to give false positives in that
> case).
>
> > Maybe openssh-server should conflict with the vulnerable versions of
> > libssl?
>
> The list is pretty long, so this is hardly feasible.
OK.

> > Or the newly generated keys should be checked resulting in a warning
> > if they are still vulnerable.
>
> That's probably a good idea.
>
> > A fixed libssl version for testing-proposed-updates would be
> > great, too. (But this is OT for this report.)
>
> testing has received the fixed version on 2008-05-11. There's no need
> to involve testing-proposed-updates.
You're right. I saw that I got a new openssl after I installed the security updates and already thought that this part of my report is obsolete. As usual that happened after sending the report :-(

Best regards
Uwe

-- 
Uwe Kleine-König, Software Engineer
Digi International GmbH Branch Breisach, Küferstrasse 8, 79206 Breisach, Germany
Tax: 315/5781/0242 / VAT: DE153662976 / Reg. Amtsgericht Dortmund HRB 13962
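The check proposed in the thread (warn when a freshly generated key is still one of the known-weak ones), as an added example that is not code from the bug report or from Debian's own tooling: fingerprint the blob of an OpenSSH public key line and look it up in a blacklist of weak fingerprints. The sample keys and the blacklist are constructed, and matching on the full MD5 fingerprint is an assumption of this example, not the format Debian's blacklist packages used.

```python
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return len(data).to_bytes(4, "big") + data


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    def mpint(x: int) -> bytes:
        # Extra byte keeps a leading zero when the top bit is set (positive mpint).
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return ssh_string(raw)
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def key_fingerprint_md5(key_line: str) -> str:
    """Hex MD5 fingerprint of the base64 blob in an OpenSSH public key line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    return hashlib.md5(blob).hexdigest()


def check_key(key_line: str, blacklist: set) -> str:
    """Return 'VULNERABLE' if the key's fingerprint is blacklisted, else 'ok'."""
    return "VULNERABLE" if key_fingerprint_md5(key_line) in blacklist else "ok"


# Constructed sample keys (tiny, not real RSA keys) and a constructed
# blacklist that contains the fingerprint of the first one.
WEAK_KEY = "ssh-rsa " + base64.b64encode(build_rsa_blob(65537, 0xC0FFEE)).decode() + " weak@example"
GOOD_KEY = "ssh-rsa " + base64.b64encode(build_rsa_blob(65537, 0xBEEF1234)).decode() + " good@example"
BLACKLIST = {key_fingerprint_md5(WEAK_KEY)}

if __name__ == "__main__":
    # A postinst-style check would run this over the keys it just generated
    # and warn on any VULNERABLE result.
    for line in (WEAK_KEY, GOOD_KEY):
        print(line.split()[-1], key_fingerprint_md5(line), check_key(line, BLACKLIST))
```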

