On Sep 7, 2017, at 10:55 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
Am 07.09.2017 um 15:06 schrieb Alan DeKok:
So removing security checks is just not going to happen. Yeah, I actually wanted to second that.
But since everyone including FR relies on the dynamically linked libraries (SSL here), this specific security check boils down to checking the exact version, right?
Yes, because that's all we have.
I thought the discussion started by Rui is about this snippet from debian/rules: ---------------------------------------------------------------------------------------------------- # Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160). ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes) SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)" else SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)" endif ----------------------------------------------------------------------------------------------------- Or have I missed some additional checks?
The issue is that package managers fix (for example) 0.9.8j, and then release it as "0.9.8j-debian-alpha1". But that is the *package* name. The OpenSSL version is still "0.9.8j". And we have no way of knowing that the patch has been added.
So they still distribute 3.0.12, but with everything fixed. No. 3.0.15 would be "everything fixed". correct myself: They still distribute 3.0.12, but with security holes fixed in default config.
And missing lots of other fixes, documentation updates, etc. Alan DeKok.