On Mon, Jun 20, 2005 at 03:53:38PM +0200, Thomas Biege wrote:
On Mon, Jun 20, 2005 at 02:17:05PM +0200, Ralph Seichter wrote:
Thomas Biege wrote:
Err, I was too much in the security-scope. We also fix non-security bugs. But that depends on the bug and the problem it causes.
Well, one could consider any bug in OpenSSL as being a security bug, considering the nature of the software... ;-)
What bugs would you like to see fixed?
http://www.openssl.org/news/vulnerabilities.html mentions CAN-2004-0975 as affecting OpenSSL 0.9.7d and being fixed in version
This bug will be fixed together with the next update of openssl. Frankly this is a very minor bug. :)
0.9.7f. http://www.openssl.org/news/changelog.html lists a whole bunch of fixes, changes and additions between 0.9.7d and 0.9.7g, so I consider it worthwhile to have the latest stable OpenSSL version (0.9.7g) available on the servers under my responsibility.
We don't do version updates (with some exceptions) due to bad side effects.
As an addendum: We fix the security issues present in those libraries, but do not bump the version. Use either rpm -q --changelog openssl|less or our website to check for the CAN numbers we fixed and released updates for.

Ciao, Marcus
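The changelog check described in the last message can be scripted when the version string alone says nothing about backported fixes. This is an added example, not part of the original thread: the function names and the sample changelog are constructed, and it treats a CAN- id and the CVE- id with the same number as the same entry.

```shell
#!/bin/sh
# Added example: look for a backported fix in package changelog text by its
# CAN/CVE id instead of trusting the upstream version number.

# Normalise an advisory id: upper-case it and map the older CAN- prefix to CVE-.
normalize_id() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAN-/CVE-/'
}

# Read changelog text on stdin, print every CAN/CVE id it mentions,
# normalised and de-duplicated, one per line.
changelog_ids() {
    grep -Eio '(CAN|CVE)-[0-9]{4}-[0-9]{4,}' \
        | tr '[:lower:]' '[:upper:]' | sed 's/^CAN-/CVE-/' | sort -u
}

# Exit 0 if the id given as $1 is mentioned in the changelog on stdin, else 1.
# The -x match is on the whole id, so a longer number does not count as a hit.
changelog_has_fix() {
    want=$(normalize_id "$1")
    changelog_ids | grep -Fxq "$want"
}

# Constructed sample in the general layout of `rpm -q --changelog` output.
# CAN-0000-0001 is a placeholder id, not a real advisory.
sample_changelog() {
    cat <<'EOF'
* Sat Jan 01 2005 - packager@example.invalid
- security fix [CAN-2004-0975]
* Mon Mar 01 2004 - packager@example.invalid
- security fix (CAN-0000-0001)
EOF
}

# Demo on the constructed sample.
sample_changelog | changelog_has_fix CVE-2004-0975 && echo "fix listed in changelog"

# On an RPM-based host with the package installed:
#   rpm -q --changelog openssl | changelog_has_fix CAN-2004-0975 && echo patched
```

A miss only means the id is not mentioned in the changelog text, so a negative result still needs a look at the vendor's advisory pages.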