>> -----Original Message-----
>> From: Frank de Brabander [mailto:braban...@fox-it.com]
>> Sent: Thursday 7 June 2012 11:36
>> To: Samuli Seppänen; openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] PolarSSL 1.1.0 support?
>>
>> Maybe this should actually be changed to >= 1.1.2, since there is a
>> security issue with versions from 0.99-pre4 up to and including
>> PolarSSL 1.1.1.
>>
> The trouble there is that some distros tend to only backport the security
> patches, and not the version patches. This would throw an extra obstacle in
> their way. Is it really our responsibility to verify that you are using a
> secure version of an SSL library?
>
> Adriaan

I think it's the packager's responsibility to use/depend on secure versions of libraries - either latest ones or ones with backported security fixes. Also, if we did this for PolarSSL, we'd have to do it for OpenSSL and all other dependencies as well.

Samuli