Re: CVE-2009-3555 not addressed in OpenSSL
> Debian, being a volunteer organization, has it's upsides and
> downsides. The downside here being without an active volunteer
> interested in this problem, nothing has happened.
>
> What is needed here is someone to step up to the plate: file some bugs;
> try to find the patches; backport and test them; etc. Bottom line,
> a little work and communication with maintainers of the affected
> packages would go a long way toward resolving this.
That was my initial goal in initiating this conversation. I provided
a link to the patches already:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34
I installed the jaunty package on my lenny machines and the ff error
console warning is gone:
https://debian-lenny.badercom.net/
It appears to work but whenever a package as critical as openssl is
modified it's important to have upstream take a look to make sure
everything looks good. Ubuntu may or may not have done this, I
haven't done the leg work to figure that out but it looks like that
could be the next step. If I/we/whoever can verify this or gain the
blessing of upstream would you consider updating the package Kurt if I
also coordinate this with the Debian apache and nginx packagers?
--
Kyle
Reply to: