Re: Packages that need to be rebuilt agaisnt libssl0.9.8

To: Christoph Martin <martin@uni-mainz.de>
Cc: debian-devel@lists.debian.org
Subject: Re: Packages that need to be rebuilt agaisnt libssl0.9.8
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 7 Oct 2005 14:53:27 +0200
Message-id: <[🔎] 20051007125327.GA9164@informatik.uni-bremen.de>
In-reply-to: <4UWIB-7Ox-21@gated-at.bofh.it>
References: <4UqyJ-8gb-23@gated-at.bofh.it> <4UxAf-1hi-17@gated-at.bofh.it> <4UF4L-4Hj-23@gated-at.bofh.it> <4UGb3-6xj-45@gated-at.bofh.it> <4UHUm-VR-305@gated-at.bofh.it> <4UKxB-5q3-33@gated-at.bofh.it> <4ULka-6Jm-21@gated-at.bofh.it> <4UWIB-7Ox-21@gated-at.bofh.it>

In linux.debian.devel, you wrote:
>> beneficial to at least document such security issues, by informing security
>> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
>> the very least, a short description of the bug fixed) in your changelog entry.
>
> It is documented in bug #314465. But it is not really a bug which you
> can fix by backporting. It's about MD5 hashes being insecure. I talked
> with upstream about the issue and follow their arguments:

Well, it's not that MD5 is secure in 0.9.8, it's just that the default hash
has been changed. So changing /etc/openssl.cnf's "default_md = md5" to
"default_md = sha1" would have the same effect, as sha1 is already present
in 0.9.7; only the more complex SHA variants have been introduced in 0.9.8.

Cheers,
        Moritz

Reply to:

Prev by Date: Re: Packages that need to be rebuilt agaisnt libssl0.9.8
Next by Date: Re: dh_libtool proposal (-dev dependencies on -dev from libtool)
Previous by thread: Re: Packages that need to be rebuilt agaisnt libssl0.9.8
Next by thread: Re: localhost.localdomain
Index(es):
- Date
- Thread