Re: Packages that need to be rebuilt agaisnt libssl0.9.8
- To: Christoph Martin <martin@uni-mainz.de>
- Cc: debian-devel@lists.debian.org
- Subject: Re: Packages that need to be rebuilt agaisnt libssl0.9.8
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Fri, 7 Oct 2005 14:53:27 +0200
- Message-id: <20051007125327.GA9164@informatik.uni-bremen.de>
- In-reply-to: <4UWIB-7Ox-21@gated-at.bofh.it>
- References: <4UqyJ-8gb-23@gated-at.bofh.it> <4UxAf-1hi-17@gated-at.bofh.it> <4UF4L-4Hj-23@gated-at.bofh.it> <4UGb3-6xj-45@gated-at.bofh.it> <4UHUm-VR-305@gated-at.bofh.it> <4UKxB-5q3-33@gated-at.bofh.it> <4ULka-6Jm-21@gated-at.bofh.it> <4UWIB-7Ox-21@gated-at.bofh.it>
In linux.debian.devel, you wrote:
>> beneficial to at least document such security issues, by informing security
>> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
>> the very least, a short description of the bug fixed) in your changelog entry.
>
> It is documented in bug #314465. But it is not really a bug which you
> can fix by backporting. It's about MD5 hashes being insecure. I talked
> with upstream about the issue and follow their arguments:
Well, it's not that MD5 is secure in 0.9.8, it's just that the default hash
has been changed. So changing /etc/openssl.cnf's "default_md = md5" to
"default_md = sha1" would have the same effect, as sha1 is already present
in 0.9.7; only the more complex SHA variants have been introduced in 0.9.8.
Cheers,
Moritz
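As an added illustration, not part of the original thread or of Debian's openssl packaging: a small Python checker that reads an openssl.cnf, resolves the default_md that `openssl req` and `openssl ca` would sign with, and shows the md5 setting beside the sha1 one Moritz suggests. The two configs are constructed samples resembling the 0.9.7-era Debian file; the parser is deliberately minimal (no .include, no $variable expansion) and the "deprecated" label for sha1 reflects current practice, which is an assumption of this example, not something the thread says.

```python
"""Report the signing digest an OpenSSL config selects (added example)."""
import re

# Digests OpenSSL 0.9.7 already shipped and that must not be used for signing.
WEAK_DIGESTS = {"md2", "md4", "md5"}
# sha1 was the 0.9.8 default; treating it as deprecated is an assumption of
# this example based on current practice, not a statement from the thread.
DEPRECATED_DIGESTS = {"sha1", "sha"}

# Constructed sample: the "default_md = md5" configuration the thread discusses.
WEAK_CNF = """
# constructed sample resembling a 0.9.7-era Debian openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = md5
[ req ]
default_bits = 1024
default_md = md5
distinguished_name = req_distinguished_name
"""

# Constructed sample: the same file after Moritz's suggested change.
FIXED_CNF = WEAK_CNF.replace("default_md = md5", "default_md = sha1")


def parse_openssl_cnf(text):
    """Minimal parser for the OpenSSL config format: '[ section ]' headers,
    'key = value' lines and '#' comments.  Keys seen before any header land
    in the unnamed default section."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def default_md(text, section="req"):
    """Digest name the given section selects, lower-cased, or None if unset
    (OpenSSL then applies its built-in default, md5 in 0.9.7 and sha1 in
    0.9.8).  Falls back to the unnamed default section the way OpenSSL's
    config lookup does."""
    sections = parse_openssl_cnf(text)
    value = sections.get(section, {}).get("default_md")
    if value is None:
        value = sections["default"].get("default_md")
    return value.lower() if value else None


def classify(md):
    """'weak', 'deprecated', 'ok' or 'unset' for a digest name."""
    if md is None:
        return "unset"
    if md in WEAK_DIGESTS:
        return "weak"
    if md in DEPRECATED_DIGESTS:
        return "deprecated"
    return "ok"


def audit(text):
    """Check both places a signing digest is configured: the [req] section
    used by `openssl req`, and the CA section named by [ca] default_ca
    (CA_default if unset) used by `openssl ca`."""
    sections = parse_openssl_cnf(text)
    ca_section = sections.get("ca", {}).get("default_ca", "CA_default")
    return {
        "req": (default_md(text, "req"), classify(default_md(text, "req"))),
        ca_section: (default_md(text, ca_section),
                     classify(default_md(text, ca_section))),
    }


if __name__ == "__main__":
    for label, cnf in (("md5 config", WEAK_CNF), ("sha1 config", FIXED_CNF)):
        print(label)
        for section, (md, verdict) in audit(cnf).items():
            print(f"  [{section}] default_md = {md}: {verdict}")
```

Note that a digest given on the command line (for instance `openssl req -sha1`) overrides default_md, so the config check above only tells you what signing requests get when no digest option is passed.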