
Re: [buildd] Implications of DSA-1571-1



Well, those machines that were installed before etch should be safe. Can
anyone confirm this?

Only if you have an RSA key. DSA (as in, Digital Signature Algorithm)
keys should be considered compromised, too, since they use the OpenSSL
randomizer, which is buggy.

q650 has libssl0.9.7 0.9.7e-3sarge1 - the advisory said the bug was introduced with 0.9.8c. So it would seem sarge installs are in the clear. Can we confirm that in some way? Can we backport the fixes to sarge if necessary?

DSA (as in, Debian System Administration) is however aware of the
problem, and it should probably be fair to say that they'll give this
higher priority than other issues currently.

Is there already a fixed version available in etch-m68k?

Not that I know of. We should work on that.

I'm installing Stephen's packages on kullervo. crest is still unreachable.

N.B.: do install libedit2 and openssh-blacklist (from etch, arch-all) before installing the new openssh packages.

	Michael

