
Re: [buildd] Implications of DSA-1571-1



On Thu, May 15, 2008 at 02:16:25AM +0200, Michael Schmitz wrote:
>>> Well, those machines that were installed before etch should be safe. Can
>>> anyone confirm this?
>>
>> Only if you have an RSA key. DSA (as in, Digital Signature Algorithm)
>> keys should be considered compromised, too, since they use the OpenSSL
>> randomizer, which is buggy.
>
> q650 has libssl0.9.7 0.9.7e-3sarge1 - the advisory said the bug was 
> introduced with 0.9.8c. So it would seem sarge installs are in the clear. 
> Can we confirm that in some way?

Ah, yes, that's true.

> Can we backport the fixes to sarge if necessary?

It isn't.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22

