
Re: Packages that need to be rebuilt against libssl0.9.8



Jeroen van Wolffelaar schrieb:
> On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:
> 
>> a lot of people bugged me about the new version and upstream only recommends
>> this version. It also closes a grave security bug.
> 
> Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
> advisory about openssl recently, did you backport a patch to the sarge version
> (and preferably also, to the woody version) and inform the security team? I
> noticed you just requested help for maintaining openssl, so I can imagine that
> it's been hard to come up with a patch, but it would at least be
> beneficial to at least document such security issues, by informing security
> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
> the very least, a short description of the bug fixed) in your changelog entry.

It is documented in bug #314465. But it is not really a bug which you
can fix by backporting. It's about MD5 hashes being insecure. I talked
with upstream about the issue and follow their arguments:

>The default digest in 0.9.8 and the cvs head is SHA-1
>(we didn't change 0.9.7 as we didn't want to break existing
>implementations depending on the default digest being MD5).
>About SHA-256 etc. : they are included in the soon to
>appear 0.9.8.

The bug had been release critical and has the security tag. I downgraded
it to get the last 0.9.7 version into testing before uploading 0.9.8.

Christoph

-- 
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856
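The upstream quote above describes a library default (MD5 in 0.9.7, SHA-1 from 0.9.8) that callers inherit silently. The following is an added example, not from this thread or the Debian openssl package: a small POSIX shell helper that requests the signature digest explicitly instead of trusting the default, and audits existing PEM certificates for MD5-family signatures. It assumes the `openssl` command-line tool is installed; the subject name and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): pin the digest explicitly when
# creating certificates and flag certificates that still carry MD5 signatures.

# sig_alg_of_text: read `openssl x509 -text` output on stdin and print the
# first "Signature Algorithm:" value (the same name appears twice; both match).
sig_alg_of_text() {
    sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# is_weak_sig ALG: true (0) when ALG is an MD5- or MD2-based signature scheme,
# i.e. one that should be treated as untrustworthy for new certificates.
is_weak_sig() {
    case "$1" in
        md5*|md2*|MD5*|MD2*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_self_signed DIGEST OUTDIR: create a throwaway self-signed certificate,
# naming the digest on the command line so the library default never applies.
gen_self_signed() {
    digest="$1"; dir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" -"$digest" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_sig_alg FILE: signature algorithm name of a PEM certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sig_alg_of_text
}

# audit_cert FILE: report the algorithm; exit status 1 marks a weak signature.
audit_cert() {
    alg=$(cert_sig_alg "$1")
    if is_weak_sig "$alg"; then
        printf '%s: %s (WEAK: MD5-family signature)\n' "$1" "$alg"
        return 1
    fi
    printf '%s: %s (ok)\n' "$1" "$alg"
}

# Demonstration when run directly: generate a SHA-256 signed cert and audit it.
if command -v openssl >/dev/null 2>&1 && [ -z "$SKIP_DEMO" ]; then
    tmp=$(mktemp -d) && gen_self_signed sha256 "$tmp" && audit_cert "$tmp/cert.pem"
fi
```

Run `audit_cert` over a directory of PEM files (e.g. `for f in /etc/ssl/certs/*.pem; do audit_cert "$f"; done`) to find certificates still signed with MD5 after the 0.9.7 default was in use.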