Re: Packages that need to be rebuilt agaisnt libssl0.9.8
In linux.debian.devel, you wrote:
>> beneficial to at least document such security issues, by informing security
>> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
>> the very least, a short description of the bug fixed) in your changelog entry.
> It is documented in bug #314465. But it is not really a bug which you
> can fix by backporting. It's about MD5 hashes being insecure. I talked
> with upstream about the issue and follow their arguments:
Well, it's not that MD5 is secure in 0.9.8, it's just that the default hash
has been changed. So changing /etc/openssl.cnf's "default_md = md5" to
"default_md = sha1" would have the same effect, as sha1 is already present
in 0.9.7; only the more complex SHA variants have been introduced in 0.9.8.