Re: [SECURITY] [DSA 881-1] New OpenSSL 0.9.6 packages fix cryptographic weakness
- To: debian-devel@lists.debian.org
- Subject: Re: [SECURITY] [DSA 881-1] New OpenSSL 0.9.6 packages fix cryptographic weakness
- From: Turbo Fredriksson <turbo@debian.org>
- Date: Sun, 06 Nov 2005 12:29:33 +0100
- Message-id: <87sluaypya.fsf@pumba.bayour.com>
- In-reply-to: <m1EXzLq-000ofAC@finlandia.Infodrom.North.DE> (Martin Schulze's message of "Fri, 4 Nov 2005 12:03:18 +0100 (CET)")
- References: <m1EXzLq-000ofAC@finlandia.Infodrom.North.DE>
Quoting joey@infodrom.org (Martin Schulze):
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 881-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> November 4th, 2005                      http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : openssl096
> Vulnerability : cryptographic weakness
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2005-2969
>
> Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
> (OpenSSL) library that can allow an attacker to perform active
> protocol-version rollback attacks that could lead to the use of the
> weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
> 1.0.
>
> The following matrix explains which version in which distribution has
> this problem corrected.
>
>               oldstable (woody)  stable (sarge)  unstable (sid)
> openssl       0.9.6c-2.woody.8   0.9.7e-3sarge1  0.9.8-3
> openssl 094   0.9.4-6.woody.4    n/a             n/a
> openssl 095   0.9.5a-6.woody.6   n/a             n/a
> openssl 096   n/a                0.9.6m-1sarge1  n/a
> openssl 097   n/a                n/a             0.9.7g-5
>
> We recommend that you upgrade your libssl packages.
With an upgrade like this, don't all the packages that link with OpenSSL
need to be re-packaged?
--
Ortega nuclear FSF Qaddafi congress subway president jihad Mossad
terrorist Ft. Bragg Ft. Meade arrangements spy DES
[See http://www.aclu.org/echelonwatch/index.html for more about this]
[Or http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf]
If neither of these works, try http://www.aclu.org and search for echelon.