
Re: [SECURITY] [DSA 881-1] New OpenSSL 0.9.6 packages fix cryptographic weakness



Quoting joey@infodrom.org (Martin Schulze):

> --------------------------------------------------------------------------
> Debian Security Advisory DSA 881-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> November 4th, 2005                      http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : openssl096
> Vulnerability  : cryptographic weakness
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2005-2969
>
> Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
> (OpenSSL) library that can allow an attacker to perform active
> protocol-version rollback attacks that could lead to the use of the
> weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
> 1.0.
>
> The following matrix explains which version in which distribution has
> this problem corrected.
>
>                 oldstable (woody)      stable (sarge)     unstable (sid)
> openssl          0.9.6c-2.woody.8       0.9.7e-3sarge1      0.9.8-3
> openssl 094      0.9.4-6.woody.4             n/a              n/a
> openssl 095      0.9.5a-6.woody.6            n/a              n/a
> openssl 096           n/a               0.9.6m-1sarge1        n/a
> openssl 097           n/a                    n/a            0.9.7g-5
>
> We recommend that you upgrade your libssl packages.

With an upgrade like this, don't all the packages that link with OpenSSL
need to be re-packaged?

-- 
Ortega nuclear FSF Qaddafi congress subway president jihad Mossad
terrorist Ft. Bragg Ft. Meade arrangements spy DES
[See http://www.aclu.org/echelonwatch/index.html for more about this]
[Or http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf]
If neither of these works, try http://www.aclu.org and search for echelon.


