
Re: OpenSSL 0.9.8 patches



Hello Paul,

On Mon, 20 Oct 2014, Paul Allen wrote:
> Right, but what about the patch for adding TLS_FALLBACK_SCSV? And the
> other vulnerabilities that were patched in 0.9.8zc?

I believe that Kurt Roeckx <kurt@roeckx.be> (one of the openssl
maintainers in Debian) intends to upload a package with those
fixes. I'm not sure when he will get to it though (I'm putting him in
copy).

If you wish for more timely fixes, the LTS team is looking for more
resources (either human work time, see
http://wiki.debian.org/LTS/Development, or financial, see
http://www.freexian.com/services/debian-lts.html).

Cheers,

> Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]
>   *) Session Ticket Memory Leak.
>   *) Build option no-ssl3 is incomplete.
>   *) Add support for TLS_FALLBACK_SCSV.
>   *) Add additional DigestInfo checks.
>
> On 10/20/2014 01:22 PM, Johnathon Tinsley wrote:
> > POODLE is basically un-patchable. Just turn off SSLv3 in any application which requires encryption. 
> > 
> > 
> > 
> > ----- Original Message -----
> > From: "Paul Allen" <paul@inetz.com>
> > To: debian-lts@lists.debian.org
> > Sent: Monday, 20 October, 2014 7:51:12 PM
> > Subject: OpenSSL 0.9.8 patches
> > 
> > Will the OpenSSL 0.9.8 package for Squeeze LTS be getting patched with
> > the latest security patches for the items such as POODLE? I've seen the
> > Wheezy and Sid packages patched, but nothing for Squeeze yet.
> > 
> > Paul
> > 
> > 

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

