Re: openssl wheezy update

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: openssl@packages.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: openssl wheezy update
From: Kurt Roeckx <kurt@roeckx.be>
Date: Wed, 1 Feb 2017 00:29:26 +0100
Message-id: <[🔎] 20170131232925.4ys5gfshc6icyitl@roeckx.be>
In-reply-to: <[🔎] 3266d8d9-0355-ca19-9b05-8bccf84684f1@debian.org>
References: <[🔎] 3266d8d9-0355-ca19-9b05-8bccf84684f1@debian.org>

On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
> Hi Kurt,
> 
> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have
> done some smoke testing on it and it seems fine, but I haven't been able to
> verify the three fixes as I can't find exploits for them (there is mention of
> one for CVE-2016-8610 in [1] but I can't find the actual file).
> 
> Do you have any suggestion for how to verify / test the update?
> 
> Do you want to upload this or should I take care of it?

Feel free to upload this.

The usptream version in jessie and wheezy, so the patches should
just apply.

I only have a test for the 32 bit crashes. It would require to get
the fuzzers working in the 1.0.1 version, which should be that
hard.

The other would be a cache timing attack, and I really have no
good way to test that.

I suggest you just upload it.

Kurt

Reply to:

References:
- openssl wheezy update
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: Wheezy update of xrdp?
Next by Date: Re: Wheezy update of mysql-5.5?
Previous by thread: openssl wheezy update
Next by thread: LTS report for January
Index(es):
- Date
- Thread