Re: [stable] openssl rfc5746 / renegotiation support

Hey release folks,

On Tue, 16 Nov 2010, Kurt Roeckx wrote:

> I would like to add rfc5746 support to openssl in stable, so that
> CVE-2009-3555 can be fixed.  But adding that support means that
> the old renegotiation doesn't work anymore unless you set an
> option.

> There are at least 2 packages that have an issue with this that I'm
> currently aware of:

> - tor: It should always disable the new renegotiation.  Running it
>   as a server doesn't work.  Newer versions than in stable, like
>   the version in volatile, do work properly with any version of
>   openssl.  The maintainer and upstream favour dropping the
>   version currently in stable.

What's the verdict here?

Are we going to update openssl in stable (either via -security or with
the next point release), and if yes, what are we doing with tor?

When we throw out tor 0.2.0.x from lenny, are we replacing it with the
version currently in lenny-volatile?

                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
