On Fri, Nov 19, 2010 at 11:35:48AM +0100, Peter Palfrader wrote:
> On Tue, 16 Nov 2010, Kurt Roeckx wrote:
> > I would like to add rfc5746 support to openssl in stable, so that
> > CVE-2009-3555 can be fixed. But adding that support means that
> > the old renegotiation doesn't work anymore unless you set an
> > option.
> > There are at least 2 packages that have an issue with this that I'm
> > currently aware of:
>
> > - tor: It should always disable the new renegotiation. Running it
> >   as a server doesn't work. Newer versions than in stable, like
> >   the version in volatile, do work properly with any version of
> >   openssl. The maintainer and upstream favour dropping the
> >   version currently in stable.
> What's the verdict here?
>
> Are we going to update openssl in stable (either via -security or with
> the next point release), and if yes, what are we doing with tor?

That's up to security.

> When we throw out tor 0.2.0.x from lenny, are we replacing it with the
> version currently in lenny-volatile?

I'd be ok with that.

Kind regards
Philipp Kern