
Re: [stable] openssl rfc5746 / renegotiation support



On Fri, Nov 19, 2010 at 11:35:48AM +0100, Peter Palfrader wrote:
> On Tue, 16 Nov 2010, Kurt Roeckx wrote:
> > I would like to add rfc5746 support to openssl in stable, so that
> > CVE-2009-3555 can be fixed.  But adding that support means that
> > the old renegotiation doesn't work anymore unless you set an
> > option.
> > There are at least 2 packages that have an issue with this that I'm
> > currently aware of:
> 
> > - tor: It should always disable the new renegotiation.  Running it
> >   as a server doesn't work.  Newer versions than in stable, like
> >   the version in volatile, do work properly with any version of
> >   openssl.  The maintainer and upstream favour dropping the
> >   version currently in stable.
> What's the verdict here?
> 
> Are we going to update openssl in stable (either via -security or with
> the next point release), and if yes, what are we doing with tor?

That's up to security. 

> When we throw out tor 0.2.0.x from lenny, are we replacing it with the
> version currently in lenny-volatile?

I'd be ok with that.

Kind regards
Philipp Kern
