
Re: embedding openssl source in sslscan



Hi,

On 2 January 2017 11:35:30 CET, Thijs Kinkhorst <thijs@debian.org> wrote:
>On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote:
>> Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
>>
>> Please use team@security.debian.org if you want to reach the security
>> team, not debian-security@ldo.
>>
>>> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
>>> source?
>>
>> That's for post-stretch, right? Right now it can simply link against
>> the 1.0.2 copy,
>>
>> Seems fine to me for that use case, and it won't need any security
>> updates to the embedded openssl copy for all practical purposes
>anyway.
>
>I agree, the risk for this use case is quite low,

I don't think that's true: there are already attacks against forensic software out there, and if you have e.g. remote code execution in SSL client code, any use of sslscan built against an unpatched, insecure openssl would be quite dangerous.

There are other bugs you don't need to care about in this case:
- timing side channels
- most information leaks
- insecure algorithms
- DoS
- weak RNG

But just because the scanner use case isn't affected by these types of bugs doesn't mean you can skip security updates for this altogether. What is true is that the maintenance burden is somewhat lower. (OTOH one needs to be able to judge whether each specific vulnerability affects this or not, which also isn't entirely trivial.)

>and having tools like
>sslscan readily available in Debian is greatly beneficial for security.

ACK on this front, I find sslscan very useful myself.

Regards,
Christian



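The practical question behind this thread is whether a given sslscan binary gets its OpenSSL from the distribution's shared libssl (and therefore picks up Debian security updates automatically) or carries an embedded, statically compiled copy that only changes when sslscan itself is rebuilt. The following is an added example, not code from the thread or from the sslscan project: a small POSIX sh helper that classifies `ldd` output for a binary. The function name `classify_ssl_linkage` and the sample `ldd` outputs are constructed for illustration and were not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the sslscan project): tell whether a
# binary resolves libssl/libcrypto from shared objects (covered by the
# distribution's security updates) or has OpenSSL compiled in, so that the
# embedded copy must be tracked and the binary rebuilt when a client-side
# relevant OpenSSL fix lands.
#
# classify_ssl_linkage reads `ldd` output on stdin and prints one of:
#   shared  - libssl/libcrypto come from shared objects
#   static  - OpenSSL is not a runtime dependency (compiled in, or the whole
#             binary is static)
#   unknown - no ldd output at all

classify_ssl_linkage() {
    # Capture stdin once so it can be inspected several times.
    ldd_out=$(cat)

    if [ -z "$ldd_out" ]; then
        echo unknown
        return 0
    fi

    # A fully static binary: ldd cannot list anything.
    if printf '%s\n' "$ldd_out" | grep -q 'not a dynamic executable'; then
        echo static
        return 0
    fi

    # Dynamic binary: look for the OpenSSL shared objects among its deps.
    if printf '%s\n' "$ldd_out" | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo shared
    else
        # Dynamic, but no libssl/libcrypto: OpenSSL was linked in statically.
        echo static
    fi
}

# Constructed sample ldd outputs (hypothetical, not from a real machine).
SAMPLE_SHARED='    linux-vdso.so.1 (0x00007ffd00000000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000000000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

SAMPLE_EMBEDDED='    linux-vdso.so.1 (0x00007ffd00000000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

SAMPLE_STATIC='    not a dynamic executable'

# Demonstration on the constructed samples.
printf 'distro libssl build:    %s\n' "$(printf '%s\n' "$SAMPLE_SHARED"   | classify_ssl_linkage)"
printf 'embedded openssl build: %s\n' "$(printf '%s\n' "$SAMPLE_EMBEDDED" | classify_ssl_linkage)"
printf 'fully static build:     %s\n' "$(printf '%s\n' "$SAMPLE_STATIC"   | classify_ssl_linkage)"

# On a real system run it against the installed binary:
#   ldd "$(command -v sslscan)" | classify_ssl_linkage
```

If the result is `static`, the OpenSSL version inside the binary is whatever it was built with, so the relevant question from the thread (does this particular OpenSSL advisory affect client-side code paths?) has to be answered for each advisory and the package rebuilt accordingly; a `shared` result means the fix arrives with the libssl security update.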