
Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator



OoO At the start of this cloudy afternoon of Tuesday 13 May 2008, around 14:06,
Florian Weimer <fw@deneb.enyo.de> said:

> Package        : openssl
> Vulnerability : predictable random number generator

Some other random questions:
 - It seems  that firefox does not handle  CRLs unless manually imported,
   correct? This  means that in  most cases already  issued certificates
   are still  vulnerable even when revoked. A  quick look seems  to show that
   most software does not handle CRLs at all.
 - As a  maintainer of a package that  has generated certificates using
   OpenSSL, how should we handle the issue?

For the last question, I see several solutions:
 - the user has to read the DSA and handle it himself
 - a helper package  will be provided and each  package should register
   key  locations (in  a bug  report against  the package,  for example);
   those keys  will be checked  and the user  will be warned  about weak
   keys.  Moreover, each  package  will generate  a  short help  message
   explaining  how  to regenerate  keys.  This  helper  package will  be
   shipped in security and uploaded with a libssl depending on it
 - the  helper package  can also  be used directly  by the  package, which
   should call some magic function in  postinst; the bad news with this
   approach  is  that we  should  upload  a  security release  for  each
   impacted package.

Any thoughts?
-- 
panic("IRQ, you lose...");
	2.2.16 /usr/src/linux/arch/mips/sgi/kernel/indy_int.c
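As an added illustration of the helper-package check proposed in the message above (this code is not part of the thread, of openssl-blacklist, or of any Debian package): a registry of key locations is scanned, each key's public modulus is parsed from a PKCS#1 RSAPublicKey DER blob, a fingerprint is compared against a blacklist, and a warning with a regeneration hint is printed for each hit. Everything concrete is constructed for the example: the package names and paths, the "weak" moduli, the sample keys, and the fingerprint convention (last 20 hex characters of SHA-1 over the uppercase hex modulus), which is an assumption and not the real openssl-blacklist format.

```python
import hashlib

# --- minimal DER helpers (enough for PKCS#1 RSAPublicKey) -------------------

def der_len_encode(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_len_decode(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes

def der_read_tlv(buf, pos):
    """Read one tag/length/value triple; return (tag, value, position after)."""
    tag = buf[pos]
    length, pos = der_len_decode(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length

def der_integer(value):
    """Encode a non-negative int as a DER INTEGER (extra 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len_encode(len(raw)) + raw

def build_rsa_public_key(n, e):
    """Construct a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len_encode(len(body)) + body

def parse_rsa_public_key(der):
    """Return (n, e) from a PKCS#1 RSAPublicKey DER blob."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_raw, pos = der_read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    tag, e_raw, _ = der_read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER exponent")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

# --- weak-key check ---------------------------------------------------------

def fingerprint(modulus):
    """Assumed convention for this example: last 20 hex chars of SHA-1 over the
    uppercase hex modulus. Not the real openssl-blacklist format."""
    return hashlib.sha1(format(modulus, "X").encode("ascii")).hexdigest()[-20:]

# Constructed "weak" moduli standing in for keys made by the broken PRNG.
WEAK_MODULI = [0xC0FFEE0123456789ABCDEF, 0xDEADBEEFCAFEF00D]
BLACKLIST = {fingerprint(m) for m in WEAK_MODULI}

# Constructed registry: package -> key locations, plus a regeneration hint.
REGISTRY = {
    "example-daemon": ["/etc/example-daemon/host.key"],
    "example-web": ["/etc/example-web/server.key"],
}
REGEN_HINT = {
    "example-daemon": "remove the key and rerun the package's key generation step",
    "example-web": "remove the key and rerun the package's key generation step",
}

def scan(registry, blacklist, read_key):
    """Check every registered key; return a list of findings.
    read_key(path) -> DER bytes is injected so the scan can run on in-memory
    sample keys or on real files (lambda p: open(p, 'rb').read())."""
    findings = []
    for package, paths in registry.items():
        for path in paths:
            n, _e = parse_rsa_public_key(read_key(path))
            fp = fingerprint(n)
            findings.append({"package": package, "path": path,
                             "fingerprint": fp, "weak": fp in blacklist})
    return findings

def report(findings, hints):
    """Render the warnings a postinst or helper could print to the admin."""
    return [f"WARNING: {f['path']} ({f['package']}) matches the weak-key "
            f"blacklist; {hints.get(f['package'], 'regenerate it')}"
            for f in findings if f["weak"]]

# Constructed sample keys: one with a blacklisted modulus, one fine.
SAMPLE_KEYS = {
    "/etc/example-daemon/host.key": build_rsa_public_key(WEAK_MODULI[0], 65537),
    "/etc/example-web/server.key": build_rsa_public_key(0x1234567890ABCDEF0123, 65537),
}

if __name__ == "__main__":
    for line in report(scan(REGISTRY, BLACKLIST, SAMPLE_KEYS.__getitem__), REGEN_HINT):
        print(line)
```

The `read_key` callable is the seam that lets the same scan run from a postinst against real paths or from a test against embedded keys; the blacklist stays a plain set so it can be shipped as data and updated independently of the packages that register their key locations.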

