Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
OoO In the early afternoon of a cloudy Tuesday, 13 May 2008, around 14:06,
Florian Weimer <fw@deneb.enyo.de> said:
> Package : openssl
> Vulnerability : predictable random number generator
Some other random questions:
- It seems that firefox does not handle CRLs unless they are manually imported,
correct? This means that in most cases already issued certificates
are still vulnerable even when revoked. A quick look seems to show that
most software does not handle CRLs at all.
- As the maintainer of a package that has generated certificates using
OpenSSL, how should we handle the issue?
For the last question, I see several solutions:
- the user has to read the DSA and handle it himself
- a helper package will be provided and each package should register
key locations (in a bug report against the package, for example);
those keys will be checked and the user will be warned about weak
keys. Moreover, each package will generate a short help message
explaining how to regenerate keys. This helper package will be
shipped in security and uploaded with a libssl depending on it
- the helper package can also be used directly by the package, which
should call some magic function in postinst; the bad news with this
approach is that we would have to upload a security release for each
impacted package.
Any thoughts?
--
panic("IRQ, you lose...");
2.2.16 /usr/src/linux/arch/mips/sgi/kernel/indy_int.c
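To make the second option concrete, here is an added example (not code from this thread, from Debian, or from the openssl-blacklist tooling) of what the proposed helper's "check registered keys and warn" step could look like. It parses PKCS#1 "RSA PUBLIC KEY" PEM files, fingerprints the modulus, and looks the fingerprint up in a blocklist of known-weak keys. The fingerprint scheme (SHA-1 over the uppercase hex modulus), the key paths, the toy moduli, and the blocklist are all constructed for the example and are not the real Debian format or real weak keys.

```python
import base64
import hashlib
import re

# --- minimal DER encode/decode for PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e } ---

def _der_length(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_integer(value):
    """Encode a non-negative INTEGER; prepend 0x00 if the high bit is set."""
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_length(len(b)) + b

def _read_tlv(buf, pos):
    """Read one tag-length-value triple; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def make_rsa_public_key_pem(n, e):
    """Build a PKCS#1 'RSA PUBLIC KEY' PEM (used here only to construct sample input)."""
    body = _der_integer(n) + _der_integer(e)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PUBLIC KEY-----\n")

def modulus_from_pem(pem):
    """Extract the RSA modulus n from a PKCS#1 'RSA PUBLIC KEY' PEM."""
    m = re.search(r"-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PUBLIC KEY PEM")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big")

# --- weak-key lookup (fingerprint scheme is an assumption for this example) ---

def modulus_fingerprint(n):
    """SHA-1 over the uppercase hex modulus; assumed format, not Debian's."""
    return hashlib.sha1(format(n, "X").encode()).hexdigest()

def check_keys(registered_keys, blocklist):
    """registered_keys: {path: pem}. Returns {path: (fingerprint, is_weak)}."""
    report = {}
    for path, pem in registered_keys.items():
        fp = modulus_fingerprint(modulus_from_pem(pem))
        report[path] = (fp, fp in blocklist)
    return report

def weak_key_warnings(report):
    """Per-package warning text, as the helper would print from postinst."""
    return [f"WARNING: {path} was generated with a weak PRNG; regenerate it"
            for path, (_fp, weak) in report.items() if weak]

# Constructed sample data: toy moduli, not real keys. In practice the blocklist
# ships with the helper package and the paths come from each package's bug report.
WEAK_N = 3233          # constructed "known weak" modulus
GOOD_N = 0x9A3D7F21B5  # constructed modulus not on the blocklist
BLOCKLIST = {modulus_fingerprint(WEAK_N)}
REGISTERED_KEYS = {
    "/etc/example-pkg/weak.pub": make_rsa_public_key_pem(WEAK_N, 17),
    "/etc/example-pkg/good.pub": make_rsa_public_key_pem(GOOD_N, 65537),
}

if __name__ == "__main__":
    for line in weak_key_warnings(check_keys(REGISTERED_KEYS, BLOCKLIST)):
        print(line)
```

The parser deliberately accepts only the PKCS#1 form and refuses anything else rather than guessing, so a mis-registered path fails loudly instead of silently passing the check.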