Preliminary statement on OpenSSL signature verification API misuse (CVE-2008-5077)

To: debian-security@lists.debian.org
Subject: Preliminary statement on OpenSSL signature verification API misuse (CVE-2008-5077)
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 08 Jan 2009 10:47:26 +0100
Message-id: <[🔎] 873afudt8x.fsf@mid.deneb.enyo.de>

We are delaying the OpenSSL update because we want to make sure that
we only have to release one update, and not two or more.  There are
some open questions surrounding the various advisories.  As you might
have noticed, the published information is somewhat inconsistent.

Regarding the impact, note that the advisory from OpenSSL

  <http://openssl.org/news/secadv_20090107.txt>

explicitly states that verification of client certificates on the
server side is not affected.  On the client side, some Debian packages
do not use OpenSSL for their TLS support (notably Iceweasel).
KDE/Konqueror and wget appear to be affected by this issue, though.

Several parties have verified that OpenSSH uses the relevant OpenSSL
API correctly, even when using DSA keys.

Reply to:

Prev by Date: Re: Scalable Debian vulnerability tracking [REDUX]
Next by Date: Freeze exceptions for iceape/iceweasel/xulrunner?
Previous by thread: suscribe
Next by thread: Freeze exceptions for iceape/iceweasel/xulrunner?
Index(es):
- Date
- Thread