Re: CVE-2009-3555 not addressed in OpenSSL

To: debian-security@lists.debian.org
Subject: Re: CVE-2009-3555 not addressed in OpenSSL
From: Marsh Ray <marsh@extendedsubset.com>
Date: Tue, 28 Sep 2010 15:04:04 -0500
Message-id: <[🔎] 4CA24A34.5000003@extendedsubset.com>
In-reply-to: <[🔎] 87sk0z37qt.fsf@mocca.josefsson.org>
References: <[🔎] 4C9B95A7.9080800@extendedsubset.com> <[🔎] 87sk0z37qt.fsf@mocca.josefsson.org>

On 09/24/2010 02:45 AM, Simon Josefsson wrote:

Marsh Ray<marsh@extendedsubset.com>  writes:

As a long-term Debian user myself, I appeal to Debian's sense of
enlightened self-interest and urge that RFC 5746 support be backported
to stable.


FWIW, the latest stable GnuTLS version with RFC 5746 support is not even
in testing, so it won't be part of even the next stable.  It may be too
late for that in the release cycle though...

But that's a choice made by Debian. Call it release policy, procedure,or whatever, Debian cannot use the existence of its own bureaucracy as ajustification for wrong action (or inaction).

As you certainly know Simon, great effort has been expended by manypeople over the course of the last year to develop and deployindustry-wide a backwards-compatible protocol fix in record time. Tothis end, minor version updates and source patches to all majoropen-source implementations were provided to library users and distros.Under these circumstances, I contend that it is wrong for Debian towithhold these security fixes from its installed base.

Web browsers are now warning users about unpatched servers. Serveradmins who run Debian are left without a packaged solution.Consequently, their users are unable to configure their clientapplications to strict (more secure) mode and client applications mustship with the less secure default settings.


These facts remain:

Opera has implemented the correct fix for this security bug,
Microsoft has implemented the correct fix for this security bug,
Mozilla has implemented the correct fix for this security bug,
OpenSSL has implemented the correct fix for this security bug,
IBM Java has implemented the correct fix for this security bug,
GNUTLS has implemented the correct fix for this security bug,
Google has implemented the correct fix for this security bug,
RedHat has implemented the correct fix for this security bug,
Ubuntu has implemented the correct fix for this security bug,
...yet...
Debian has not implemented the correct fix for this security bug.

- Marsh

Reply to:

Follow-Ups:
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Jordon Bedwell <jordon@envygeeks.com>
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>

References:
- Re: Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Marsh Ray <marsh@extendedsubset.com>
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Next by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Previous by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Next by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Index(es):
- Date
- Thread