Re: CVE-2009-3555 not addressed in OpenSSL

To: debian-security@lists.debian.org
Subject: Re: CVE-2009-3555 not addressed in OpenSSL
From: Jordon Bedwell <jordon@envygeeks.com>
Date: Tue, 28 Sep 2010 17:58:02 -0500
Message-id: <[🔎] 4CA272FA.2060606@envygeeks.com>
In-reply-to: <[🔎] 4CA24A34.5000003@extendedsubset.com>
References: <[🔎] 4C9B95A7.9080800@extendedsubset.com> <[🔎] 87sk0z37qt.fsf@mocca.josefsson.org> <[🔎] 4CA24A34.5000003@extendedsubset.com>

On 09/28/2010 03:04 PM, Marsh Ray wrote:

On 09/24/2010 02:45 AM, Simon Josefsson wrote:
But that's a choice made by Debian. Call it release policy, procedure,
or whatever, Debian cannot use the existence of its own bureaucracy as a
justification for wrong action (or inaction).

Microsoft has implemented the correct fix for this security bug,
Debian has not implemented the correct fix for this security bug.

It intrigues me to know that even with a new stable coming soon we stillwon't see a proper fix. With patches being available to vendors for solong I'm starting to wonder why it wasn't on the to-do list from thestart as a /possible/ rerun and *must* fix on Squeeze.

Reply to:

Follow-Ups:
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Re: Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Marsh Ray <marsh@extendedsubset.com>
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Simon Josefsson <simon@josefsson.org>
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Marsh Ray <marsh@extendedsubset.com>

Prev by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Next by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Previous by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Next by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Index(es):
- Date
- Thread