Re: CVE-2009-3555 not addressed in OpenSSL
Yves-Alexis Perez <email@example.com> writes:
> On mar., 2010-09-28 at 17:58 -0500, Jordon Bedwell wrote:
>> On 09/28/2010 03:04 PM, Marsh Ray wrote:
>> > On 09/24/2010 02:45 AM, Simon Josefsson wrote:
>> > But that's a choice made by Debian. Call it release policy, procedure,
>> > or whatever, Debian cannot use the existence of its own bureaucracy as a
>> > justification for wrong action (or inaction).
>> > Microsoft has implemented the correct fix for this security bug,
>> > Debian has not implemented the correct fix for this security bug.
>> It intrigues me to know that even with a new stable coming soon we still
>> won't see a proper fix. With patches being available to vendors for so
>> long I'm starting to wonder why it wasn't on the to-do list from the
>> start as a /possible/ rerun and *must* fix on Squeeze.
> Well, who uses gnuTLS as the server anyway?
Exim uses GnuTLS, and at least in lenny it was the default MTA.
However I looked at how Exim uses GnuTLS a long time ago, and it is not
directly vulnerable. Almost all servers that were using GnuTLS was not
vulnerable, because of how GnuTLS handles renegotiation. However by not
supporting the new TLS extension, clients have no way of knowing whether
the server is insecure or not. That is a problem, but it is borderline
between a security problem and an interoperability problem.