
Re: CVE-2009-3555 not addressed in OpenSSL



On Tue, 28 Sep 2010 15:04:04 -0500, Marsh Ray wrote:
> On 09/24/2010 02:45 AM, Simon Josefsson wrote:
> > Marsh Ray<marsh@extendedsubset.com>  writes:
> >
> >> As a long-term Debian user myself, I appeal to Debian's sense of
> >> enlightened self-interest and urge that RFC 5746 support be backported
> >> to stable.
> >
> > FWIW, the latest stable GnuTLS version with RFC 5746 support is not even
> > in testing, so it won't be part of even the next stable.  It may be too
> > late for that in the release cycle though...
> 
> But that's a choice made by Debian. Call it release policy, procedure, 
> or whatever, Debian cannot use the existence of its own bureaucracy as a 
> justification for wrong action (or inaction).
> 
> As you certainly know Simon, great effort has been expended by many 
> people over the course of the last year to develop and deploy 
> industry-wide a backwards-compatible protocol fix in record time. To 
> this end, minor version updates and source patches to all major 
> open-source implementations were provided to library users and distros. 
> Under these circumstances, I contend that it is wrong for Debian to 
> withhold these security fixes from its installed base.
> 
> Web browsers are now warning users about unpatched servers. Server 
> admins who run Debian are left without a packaged solution. 
> Consequently, their users are unable to configure their client 
> applications to strict (more secure) mode and client applications must 
> ship with the less secure default settings.
> 
> These facts remain:
> 
> Opera has implemented the correct fix for this security bug,
> Microsoft has implemented the correct fix for this security bug,
> Mozilla has implemented the correct fix for this security bug,
> OpenSSL has implemented the correct fix for this security bug,
> IBM Java has implemented the correct fix for this security bug,
> GNUTLS has implemented the correct fix for this security bug,
> Google has implemented the correct fix for this security bug,
> RedHat has implemented the correct fix for this security bug,
> Ubuntu has implemented the correct fix for this security bug,
> ...yet...
> Debian has not implemented the correct fix for this security bug.

Debian, being a volunteer organization, has its upsides and
downsides.  The downside here being that without an active volunteer
interested in this problem, nothing has happened.

What is needed here is someone to step up to the plate: file some bugs;
try to find the patches; backport and test them; etc.  Bottom line,
a little work and communication with maintainers of the affected
packages would go a long way toward resolving this.

Best wishes,
Mike

