Re: CVE-2009-3555 not addressed in OpenSSL

[Jordon Bedwell <jordon@envygeeks.com>]

On 09/29/2010 03:52 PM, Michael Gilbert wrote:
> On Tue, 28 Sep 2010 15:04:04 -0500, Marsh Ray wrote:
> > On 09/24/2010 02:45 AM, Simon Josefsson wrote:
> > > Marsh Ray<marsh@extendedsubset.com>   writes:
> > >
> > > > As a long-term Debian user myself, I appeal to Debian's sense of
> > > > enlightened self-interest and urge that RFC 5746 support be backported
> > > > to stable.
> > >
> > > FWIW, the latest stable GnuTLS version with RFC 5746 support is not even
> > > in testing, so it won't be part of even the next stable.  It may be too
> > > late for that in the release cycle though...
> >
> > But that's a choice made by Debian. Call it release policy, procedure,
> > or whatever, Debian cannot use the existence of its own bureaucracy as a
> > justification for wrong action (or inaction).
> >
> > As you certainly know Simon, great effort has been expended by many
> > people over the course of the last year to develop and deploy
> > industry-wide a backwards-compatible protocol fix in record time. To
> > this end, minor version updates and source patches to all major
> > open-source implementations were provided to library users and distros.
> > Under these circumstances, I contend that it is wrong for Debian to
> > withhold these security fixes from its installed base.
> >
> > Web browsers are now warning users about unpatched servers. Server
> > admins who run Debian are left without a packaged solution.
> > Consequently, their users are unable to configure their client
> > applications to strict (more secure) mode and client applications must
> > ship with the less secure default settings.
> >
> > These facts remain:
> >
> > Opera has implemented the correct fix for this security bug,
> > Microsoft has implemented the correct fix for this security bug,
> > Mozilla has implemented the correct fix for this security bug,
> > OpenSSL has implemented the correct fix for this security bug,
> > IBM Java has implemented the correct fix for this security bug,
> > GNUTLS has implemented the correct fix for this security bug,
> > Google has implemented the correct fix for this security bug,
> > RedHat has implemented the correct fix for this security bug,
> > Ubuntu has implemented the correct fix for this security bug,
> > ...yet...
> > Debian has not implemented the correct fix for this security bug.
>
> Debian, being a volunteer organization, has it's upsides and
> downsides.  The downside here being without an active volunteer
> interested in this problem, nothing has happened.
>
> What is needed here is someone to step up to the plate: file some bugs;
> try to find the patches; backport and test them; etc.  Bottom line,
> a little work and communication with maintainers of the affected
> packages would go a long way toward resolving this.
>
> Best wishes,
> Mike

There is a bug against openssl and mod_ssl for apache already they 
simply just block renegotiation (unless they did a better patch later 
that I don't recall seeing) and one was challenged (if I remember right 
openssl) because it was missing something. Personally I had assumed 
Debian of all people would be on  the ball with this so I never double 
backed to check and see if they patched it properly but I remember 
everything just being block block block and not fix fix fix for real.