Re: CVE-2009-3555 not addressed in OpenSSL
On Wed, 29 Sep 2010 14:13:37 -0700, Kyle Bader wrote:
> > Debian, being a volunteer organization, has its upsides and
> > downsides. The downside here being without an active volunteer
> > interested in this problem, nothing has happened.
> >
> > What is needed here is someone to step up to the plate: file some bugs;
> > try to find the patches; backport and test them; etc. Bottom line,
> > a little work and communication with maintainers of the affected
> > packages would go a long way toward resolving this.
>
> That was my initial goal in initiating this conversation. I provided
> a link to the patches already:
>
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34
>
> I installed the jaunty package on my lenny machines and the ff error
> console warning is gone:
>
> https://debian-lenny.badercom.net/
>
> It appears to work but whenever a package as critical as openssl is
> modified it's important to have upstream take a look to make sure
> everything looks good. Ubuntu may or may not have done this, I
> haven't done the leg work to figure that out but it looks like that
> could be the next step. If I/we/whoever can verify this or gain the
> blessing of upstream would you consider updating the package Kurt if I
> also coordinate this with the Debian apache and nginx packagers?
I could have sworn that renegotiation in lenny's openssl was disabled.
But according to the changelog, that looks to not be the case [0].
Based on that, I agree that a DSA should be issued.
Mike
[0] http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8g-15+lenny8/changelog
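The question the thread keeps circling is whether the server-side OpenSSL signals RFC 5746 secure renegotiation, which is the fix for CVE-2009-3555 and the thing the Firefox error-console warning complains about when it is absent. As an added example that is not part of this thread, the following Python builds a ClientHello that advertises the renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite, then checks a ServerHello for the extension. The two sample ServerHellos are constructed inline so the check runs offline; the `probe` helper, the host name, and the cipher suite choices are assumptions made for the example, not anything the Debian or Ubuntu packages ship.

```python
"""Offline check for RFC 5746 renegotiation_info signaling in a TLS ServerHello."""
import socket
import struct

RENEGOTIATION_INFO = 0xFF01       # extension type registered by RFC 5746
EMPTY_RENEG_INFO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value


def build_client_hello(host):
    """Return a TLS 1.0 ClientHello record carrying an empty renegotiation_info
    extension, the SCSV, and an SNI extension for `host`."""
    client_random = b"\x00" * 32  # fixed for reproducibility; use os.urandom(32) in practice
    # Cipher suites are an illustrative choice: AES128-SHA, AES256-SHA, plus the SCSV.
    ciphers = struct.pack("!HHH", 0x002F, 0x0035, EMPTY_RENEG_INFO_SCSV)
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name      # ServerNameList
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni                   # server_name
            + struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0))             # empty renegotiated_connection
    body = (b"\x03\x01" + client_random + b"\x00"                        # version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                                # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_hello_has_reneg_info(record):
    """True if the handshake record is a ServerHello carrying renegotiation_info,
    False if it is a ServerHello without it (a pre-RFC 5746 server).
    Raises ValueError for anything that is not a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + body[pos]               # session_id
    pos += 2 + 1                       # cipher_suite, compression_method
    if pos >= len(body):
        return False                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == RENEGOTIATION_INFO:
            return True
        pos += elen
    return False


def _constructed_server_hello(extensions):
    """Constructed sample ServerHello (AES128-SHA, null compression) for offline tests."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


PATCHED_SERVER_HELLO = _constructed_server_hello(struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0))
UNPATCHED_SERVER_HELLO = _constructed_server_hello(None)


def probe(host, port=443, timeout=5):
    """Live check (assumed helper): send the ClientHello and inspect the first
    record the server returns. Network access is required; not used by the tests."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = b""
        while len(data) < 5:
            data += s.recv(4096)
        need = 5 + struct.unpack("!H", data[3:5])[0]
        while len(data) < need:
            data += s.recv(4096)
        return server_hello_has_reneg_info(data[:need])


if __name__ == "__main__":
    print("patched sample  :", server_hello_has_reneg_info(PATCHED_SERVER_HELLO))
    print("unpatched sample:", server_hello_has_reneg_info(UNPATCHED_SERVER_HELLO))
```

A server whose ServerHello lacks the extension (and does not abort on the SCSV) is the case the Firefox warning flags: it may still allow the old, unauthenticated renegotiation. Seeing the extension only shows the server implements RFC 5746 signaling; whether it also refuses legacy renegotiation is a separate configuration question.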