Re: CVE-2009-3555 not addressed in OpenSSL

To: Florian Weimer <fw@deneb.enyo.de>
Cc: Marsh Ray <marsh@extendedsubset.com>, debian-security@lists.debian.org
Subject: Re: CVE-2009-3555 not addressed in OpenSSL
From: Simon Josefsson <simon@josefsson.org>
Date: Thu, 21 Oct 2010 13:40:51 +0200
Message-id: <[🔎] 87pqv3g4e4.fsf@mocca.josefsson.org>
In-reply-to: <[🔎] 87bp6odnwf.fsf@mid.deneb.enyo.de> (Florian Weimer's message of "Thu, 21 Oct 2010 09:07:44 +0200")
References: <4C9B95A7.9080800@extendedsubset.com> <87sk0z37qt.fsf@mocca.josefsson.org> <[🔎] 87bp6odnwf.fsf@mid.deneb.enyo.de>

Florian Weimer <fw@deneb.enyo.de> writes:

> * Simon Josefsson:
>
>> FWIW, the latest stable GnuTLS version with RFC 5746 support is not
>> even in testing, so it won't be part of even the next stable.
>
> What would be required to get a backport of RFC 5746 support into the
> current stable (considering that we do not want to incorporate too
> many unrelated changes)?

Someone to move the changes from the 2.10.x branch back on to 2.8.x, and
to make sure it is working properly.  There are self tests to check that
a backport is working:

http://git.savannah.gnu.org/cgit/gnutls.git/tree/tests/safe-renegotiation

The new API to query whether the extension is negotiated or not is also
needed, but that shouldn't cause any problems as far as I can see.  A
binary using the new API wouldn't work with the original gnutls in
stable, though, but I think that is an acceptable price?

/Simon

Reply to:

Follow-Ups:
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Marsh Ray <marsh@extendedsubset.com>

References:
- Re: CVE-2009-3555 not addressed in OpenSSL
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Next by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Previous by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Next by thread: Re: CVE-2009-3555 not addressed in OpenSSL
Index(es):
- Date
- Thread