Re: CVE-2009-3555 not addressed in OpenSSL
- To: Kyle Bader <kyle.bader@gmail.com>
- Cc: debian-security@lists.debian.org
- Subject: Re: CVE-2009-3555 not addressed in OpenSSL
- From: Kurt Roeckx <kurt@roeckx.be>
- Date: Thu, 11 Nov 2010 19:43:33 +0100
- Message-id: <20101111184333.GA31740@roeckx.be>
- In-reply-to: <20100930222631.GA3233@roeckx.be>
- References: <4C9B95A7.9080800@extendedsubset.com> <87sk0z37qt.fsf@mocca.josefsson.org> <4CA24A34.5000003@extendedsubset.com> <20100929165222.34d3e611.michael.s.gilbert@gmail.com> <AANLkTikisdrZ91BoVR2_EEBmHONYK+15PRAfbeuN17qC@mail.gmail.com> <20100930222631.GA3233@roeckx.be>
On Fri, Oct 01, 2010 at 12:26:31AM +0200, Kurt Roeckx wrote:
> On Wed, Sep 29, 2010 at 02:13:37PM -0700, Kyle Bader wrote:
> > > Debian, being a volunteer organization, has its upsides and
> > > downsides. The downside here being without an active volunteer
> > > interested in this problem, nothing has happened.
> > >
> > > What is needed here is someone to step up to the plate: file some bugs;
> > > try to find the patches; backport and test them; etc. Bottom line,
> > > a little work and communication with maintainers of the affected
> > > packages would go a long way toward resolving this.
> >
> > That was my initial goal in initiating this conversation. I provided
> > a link to the patches already:
> >
> > http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34
>
> I seem to have missed that part in your original mail, and was not
> aware of anybody that tried to backport the changes.
So I've prepared a package based on the ubuntu patch. I also went
over every commit between the 0.9.8l and 0.9.8m release and am
reasonably confident this patch should work properly.
The current package is available at:
http://people.debian.org/~kroeckx/openssl/rfc5746/
I would welcome people testing it. Note that it might still
change based on feedback from people.
Kurt
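For anyone taking up the request to test the package: the fix for CVE-2009-3555 is the RFC 5746 renegotiation_info extension, and the quickest external check is whether `openssl s_client` reports "Secure Renegotiation IS supported" after the handshake. The script below is an added example, not code from the mail or from the package at the URL above. It assumes the client-side openssl is itself new enough to print that line (0.9.8m or later; an older client prints nothing, which the script reports as "unknown" rather than as a failure) and that `-servername` is accepted (SNI support, an assumption about the client build). The sample s_client transcripts used for the self-test are constructed, not captured output.

```shell
#!/bin/sh
# Added example: classify RFC 5746 secure-renegotiation support from
# "openssl s_client" output, and run the check against a live endpoint.

# Read an s_client transcript from stdin and print one word:
#   secure   -> server negotiated the renegotiation_info extension
#   insecure -> handshake completed without it (CVE-2009-3555 exposure)
#   unknown  -> line absent (e.g. client too old to print it, or no handshake)
# Exit status is 0 / 1 / 2 respectively.
classify_reneg() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure; return 1 ;;
        *"Secure Renegotiation IS supported"*)     echo secure;   return 0 ;;
        *)                                         echo unknown;  return 2 ;;
    esac
}

# Connect to $1:$2 (port defaults to 443), send SNI, and classify.
# Hypothetical helper; "Q" on stdin tells s_client to close cleanly.
check_host() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | classify_reneg
}

# Constructed transcripts (trimmed to the relevant lines) for offline use.
SAMPLE_SECURE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_INSECURE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

SAMPLE_UNKNOWN='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE'

# Usage: sh reneg-check.sh example.org 443
if [ $# -ge 1 ]; then
    check_host "$1" "$2"
fi
```

A patched 0.9.8 server built from the package should show "secure" here; an unpatched 0.9.8l server, which simply refuses renegotiation, still shows "insecure" because it sends no renegotiation_info extension, so this check distinguishes the real RFC 5746 backport from the earlier stopgap.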