
Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?



* Jeremie Marguerie <jeremie@marguerie.org> [140409 15:28]:
> Yes the private keys can be compromised, but the perfect secrecy
> should ensure that unless someone was doing an active MITM and had the
> private key, the communications were safe.

As the communication was part of the data transported with the ssl
library, those communications might have also been read via the
vulnerability in question.

The only thing PFS gives you is that someone recording the encrypted
traffic (i.e. being able to control some router between you and that
host) and getting the private key (e.g. via this vulnerability) would
not be able to decrypt this data (unless of course there is weak randomness
on one of the two sides, in which case PFS as implemented in SSL
does not even need you to get the private key).

While the vulnerability means that anyone could have read data running
over this server by just being able to open a tcp connection there,
without any wiretapping, man in the middle or anything else special.

	Bernhard R. Link
-- 
F8AC 04D5 0B9B 064B 3383  C3DA AFFC 96D1 151D FFDC

