
Bug#482023: new generated keys are vulnerable



Florian Weimer wrote:
> * Uwe Kleine-König:
> 
> > The problem is that my system has a libssl from testing
> > (i.e. 0.9.8g-8).
> 
> Yeah, there isn't a good way to deal with that, especially as soon as
> backports and locally built packages are involved.
> 
> debsecan and the security tracker try to deal with this, but they can't
> handle backports, either (but they tend to give false positives in that
> case).
> 
> > Maybe openssh-server should conflict with the vulnerable versions of
> > libssl?
> 
> The list is pretty long, so this is hardly feasible.
OK.

> > Or the newly generated keys should be checked resulting in a warning
> > if they are still vulnerable.
> 
> That's probably a good idea.
> 
> > A fixed libssl version for testing-proposed-updated would be
> > great, too.  (But this is OT for this report.)
> 
> testing has received the fixed version on 2008-05-11.  There's no need
> to involve testing-proposed-updates.
You're right.  I saw that I got a new openssl after I installed the
security updates and already thought that this part of my report is
obsolete.  As usual that happened after sending the report :-(

Best regards
Uwe

-- 
Uwe Kleine-König, Software Engineer
Digi International GmbH Branch Breisach, Küferstrasse 8, 79206 Breisach, Germany
Tax: 315/5781/0242 / VAT: DE153662976 / Reg. Amtsgericht Dortmund HRB 13962
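The check proposed in the message above (warn when a freshly generated key is still one of the weak ones) amounts to fingerprinting the new public key and looking it up in a blacklist of known-weak fingerprints, the same shape Debian's later ssh-vulnkey tool took. The following is an added example, not code from this bug report or from the openssh or openssl packages; the blacklist contents, the dummy RSA moduli and the function names are constructed for illustration, and a real blacklist would be the distribution-supplied list of fingerprints of every key the broken generator could produce.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_pubkey_line(n: int, e: int = 65537, comment: str = "test") -> str:
    """Build an OpenSSH 'ssh-rsa' public-key line from (n, e).

    The moduli used in this example are constructed dummies, not real RSA
    keys; the blacklist check depends only on the encoded key blob.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Hex SHA-1 over the decoded key blob of an OpenSSH public-key line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    try:
        # validate=True makes b64decode raise (a ValueError subclass) on junk input
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:
        raise ValueError("malformed key blob") from exc
    return hashlib.sha1(blob).hexdigest()


# Constructed stand-in for the distribution-provided blacklist: the set of
# fingerprints of keys the broken PRNG could have produced. Here it holds
# one dummy "weak" key so the check has something to match.
_WEAK_KEY = make_rsa_pubkey_line(n=0xC0FFEE_0BAD_F00D_1234_5678_9ABC_DEF0, comment="weak")
BLACKLIST = frozenset({fingerprint(_WEAK_KEY)})


def is_blacklisted(pubkey_line: str, blacklist=BLACKLIST) -> bool:
    """True if the key's fingerprint appears in the weak-key blacklist."""
    return fingerprint(pubkey_line) in blacklist


def check_new_key(pubkey_line: str, blacklist=BLACKLIST):
    """Post-generation check: return a warning string, or None if the key is not listed."""
    fp = fingerprint(pubkey_line)
    if fp in blacklist:
        return (f"WARNING: key {fp[:16]}... is in the weak-key blacklist; "
                "regenerate it after upgrading libssl")
    return None


if __name__ == "__main__":
    good = make_rsa_pubkey_line(n=0xD1D1_1234_5678_9ABC_DEF0_0123_4567_89AB, comment="good")
    for line in (_WEAK_KEY, good):
        print(line.split()[2], check_new_key(line) or "OK")
```

Hooking `check_new_key` into the step that generates host keys at package install time gives exactly the warning discussed in the thread: the key file is still written, but the administrator is told it matches a blacklisted fingerprint and must be replaced once a fixed libssl is installed.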


