
Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator



On 13.05.2008 at 21:47, Jan Luehr wrote:

> Is this statement here (http://www.links.org/?p=327) correct as far as it goes?
> »Two years ago, they “fixed” a “problem” in OpenSSL reported by valgrind[1] by 
> removing any possibility of adding any entropy to OpenSSL’s pool of 
> randomness[2]. «

That is correct, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516.

> it goes on to say
> »Firstly, vendors should not be fixing problems (or, really, anything) in open 
> source packages by patching them locally - they should contribute their 
> patches upstream to the package maintainers. Had Debian done this in this 
> case, we (the OpenSSL Team) would have fallen about laughing, and once we had 
> got our breath back, told them what a terrible idea this was. But no, it 
> seems that every vendor wants to “add value” by getting in between the user 
> of the software and its author.«

That is not correct as stated, because the Debian maintainer asked beforehand on the openssl-dev
mailing list:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2.

The replies were by no means laughter, as far as I can see.

Sven

