
Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

Nifty, been a while since I used the LD_PRELOAD trick myself.

This whole thing has been bothering me over the last couple days.  Why
are so few people having this issue?  18 or so posts on this, only 3
or so of us have done anything about this.  I backed out libssl (and
pinned it).  Reco makes an LD_PRELOAD hack.  Sven recompiles OpenSSL
with patch removed.

Did this or will this patch get into Stretch Stable yet as a security
patch?  If yes, then won't there be hundreds if not thousands of
people screaming about this?

I am wondering why it's so few of us who seem to be affected?  I
suspect it's because 1) we're running Debian Testing and most of the
Debian world runs Stable, 2) more and more people are turning to gmail
and outlook.com instead of running their own mail servers and 3) the
few remaining people who do go to the trouble of using Debian Testing
as a mail server probably wouldn't care that much about getting TLS
set up with imap/pop/smtp working at all.

If this patch won't go to Stretch as a security fix, then the world is
hidden from this until Buster comes out in about 2 years.

But what's going to happen if there is some other security fix which
is needed in Stretch's libssl1.1 (1.1.0f-3)?  Will there be some fork
of this library for Stretch without this patch?  Or will at that time
this patch get swept in with some other future security patch and then
hit the wild with Stretch stable + security patches?

By pinning this library at 1.1.0f-3 on my system, I feel somehow I've
done the wrong thing.  I started to think I should put in Reco's hack
until these Windows 7 and Mac 10.11 users move to more modern releases
or MS and Apple send out patches for their older stuff.  Or maybe I
should follow Stretch (and its security fixes) for only this package
instead of pinning it to this version.

And by the way, this isn't just limited to mail clients.  It's also
affecting MTAs.  I see a large number of mail servers connecting to my
server that only do TLSv1 and TLSv1.1.  When they can't do TLS, I
think they just fall back to SMTP in the clear.  So the problem isn't
obvious to any user and mail in general is just less secure.

In doing some reading about TLS and its problems, there are problems
with TLSv1 and I understand those were fixed in Debian's libssl1.
TLSv1.1 had some problems, but they were more minor, and the move to 1.2
seemed more about enhancing security versus removing some design
flaws.  Clearly the vendors like Microsoft and Apple did not think it
critical to move away from TLSv1 and TLS1.1 and probably patched it
like Debian.  Hence they consider their versions of TLSv1 and TLSv1.1
safe enough.

While I am totally sympathetic to getting the world onto TLSv1.2 and
greater, this seems like a support disaster waiting to happen.

What is the right way for an admin to handle this problem on Debian Testing?
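Before deciding whether to pin, patch or preload, an admin wants to know how many peers would actually lose TLS when TLSv1/1.1 go away. The following is an added example, not code from the poster or from Debian: it parses Postfix-style smtpd "TLS connection established" lines (the post does not name the MTA, so that log format and the sample lines below are assumptions) and lists the peers that never negotiated anything newer than TLSv1.1, i.e. the senders that would likely fall back to cleartext SMTP.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd TLS log format (assumption:
# the original post does not say which MTA is in use).
SAMPLE_LOG = """\
Aug 10 10:01:02 mx postfix/smtpd[1201]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 10 10:02:15 mx postfix/smtpd[1202]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 10 10:03:40 mx postfix/smtpd[1203]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1.1 with cipher AES256-SHA (256/256 bits)
Aug 10 10:04:01 mx postfix/smtpd[1204]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 10 10:05:22 mx postfix/smtpd[1205]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Matches the peer hostname, its address and the negotiated protocol.
TLS_RE = re.compile(
    r"TLS connection established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>TLSv1(?:\.\d)?) with cipher"
)

# Versions that libssl1.1 1.1.0f-4 no longer offers, per the thread.
LEGACY = {"TLSv1", "TLSv1.1"}


def tls_versions_by_peer(log_text):
    """Map each peer hostname to the set of TLS versions it negotiated."""
    peers = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            peers.setdefault(m.group("host"), set()).add(m.group("proto"))
    return peers


def legacy_only_peers(log_text):
    """Peers that only ever negotiated TLSv1/TLSv1.1: these lose TLS
    entirely (and probably fall back to cleartext) once those are disabled."""
    by_peer = tls_versions_by_peer(log_text)
    return sorted(h for h, v in by_peer.items() if v <= LEGACY)


def version_counts(log_text):
    """Count negotiated protocol versions across all logged sessions."""
    return Counter(m.group("proto") for m in TLS_RE.finditer(log_text))


if __name__ == "__main__":
    print(version_counts(SAMPLE_LOG))
    print("legacy-only peers:", legacy_only_peers(SAMPLE_LOG))
```

Run it against a real mail.log to get the peer list before and after a libssl upgrade; a peer that shows up here and then disappears from the TLS lines altogether is the cleartext fallback the post describes.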
