[Pkg-openssl-devel] Re: openssl RSA Signature Forgery (CVE-2006-4339)
Kurt Roeckx
kurt at roeckx.be
Tue Sep 5 20:28:21 UTC 2006
On Tue, Sep 05, 2006 at 09:41:40PM +0200, Kurt Roeckx wrote:
> On Tue, Sep 05, 2006 at 03:07:03PM -0400, Noah Meyerhans wrote:
> > > I will be uploading packages with the patch provided by upstream to
> > > unstable soon.
>
> The libssl postinst has a script to detect packages that are known to
> use libssl and have a daemon, so they can be restarted. I've activated
> the script for upgrades to 0.9.8b-3. Afaik, this will fail with the
> 0.9.7 (and older) versions because the script was broken.
>
> I suggest you just put in your advisory that some daemons need to be
> restarted.
This of course also affects other things that might be affected, like
web browsers (links), IRC clients (xchat, irssi, ...), and a full list
will probably be too much to mention in the advisory. It's a good idea
to restart everything that is linked against libssl/libcrypto.
(libssl and libcrypto are both in the libssl binary package.)
Kurt
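
One way to find what still needs the restart recommended above, as an added example that is not part of the original message or of the libssl postinst script: list processes whose address space still maps a libssl/libcrypto file that the upgrade replaced on disk. It assumes a Linux `/proc`, where such mappings are shown with a ` (deleted)` suffix; the function names and the sample maps content are constructed for illustration.

```python
import os
import re

# Matches libssl/libcrypto shared objects such as /usr/lib/libssl.so.0.9.8
LIB_RE = re.compile(r"/(libssl|libcrypto)\.so[^/\s]*$")
DELETED = " (deleted)"

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
08048000-080b3000 r-xp 00000000 08:01 131 /usr/sbin/exampled
b7c10000-b7d2a000 r-xp 00000000 08:01 4711 /usr/lib/libcrypto.so.0.9.8 (deleted)
b7d2a000-b7d3f000 rw-p 0011a000 08:01 4711 /usr/lib/libcrypto.so.0.9.8 (deleted)
b7d50000-b7d8e000 r-xp 00000000 08:01 4712 /usr/lib/libssl.so.0.9.8 (deleted)
b7e00000-b7f2a000 r-xp 00000000 08:01 222 /lib/libc-2.3.6.so
bfa00000-bfa15000 rw-p 00000000 00:00 0 [stack]
"""

def stale_crypto_maps(maps_text):
    """Return sorted libssl/libcrypto paths that are mapped but replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode pathname
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5].strip()
        if path.endswith(DELETED) and LIB_RE.search(path[:-len(DELETED)]):
            stale.add(path[:-len(DELETED)])
    return sorted(stale)

def scan_proc(proc="/proc"):
    """Map pid -> (process name, stale library paths) for every readable process."""
    results = {}
    if not os.path.isdir(proc):
        return results
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                stale = stale_crypto_maps(fh.read())
            with open(os.path.join(proc, entry, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if stale:
            results[int(entry)] = (name, stale)
    return results

if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(f"{pid}\t{name}\t{', '.join(libs)}")
```

Run it as root after the upgrade so that other users' processes are readable; an empty result means no running process still maps the replaced library files.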