[Pkg-openssl-devel] [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

Kees Cook kees at ubuntu.com
Tue May 20 16:33:34 UTC 2008


Hi Christoph,

On Tue, May 20, 2008 at 05:56:56PM +0200, Christoph Martin wrote:
> Alberto Gonzalez Iniesta wrote:
> > The package is being built by its original author (Jamie) and everything
> > got started when the OpenVPN maintainer (me) decided to add secret/key
> > file validation like the one on the Ubuntu package. Since those
> > validations required open(ssl|vpn)-blacklist packages, I contacted
> > Jamie and Kees from Ubuntu and Debian's Security Team.
> 
> So, you are building openvpn-blacklist and openssl-blacklist for Debian?
> If you are also building openssl-blacklist, please cc all messages about
> it to pkg-openssl-devel at lists.alioth.debian.org, so that we have a
> chance to participate.

Hi!  Yes, I was intending to do an upload -- sorry for the lack of
coordination.  Things have been rather hectic.  Jamie Strandboge has
updates to the scripts and the blacklists (which we are publishing to
Ubuntu stable security updates shortly).

> It would have been nice to hear earlier from you, because I am just in
> the process of building an openssl-blacklist package myself too. I did an
> ITP and wanted to upload the package to unstable soon.
> 
> At the moment it is just the Ubuntu package with the depends and
> maintainer changed. It only includes the 1024 and 2048 RSA keys. The
> goal should be to have eventually a package containing all the
> vulnerable key hashes up to 4096bits and with the variations which come
> in if you are on 32bit or 64bit, little or big endian, if you have .rnd
> or not, etc.

Certainly.  I'd like to split "openssl-blacklist" binary package
(default key sizes) from "openssl-blacklist-extra" (uncommon key sizes),
as has been done in openssh-blacklist.

Is there already a svn for openssl-blacklist?  If I could be added to
that project ('keescook-guest' on alioth) and the Uploaders list, I'd be
happy to help with the package, and help get Jamie's changes into Debian.

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team


