[Pkg-openssl-devel] debian stable and CVE-2009-3555 (TLS Renegotiation flaw): Any recommendation to lenny openssl users?

gmx ralfhauser at gmx.ch
Tue Dec 1 04:35:11 UTC 2009


Hi Stefan,

Thanks for your quick response.
> -----Original Message-----
> From: Stefan Fritsch [mailto:sf at debian.org]
> Sent: Monday, 30 November 2009 23:40
> To: hauser at acm.org
> Cc: pkg-openssl-devel at lists.alioth.debian.org; lamont at debian.org;
> team at security.debian.org
> Subject: Re: [Pkg-openssl-devel] debian stable and CVE-2009-3555 (TLS
> Renegotiation flaw): Any recommendation to lenny openssl users?
> 
> On Monday 30 November 2009, gmx wrote:
> > To whom it may concern,
> >
> > As per
> > http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2009-November/002265.html
> > etc. there appears to be a solution for the TLS Renegotiation problem for
> > "unstable".
> >
> > For example with postfix, the newer openssl only appears to fix the
> > renegotiation problem not to break anything else
> > (http://marc.info/?l=postfix-users&m=125926682723944&w=2).
> >
> > Since this is a serious security issue - my questions:
> > 1) will there be an upgrade soon for openssl?
> The "fix" used in the new openssl version (i.e. completely disabling
> reneg) breaks some applications. At least some complex apache setups,
> tor, and stunnel are affected, but there are probably others.
> Therefore I don't think that backporting that patch to stable is a
> sensible option. We are still hoping that there will be a protocol
> level fix that can be integrated in the ssl libraries.
Rescorla et al. did propose
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
but such an implementation takes months if not years until the majority of
clients are ready to use it too. I hope the security team doesn't just
recommend that Debian stable users leave the hole open for exploitation until
then, in particular those who are not using stunnel, tor, etc. but postfix and
other important infrastructure that can live well with the patch.

I have no problem using a special "apt-get install openssl-reneg-disabled"
that obviously wouldn't be executed by those whose tor or stunnel, etc. would
break...
> 
> > 2) or at least a branch from which we could update our openssl without a
> >  non-apt-get installation?
> >
> > It appears that in other packages, things moved quite quickly:
> > http://lists.debian.org/debian-security-announce/2009/msg00257.html
> >
> > Any hints would be highly appreciated.
> 
> 
> Stefan

Regards

    Ralf
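The thread weighs two mitigations: the OpenSSL patch that simply refuses all renegotiation, and the "protocol level fix" from draft-rescorla-tls-renegotiate, which was later published as RFC 5746. The following is an added example, not code from this thread, from OpenSSL or from Debian: it shows what that protocol fix puts on the wire (the SCSV appended to the ClientHello cipher suites, the renegotiation_info extension, type 0xff01) and the check a patched client performs on the ServerHello to tell a patched server from a legacy one and to detect an injected handshake. The extension type and SCSV value are the ones in RFC 5746; every handshake message below is constructed for the example (zero random, empty session id, no record-layer framing), not captured traffic.

```python
# Added example (not from the mailing-list thread, OpenSSL or Debian): the
# signalling defined by draft-rescorla-tls-renegotiate / RFC 5746 and the
# client-side ServerHello check. Constants are from RFC 5746; all handshake
# bytes are constructed here for illustration, not captured traffic.
import struct

RENEGOTIATION_INFO = 0xFF01     # extension type (RFC 5746 section 3.2)
EMPTY_RENEG_INFO_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (section 3.3)


def build_renegotiation_info(client_verify_data=b"", server_verify_data=b""):
    """Body of renegotiation_info: opaque renegotiated_connection<0..255>.

    Initial handshake: empty (a single 0x00 length byte). On renegotiation the
    client sends its client_verify_data from the previous handshake and the
    server answers with client_verify_data || server_verify_data.
    """
    data = client_verify_data + server_verify_data
    return bytes([len(data)]) + data


def build_extensions(ext_list):
    """Serialize [(type, body), ...] as a TLS Extension list with 2-byte length."""
    body = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in ext_list)
    return struct.pack(">H", len(body)) + body


def parse_extensions(blob):
    """Parse a TLS Extension list into {type: body}; rejects inconsistent lengths."""
    if len(blob) < 2 or struct.unpack(">H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("extensions length does not match data")
    exts, pos = {}, 2
    while pos < len(blob):
        ext_type, ext_len = struct.unpack(">HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension")
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def client_hello_signalling(cipher_suites):
    """What a patched client adds to its initial ClientHello: the SCSV appended
    to the cipher-suite list (for SSLv3 servers that cannot parse extensions)
    plus an empty renegotiation_info extension. Returns (suite_bytes, ext_bytes)."""
    suites = list(cipher_suites) + [EMPTY_RENEG_INFO_SCSV]
    suite_bytes = struct.pack(">H", 2 * len(suites))
    suite_bytes += b"".join(struct.pack(">H", s) for s in suites)
    ext_bytes = build_extensions([(RENEGOTIATION_INFO, build_renegotiation_info())])
    return suite_bytes, ext_bytes


def build_server_hello(cipher_suite, ext_list=()):
    """Constructed TLS 1.0 ServerHello handshake message (for the example only):
    zero random, empty session id, null compression, optional extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    if ext_list:
        body += build_extensions(list(ext_list))
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg):
    """Return (cipher_suite, {ext_type: body}) from a ServerHello handshake message."""
    if not msg or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # server_version, random
    pos += 1 + body[pos]              # session_id<0..32>
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                      # cipher_suite, compression_method
    exts = parse_extensions(body[pos:]) if pos < len(body) else {}
    return cipher_suite, exts


def check_secure_renegotiation(server_hello, client_verify_data=b"", server_verify_data=b""):
    """Client-side RFC 5746 check on a ServerHello.

    "secure":   renegotiation_info present with exactly the expected contents.
    "legacy":   extension absent; the server is unpatched, so the client must
                not renegotiate with it (and may refuse to connect at all).
    "mismatch": contents differ from the verify_data of the previous handshake,
                i.e. an injected handshake; the client must abort with a fatal alert.
    """
    _, exts = parse_server_hello(server_hello)
    if RENEGOTIATION_INFO not in exts:
        return "legacy"
    expected = build_renegotiation_info(client_verify_data, server_verify_data)
    return "secure" if exts[RENEGOTIATION_INFO] == expected else "mismatch"
```

The "legacy" outcome is the case the thread is about: a lenny server without the extension can be told apart from a patched one on the very first handshake, which is how a client can refuse to renegotiate only with unpatched peers instead of disabling renegotiation everywhere, as the interim OpenSSL patch does.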