[Pkg-openssl-devel] debian stable and CVE-2009-3555 (TLS Renegotiation flaw): Any recommendation to lenny openssl users?

Noah Meyerhans noahm at debian.org
Tue Dec 1 05:29:16 UTC 2009


On Tue, Dec 01, 2009 at 05:35:11AM +0100, gmx wrote:
> > > 1) will there be an upgrade soon for openssl?
> > The "fix" used in the new openssl version (i.e. completely disabling
> > reneg) breaks some applications. At least some complex apache setups,
> > tor, and stunnel are affected, but there are probably others.
> > Therefore I don't think that backporting that patch to stable is a
> > sensible option. We are still hoping that there will be a protocol
> > level fix that can be integrated in the ssl libraries.
> Rescorla et al. did propose
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> but such implementation takes months if not years until the majority
> of clients is ready to use that too. I hope the security team doesn't just
> recommend the debian-stable-users to leave the hole open for exploitation
> until then, in particular those who are not using stunnel, tor, etc. but
> postfix and other important infrastructure that can live well with the
> patch?

And some apps (IE6, for example) aren't likely to ever get fixed.
However, these apps are going to break regardless of the fix deployed by
Debian, so we don't need to wait "months if not years" for the fix to be
available everywhere.  The protocol change has already gone to "last
call" in the IETF working group, and code exists to implement the draft
fix in all three major SSL implementations in Debian.  So I don't think
the final fix is as far off as you do.

noah
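The protocol-level fix discussed in this thread (draft-rescorla-tls-renegotiate, later RFC 5746) works by having each side advertise a renegotiation_info extension (type 0xff01) so that a peer can tell a patched implementation from one that still has the CVE-2009-3555 hole. The following parser is an added example, not code from this thread or from OpenSSL: it takes the raw Handshake bytes of a ServerHello (the 5-byte TLS record header is assumed to have been stripped by the caller), extracts the cipher suite and extension list, and reports whether the server signalled secure renegotiation. The `build_server_hello` helper constructs sample messages so the check runs offline.

```python
"""Detect the RFC 5746 renegotiation_info extension in a TLS ServerHello.

Added example, not code from the Debian thread or OpenSSL. Assumes the caller
passes the Handshake message body (record header already removed). Sample
messages are constructed by build_server_hello() for offline use.
"""
import struct

RENEGOTIATION_INFO = 0xFF01                # extension type from RFC 5746
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # client-side signalling cipher suite
HANDSHAKE_SERVER_HELLO = 0x02


def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello into version, cipher_suite and {ext_type: data}.

    Raises ValueError on anything truncated or malformed rather than guessing.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerHello")
    try:
        off = 0
        version = struct.unpack_from("!H", body, off)[0]
        off += 2
        off += 32                                  # server random
        sid_len = body[off]
        off += 1 + sid_len                         # session id
        cipher_suite = struct.unpack_from("!H", body, off)[0]
        off += 2
        off += 1                                   # compression method
        extensions = {}
        if off < len(body):                        # extensions block is optional
            ext_total = struct.unpack_from("!H", body, off)[0]
            off += 2
            end = off + ext_total
            if end != len(body):
                raise ValueError("extensions length mismatch")
            while off < end:
                ext_type, ext_len = struct.unpack_from("!HH", body, off)
                off += 4
                if off + ext_len > end:
                    raise ValueError("truncated extension")
                extensions[ext_type] = body[off:off + ext_len]
                off += ext_len
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ServerHello") from exc
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(msg: bytes) -> bool:
    """True if the server advertised renegotiation_info on the initial handshake.

    On a first handshake the extension body must be exactly one zero byte
    (empty renegotiated_connection); anything else is treated as unsupported.
    """
    ext = parse_server_hello(msg)["extensions"].get(RENEGOTIATION_INFO)
    return ext == b"\x00"


def build_server_hello(secure_reneg: bool, cipher_suite: int = 0x002F) -> bytes:
    """Construct a sample TLS 1.0 ServerHello (constructed test data, not a capture)."""
    body = struct.pack("!H", 0x0301)               # TLS 1.0
    body += bytes(range(32))                       # fixed "random" for reproducibility
    body += b"\x00"                                # empty session id
    body += struct.pack("!H", cipher_suite)        # 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                                # null compression
    if secure_reneg:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for flag in (True, False):
        hello = build_server_hello(flag)
        label = "patched (RFC 5746)" if supports_secure_renegotiation(hello) else "legacy"
        print(label, hex(parse_server_hello(hello)["cipher_suite"]))
```

A server that answers without the extension is one that still depends on the interim "disable renegotiation" workaround or has no fix at all; the same question can be asked of a live host with `openssl s_client -connect host:443`, whose output includes a "Secure Renegotiation IS supported" / "IS NOT supported" line in OpenSSL 0.9.8m and later.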
