[Pkg-openssl-devel] debian stable and CVE-2009-3555 (TLS Renegotiation flaw): Any recommendation to lenny openssl users?

Stefan Fritsch sf at debian.org
Mon Nov 30 22:40:20 UTC 2009


On Monday 30 November 2009, gmx wrote:
> To whom it may concern,
> 
> As per
> http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2009-November/002265.html
> etc. there appears to be a solution for the TLS
> Renegotiation problem for "unstable".
> 
> For example with postfix, the newer openssl only appears to fix the
> renegotiation problem not to break anything else
> (http://marc.info/?l=postfix-users&m=125926682723944&w=2).
> 
> Since this is a serious security issue - my questions:
> 1) will there be an upgrade soon for openssl?

The "fix" used in the new openssl version (i.e. completely disabling 
reneg) breaks some applications. At least some complex apache setups, 
tor, and stunnel are affected, but there are probably others. 
Therefore I don't think that backporting that patch to stable is a 
sensible option. We are still hoping that there will be a protocol 
level fix that can be integrated in the ssl libraries.

> 2) or at least a branch we could update our openssl without a non
> apt-get installation?
> 
> It appears that in other packages, things moved quite quickly:
> http://lists.debian.org/debian-security-announce/2009/msg00257.html
> 
> Any hints would be highly appreciated.


Stefan


