[Pkg-openssl-devel] Bug#684527: Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Kurt Roeckx
kurt at roeckx.be
Fri Aug 10 20:24:54 UTC 2012
On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> Package: openssl
> Version: 0.9.8o-4squeeze13
> Severity: grave
> Tags: security
> Justification: user security hole
>
> openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
This doesn't make any sense at all. This is a bug fixed in 0.9.8a
in 2005.
It only seem to be relavant for the fips version, which we never
had. Unless someone can tell me why you think this affects
anything in Debian, I'm just going to close it.
Kurt
> As far as I can see the problem is gone in 1.0.1c - but I leave this bug
> open for unstable/testing so that it can be doublechecked by someone more
> versed in openssl.
This doesn't make sense at all. You file it against the version
in stable, but the version tracking will say this only affects
stable because the version in testing/unstable is not based on
the version in stable, they split at 0.9.8o-4. If you want to
have this bug affect all versions you should have filed this
against the 0.9.8o-4 version.
Also, everything seems to indicate that 1.0 isn't affected at all.
Kurt
More information about the Pkg-openssl-devel
mailing list