[Pkg-openssl-devel] Bug#747453: Arbitrary key size limitations causing hard-to-diagnose problems when establishing a connection
Kurt Roeckx
kurt at roeckx.be
Fri May 9 06:42:23 UTC 2014
On Fri, May 09, 2014 at 03:32:25AM +0200, Wilfried Klaebe wrote:
> Kurt Roeckx wrote:
> > I don't see how the severity of this is critical.
>
> The severity level "critical" is defined as: "makes unrelated software
> on the system (or the whole system) break, or causes serious data loss,
> or introduces a security hole on systems where you install the package."
> <https://www.debian.org/Bugs/Developer>
Exactly.
> This bug makes unrelated software on the system break (e.g. ejabberd, no
> communication was possible until _both_ sides had the supplied patch
> applied),
ejabberd is not unrelated, since it makes use of openssl. It's also
not so totally broken that it can't be used; communication can be done
under normal conditions.
> and also could introduce security holes, as clients might fall
> back to unencrypted communication.
You can argue that this is a security hole or not. I see no
reason to use such large keys in the first place.
Kurt