[Pkg-openssl-devel] openssl wheezy update

Emilio Pozuelo Monfort pochu at debian.org
Wed Feb 1 23:21:13 UTC 2017


On 01/02/17 00:29, Kurt Roeckx wrote:
> On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
>> Hi Kurt,
>>
>> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have
>> done some smoke testing on it and it seems fine, but I haven't been able to
>> verify the three fixes as I can't find exploits for them (there is mention of
>> one for CVE-2016-8610 in [1] but I can't find the actual file).
>>
>> Do you have any suggestion for how to verify / test the update?
>>
>> Do you want to upload this or should I take care of it?
> 
> Feel free to upload this.
> 
> The usptream version in jessie and wheezy, so the patches should
> just apply.
> 
> I only have a test for the 32 bit crashes. It would require to get
> the fuzzers working in the 1.0.1 version, which should be that
> hard.
> 
> The other would be a cache timing attack, and I really have no
> good way to test that.
> 
> I suggest you just upload it.

Thanks, I have uploaded it.

Cheers,
Emilio



More information about the Pkg-openssl-devel mailing list