Your message dated Tue, 06 Sep 2005 18:29:13 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug only present in woody
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Oct 2003 13:28:36 +0000
>From [EMAIL PROTECTED] Thu Oct 02 08:28:35 2003
Return-path: <[EMAIL PROTECTED]>
Received: from (crown.reflexsecurity.com) [69.15.40.52]
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A53VT-000776-00; Thu, 02 Oct 2003 08:28:35 -0500
Received: from stoli.localnet ([192.168.0.106])
	by crown.reflexsecurity.com with smtp (Exim 3.35 #1 (Debian))
	id 1A53WP-00050f-00; Thu, 02 Oct 2003 09:29:33 -0400
Received: by stoli.localnet (sSMTP sendmail emulation); Thu, 2 Oct 2003 09:28:34 -0400
From: Jason Lunz <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openssl: package revision prevents automatic security upgrade
X-Mailer: reportbug 1.50
Date: Thu, 02 Oct 2003 09:28:34 -0400
Bcc: Jason Lunz <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=-9.2 required=4.0
	tests=BAYES_30,HAS_PACKAGE,QUOTED_EMAIL_TEXT
	version=2.53-bugs.debian.org_2003_10_1
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_10_1 (1.174.2.15-2003-03-30-exp)

Package: openssl
Version: 0.9.6c-2.woody.4
Severity: critical
Tags: security woody
Justification: root security hole

When the last round of openssl security fixes came out, there were
actually two sets of patches made.  DSA-288 had this to say about it:

> Unfortunately, RSA blinding is not thread-safe and will cause failures
> for programs that use threads and OpenSSL such as stunnel.  However,
> since the proposed fix would change the binary interface (ABI),
> programs that are dynamically linked against OpenSSL won't run
> anymore.  This is a dilemma we can't solve.
>
> You will have to decide whether you want the security update which is
> not thread-safe and recompile all applications that apparently fail
> after the upgrade, or fetch the additional source packages at the end
> of this advisory, recompile it and use a thread-safe OpenSSL library
> again, but also recompile all applications that make use of it (such
> as apache-ssl, mod_ssl, ssh etc.).

The "additional source packages" referenced at the end of the DSA were
at http://master.debian.org/~joey/NMU/, but this directory no longer
exists.  Regardless, thread-safe packages made from these sources had
the debian revision -2.woody.4.  This version was re-used with
yesterday's openssl security patch release.

Because our site uses threaded ssl programs, we were using the old
thread-safe woody.4 ssl libraries.  As a result, yesterday's fixed
packages failed to install automatically.

Finally, clarification is still needed on the issue of the thread-safety
of RSA blinding.  I assume that because yesterday's packages remain
compatible with woody, they're not thread-safe.  So what does a site
like mine need to do to have secure woody ssl libraries that can be
used in threaded programs?

Jason

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux stoli 2.4.22 #1 Mon Aug 25 12:26:00 EDT 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages openssl depends on:
ii  libc6          2.2.5-11.5        GNU C Library: Shared libraries an
ii  libssl0.9.6    0.9.6c-2.woody.4  SSL shared libraries
ii  perl           5.6.1-8.3         Larry Wall's Practical Extraction

---------------------------------------
Received: (at 213742-done) by bugs.debian.org; 6 Sep 2005 16:29:25 +0000
>From [EMAIL PROTECTED] Tue Sep 06 09:29:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mailgate1.verwaltung.uni-mainz.de (patty.verwaltung.uni-mainz.de) [134.93.144.165]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1ECgK5-0000xU-00; Tue, 06 Sep 2005 09:29:25 -0700
Received: from charlie.verwaltung.uni-mainz.de ([EMAIL PROTECTED] [134.93.226.11])
	by patty.verwaltung.uni-mainz.de (8.13.4/8.13.4/Debian-3) with ESMTP id j86GTD7U001976
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <[EMAIL PROTECTED]>; Tue, 6 Sep 2005 18:29:13 +0200
Received: from [134.93.226.8] (woodstock.verwaltung.uni-mainz.de [134.93.226.8])
	(authenticated bits=0)
	by charlie.verwaltung.uni-mainz.de (8.13.4/8.13.4/Debian-3) with ESMTP id j86GTDdg015149
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <[EMAIL PROTECTED]>; Tue, 6 Sep 2005 18:29:13 +0200
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 06 Sep 2005 18:29:13 +0200
From: Christoph Martin <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050817 Thunderbird/1.0.2 Mnenhy/0.7.2.0
X-Accept-Language: de-DE, de, en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Bug only present in woody
X-Enigmail-Version: 0.91.0.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="------------enig828592DB6F81B314CE686D3B"
X-Virus-Scanned-From: mailgate1.verwaltung.uni-mainz.de
X-Spam-Scanned-From: mailgate1.verwaltung.uni-mainz.de
X-Scanned-By: MIMEDefang 2.51 on 134.93.226.4
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no version=2.60-bugs.debian.org_2005_01_02

Closing since sarge is released.

-- 
============================================================================
Christoph Martin, Head of IT of the Administration, University of Mainz, Germany
E-mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337   Fax: +49-6131-3922856
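The failure Jason describes above is purely a version-ordering problem: apt only replaces a package with one whose version compares strictly greater, so a security rebuild that re-uses the version string already installed (here 0.9.6c-2.woody.4 on hosts running the thread-safe NMU) is treated as "already installed" and the fix never lands. The following is an added example, not code from the bug report or from Debian; it re-implements dpkg's Debian version comparison algorithm (the one in dpkg's vercmp.c) in Python and runs it over the version strings from the report. The function names are this example's own.

```python
"""Debian version comparison, re-implemented after dpkg's algorithm
(lib/dpkg/vercmp.c), to show why a security rebuild that re-uses an
installed package's version string is never selected as an upgrade.

The version strings used below are the ones from the bug report; the
function names are this example's own, not dpkg's or apt's API."""


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # Sort weight of one character inside a version fragment, as in dpkg:
    # '~' sorts before everything, even the end of the string (weight -1),
    # letters sort before other non-digits, digits are compared numerically
    # elsewhere, and the end of the string weighs 0.
    if c is None or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _fragment_cmp(a, b):
    """Compare an upstream_version or debian_revision fragment the way dpkg
    does: alternate runs of non-digits (lexical via _order) and runs of
    digits (numeric, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream_version[-debian_revision]' into its parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer
    than b: epoch first, then upstream_version, then debian_revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    r = _fragment_cmp(ua, ub)
    if r:
        return _sign(r)
    return _sign(_fragment_cmp(ra, rb))


def would_upgrade(installed, candidate):
    """apt only replaces an installed package with a strictly newer version;
    an identical version string counts as 'already installed'."""
    return compare_versions(candidate, installed) > 0


if __name__ == "__main__":
    thread_safe_rebuild = "0.9.6c-2.woody.4"  # installed at the reporter's site
    reissued_fix = "0.9.6c-2.woody.4"         # the new DSA update re-used the revision
    print(would_upgrade(thread_safe_rebuild, reissued_fix))         # False: fix never installs
    print(would_upgrade("0.9.6c-2.woody.3", reissued_fix))          # True: stock woody hosts upgrade
    print(would_upgrade(thread_safe_rebuild, "0.9.6c-2.woody.5"))   # True: a bumped revision would
```

On a Debian host the same comparison is available as `dpkg --compare-versions 0.9.6c-2.woody.4 gt 0.9.6c-2.woody.4` (exit status 1 here, meaning "not greater"), which is a quick way to confirm, before trusting an unattended upgrade, that the version in an advisory actually sorts above what `dpkg -l libssl0.9.6` reports as installed.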