On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> Package: openssl
> Version: 0.9.8o-4squeeze13
> Severity: grave
> Tags: security
> Justification: user security hole
>
> openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
This doesn't make any sense at all. This is a bug fixed in 0.9.8a in 2005. It only seems to be relevant for the fips version, which we never had. Unless someone can tell me why you think this affects anything in Debian, I'm just going to close it.

Kurt

> As far as I can see the problem is gone in 1.0.1c - but I leave this bug
> open for unstable/testing so that it can be double-checked by someone more
> versed in openssl.

This doesn't make sense at all. You file it against the version in stable, but the version tracking will say this only affects stable, because the version in testing/unstable is not based on the version in stable; they split at 0.9.8o-4. If you want to have this bug affect all versions you should have filed this against the 0.9.8o-4 version. Also, everything seems to indicate that 1.0 isn't affected at all.

Kurt
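The fix Arne's report refers to is the call to DH_check_pub_key() in crypto/dh/dh_key.c, which validates the peer's public value before the shared secret is computed. The following is an added example, not code from this thread, from Debian or from OpenSSL: a Python re-implementation of that check (range test plus, when the subgroup order q is known, the pub^q mod p == 1 test) and a compute_key() that refuses to proceed when the check fails. The DH group is a constructed toy safe prime, far too small for real use, and the DH_CHECK_PUBKEY_* flag values are assumed to match OpenSSL's constants only for familiarity; nothing below depends on them.

```python
"""Re-implementation of the peer-public-key validation performed by
OpenSSL's DH_check_pub_key() before DH_compute_key() uses the value.

Added example only; this is not the Debian or OpenSSL code itself.
"""

# Constructed toy safe prime p = 2q + 1 for illustration (not a real group).
# g = 4 generates the order-q subgroup modulo 23.
P, Q, G = 23, 11, 4

# Flag values assumed to follow OpenSSL's DH_CHECK_PUBKEY_* constants.
DH_CHECK_PUBKEY_TOO_SMALL = 0x01
DH_CHECK_PUBKEY_TOO_LARGE = 0x02
DH_CHECK_PUBKEY_INVALID = 0x04


def dh_check_pub_key(p, pub, q=None):
    """Return a bitmask of problems with a peer's public value (0 = OK).

    Rejects pub <= 1 and pub >= p-1: those values force the shared secret
    to 0, 1 or -1 regardless of our private exponent. When the subgroup
    order q is known, also rejects any value with pub^q mod p != 1, i.e.
    a value outside the order-q subgroup, which an attacker can use to
    learn our private exponent modulo a small factor (small-subgroup
    confinement).
    """
    flags = 0
    if pub <= 1:
        flags |= DH_CHECK_PUBKEY_TOO_SMALL
    if pub >= p - 1:
        flags |= DH_CHECK_PUBKEY_TOO_LARGE
    if q is not None and pow(pub, q, p) != 1:
        flags |= DH_CHECK_PUBKEY_INVALID
    return flags


def dh_generate_key(p, g, priv):
    """Public value g^priv mod p for a caller-supplied private exponent."""
    return pow(g, priv, p)


def dh_compute_key(p, priv, peer_pub, q=None):
    """Shared secret, or None when the peer's value fails validation.

    Mirrors the fixed dh_key.c control flow: validate the peer value
    first, and only then raise it to our private exponent.
    """
    if dh_check_pub_key(p, peer_pub, q):
        return None
    return pow(peer_pub, priv, p)


if __name__ == "__main__":
    alice_priv, bob_priv = 3, 5
    alice_pub = dh_generate_key(P, G, alice_priv)  # 18
    bob_pub = dh_generate_key(P, G, bob_priv)      # 12
    print("honest exchange:", dh_compute_key(P, alice_priv, bob_pub, Q),
          dh_compute_key(P, bob_priv, alice_pub, Q))
    for bad in (0, 1, P - 1, P, 5):
        print("peer value %2d -> flags 0x%02x, secret %r"
              % (bad, dh_check_pub_key(P, bad, Q),
                 dh_compute_key(P, alice_priv, bad, Q)))
```

The last loop shows the two halves of the check: 0, 1 and p-1 are caught by the range test alone, while 5 (which lies outside the order-11 subgroup of this toy group) is only caught when q is supplied, so an implementation that omits the subgroup test accepts it and leaks information about the private exponent.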