On Fri, May 09, 2014 at 03:32:25AM +0200, Wilfried Klaebe wrote:
> Kurt Roeckx wrote:
> > I don't see how the severity of this is critical.
>
> The severity level "critical" is defined as: "makes unrelated software
> on the system (or the whole system) break, or causes serious data loss,
> or introduces a security hole on systems where you install the package."
> <https://www.debian.org/Bugs/Developer>

Exactly.

> This bug makes unrelated software on the system break (e.g. ejabberd, no
> communication was possible until _both_ sides had the supplied patch
> applied),

ejabberd is not unrelated since it makes use of openssl. It's also not
totally broken that it can't be used, communication can be done under
normal conditions.

> and also could introduce security holes, as clients might fall
> back to unencrypted communication.

You can argue that this is a security hole or not. I see no
reason to use such large keys in the first place.

Kurt