* Sven Hartge:

> Florian Weimer wrote:
>> * Florian Weimer:
>
>>> It's the generation of the special server-side key used to support
>>> "RSA export" clients which use 40-bit symmetric session keys.
>
>> Turns out the patch was broken. This one should be better. The
>> comments above still apply.
>
> Will this patch be included in the next point release of Sarge
Not sure about that. There are different means to tackle this problem. We could just remove

  rm -f /var/spool/exim4/gnutls-params

from the daily cron job. Or we add proper locking so that only one Exim process actually recomputes the params file when it is missing, significantly reducing the impact of this problem. Or the preferred option: do not remove that file, but regenerate it and replace it with the new version, so that Exim never has to regenerate it. In any case, we need people whose Exim installations suffer from this problem to test a patch before we roll it out.

> or better yet released via a security update, since it is trivial to
> DoS Exim4 from Sarge with some single SSL/TLS connections?

AFAICS, it is not possible to trigger this bug reliably (I had to delete the params file manually to prove it). It certainly results in a loss of service, but it's a security vulnerability, and therefore does not qualify as a security bug.
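As an added illustration of the "regenerate and replace" option (not code from this thread, from Exim or from the Debian packaging), a POSIX shell function that builds the new parameter file beside the old one and swaps it in with a single rename, under a mkdir-based lock so that concurrent runs cannot both regenerate. The destination path and the generator command are assumptions supplied by the caller; a cron job would call this instead of deleting the file.

```shell
#!/bin/sh
# Added example: regenerate a parameter file out of place and swap it in
# atomically, so a daemon never observes the file missing and at most one
# regeneration runs at a time. Paths and the generator are caller-supplied
# assumptions, not Exim's own code.

# regen_params DEST GENERATOR [ARGS...]
#   Runs GENERATOR with the temp file path appended as its last argument,
#   then rename()s the temp file over DEST.
#   Returns 0 on success, 1 if another regeneration holds the lock,
#   2 if the generator failed (DEST is left untouched in that case).
regen_params() {
    dest=$1; shift
    dir=$(dirname "$dest")
    lock="$dest.lock"

    # mkdir is atomic on POSIX filesystems, so it serves as a portable
    # mutex: only the first caller to create the directory proceeds.
    if ! mkdir "$lock" 2>/dev/null; then
        return 1
    fi

    # Temp file in the same directory, so the final rename stays on one
    # filesystem and is therefore atomic.
    tmp=$(mktemp "$dir/.params.XXXXXX") || { rmdir "$lock"; return 2; }
    if "$@" "$tmp"; then
        mv -f "$tmp" "$dest"   # rename(2): old file stays valid until this instant
        rc=0
    else
        rm -f "$tmp"           # keep the old file; never leave a gap
        rc=2
    fi
    rmdir "$lock"
    return $rc
}
```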