On Wed, Jan 20, 2010 at 03:37:01PM +0100, Andreas Schulze wrote:
> Hello,
>
> the Debian Bug Report #529221 seems unchanged since 200905.
> Could anybody post a status update?
>
> I could recompile some applications patched with something like
>
>   bits &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
>   SSL_CTX_set_options(server_ctx, bits);
>
> But this is not a real solution!
> A change should be made in the ssl library.

I do not believe this is a security bug, since it requires a "malicious legitimate client". There is nothing preventing the client from publishing the content that went over the connection. However, I do think it is a bug.

Kurt