On Thu, 12 Nov 2009, Kurt Roeckx wrote:
> The changes says:
> *) Disable renegotiation completely - this fixes a severe security
> problem (CVE-2009-3555) at the cost of breaking all
> renegotiation. Renegotiation can be re-enabled by setting
> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
> run-time. This is really not recommended unless you know what
> you're doing.
> So this would mean that it will break some setups.
You're right, but the solution could be ask the user, during postinstall
package configuration, to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
(and set it by default) explaining briefly the vulnerability. This
wouldn't break anything existing but give the possibility to protect
against the vulnerability.
P.S.: the changelog link of openssl
(http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8g-15+lenny5/changelog)
is not working at the moment.
Regards
Enrique