On Wed, Feb 06, 2013 at 11:59:18AM +0100, Thijs Kinkhorst wrote:
> Package: openssl
> Severity: serious
> Tags: security
>
> Hi,
>
> Several issues were announced in the OpenSSL security advisory of 05 Feb 2013
> (http://www.openssl.org/news/secadv_20130205.txt):
>
> SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
> TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)

It seems people are having issues with this patch. Commit 125093b59f3c2a2d33785b5563d929d0472f1721 is the problematic commit, but is also the one that fixes both CVEs as far as I can tell.

I understand that 1.0 isn't affected, so 0.9.8 probably also isn't. I might be able to fix the 2nd one by disabling the AES-NI part.

> OCSP invalid key DoS issue (CVE-2013-0166)

I don't see this as being urgent.

So I'm waiting for upstream to fix the 1.0.1d version before uploading to unstable. I think I'll also wait to see if this applies to other versions or not.

Kurt