On Wed, Feb 06, 2013 at 11:59:18AM +0100, Thijs Kinkhorst wrote:
> Package: openssl
> Severity: serious
> Tags: security
> 
> Hi,
> 
> Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
> (http://www.openssl.org/news/secadv_20130205.txt):
> 
>  SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
>  TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)

It seems people are having issues with this patch.  Commit
125093b59f3c2a2d33785b5563d929d0472f1721 is the problematic
commit, but is also the one that fixes both CVEs as far
as I can tell.

I understand that 1.0 isn't affected, so 0.9.8 probably also
isn't.

I might be able to fix the 2nd one by disabling the AES-NI
part.

>  OCSP invalid key DoS issue (CVE-2013-0166)

I don't see this as being urgent.

So I'm waiting for upstream to fix the 1.0.1d version before
uploading to unstable.  I think I'll also wait to see
if this applies to other versions or not.


Kurt

