Source: matrixssl Severity: grave Tags: security Justification: user security hole
Dear Maintainer, the version currently packaged in Debian is 5 years old, while many security issues were fixed in the upstream package meanwhile. I came to know the situation after reading the following research article: https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf They showed that matrixssl is vulnerable to man-in-the-middle attacks with v1 certificates (page 2). Indeed, a new version of matrixssl (3.6.0) was released on april 9 to fix that issue. (the information is thus fully public already) But actually, since the currently packaged version is 1.8, released back in 2009, I'm not completely sure of whether this perticular flaw was already packaged at that time. In my mind, such an ancient "security"-related package is deceiving to our users. I think that this package should either be updated, or simply removed from the archive. But Jessie should not be released with that as is. Bye, Mt. -- System Information: Debian Release: jessie/sid APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- La drogue était un milieu plutôt sain avant que le sport ne s'en mêle.
signature.asc
Description: Digital signature
