Jeroen van Wolffelaar schrieb:
> On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:
>
>> a lot of people bugged me about the new version and upstream only recommends
>> this version. It also closes a grave security bug.
>
> Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
> advisory about openssl recently, did you backport a patch to the sarge version
> (and preferably also, to the woody version) and inform the security team? I
> noticed you just requested help for maintaining openssl, so I can imagine that
> it's been hard to come up with a patch, but it would at least be
> beneficial to document such security issues, by informing the security
> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
> the very least, a short description of the bug fixed) in your changelog entry.
It is documented in bug #314465. But it is not really a bug which you can fix
by backporting. It's about MD5 hashes being insecure. I talked with upstream
about the issue and follow their arguments:

> The default digest in 0.9.8 and the cvs head is SHA-1
> (we didn't change 0.9.7 as we didn't want to break existing
> implementations depending on the default digest being MD5).
> About SHA-256 etc. : they are included in the soon to
> appear 0.9.8.

The bug had been release critical and has the security tag. I downgraded it
to get the last 0.9.7 version into testing before uploading 0.9.8.

Christoph

-- 
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Telefon: +49-6131-3926337 Fax: +49-6131-3922856