Bug#529221: [Pkg-openssl-devel] Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2010-01-20 Thread Kurt Roeckx
On Wed, Jan 20, 2010 at 09:37:01PM +0100, Florian Weimer wrote:
> * Andreas Schulze:
>
> > the Debian Bug Report #529221 seems unchanged since 200905.
> > Could anybody post a status update?
>
> Is this, perchance, a PCI DSS compliance issue?
>
> I'm still not convinced that this is a security

Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2010-01-20 Thread Florian Weimer
* Andreas Schulze:
> the Debian Bug Report #529221 seems unchanged since 200905.
> Could anybody post a status update?
Is this, perchance, a PCI DSS compliance issue?
I'm still not convinced that this is a security bug.

Bug#529221: [Pkg-openssl-devel] Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2010-01-20 Thread Kurt Roeckx
On Wed, Jan 20, 2010 at 03:37:01PM +0100, Andreas Schulze wrote:
> Hello,
>
> the Debian Bug Report #529221 seems unchanged since 200905.
> Could anybody post a status update?
>
> I could recompile some applications patched with something like
>
> bits &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_

Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2010-01-20 Thread Andreas Schulze
Hello,
the Debian Bug Report #529221 seems unchanged since 200905.
Could anybody post a status update?
I could recompile some applications patched with something like
    bits &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
    SSL_CTX_set_options(server_ctx, bits);
But this is not a real solution! A

Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2010-01-15 Thread Tim Stoop
Hi all, Is the status of this problem that it won't be fixed unless a CVE number is assigned? Is anyone working on that? We're getting the same report from Qualys. -- Kind regards, Met vriendelijke groet, Tim Stoop Kumina bv www.kumina.nl kvk nr 14095795

Bug#529221: [Pkg-openssl-devel] Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2009-05-25 Thread Florian Weimer
>> # Consequence
>> A malicious legitimate client can enforce a ciphersuite not supported by the
>> server to be used for a session between the client and the server. This can
>> result in disclosure of sensitive information.
A malicious legitimate client can also publish the data outright. So I

Bug#529221: [Pkg-openssl-devel] Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2009-05-25 Thread Kurt Roeckx
Hi, It seems that some other vendors like Red Hat have already addressed this years ago, but there doesn't seem to be a CVE for it. Could someone get a CVE assigned to this? I don't plan to make the same change to the header, since we would need to rebuild everything to get that option turned off

Bug#529221: Netscape/OpenSSL Cipher Forcing Bug

2009-05-17 Thread Jürgen Heil
Package: libssl0.9.8
Version: 0.9.8c-4etch5
Severity: normal
-- System Information:
Debian Release: 4.0
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-486
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-