Please merge Openssl 0.9.8k-7 from debian unstable

Bug #493392 reported by Nicolas Valcarcel
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Nicolas Valcarcel

Bug Description

Binary package hint: openssl

Please merge Openssl 0.9.8k-7 from debian unstable, since it has shlibs changes that would be beneficial for an LTS release


Changed in openssl (Ubuntu):
assignee: nobody → Nicolas Valcárcel (nvalcarcel)
status: New → Confirmed
importance: Undecided → Medium
importance: Medium → Wishlist
status: Confirmed → In Progress
Changed in openssl (Ubuntu):
status: In Progress → Confirmed
Marc Deslauriers (mdeslaur) wrote:

Warning: this is the version that has ssl renegotiation completely disabled as a fix for CVE-2009-3555. This may break applications that we support.

From the openssl changelog:

  *) Disable renegotiation completely - this fixes a severe security
     problem at the cost of breaking all renegotiation. Renegotiation
     can be re-enabled by setting
     OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION at
     compile-time. This is really not recommended.
     [Ben Laurie]

This will probably break anything that uses DTLS, and postgresql.

Marc Deslauriers (mdeslaur) wrote:

openssl advisory:

http://www.openssl.org/news/secadv_20091111.txt

"The workaround in 0.9.8l simply bans all renegotiation. Because of the
nature of the attack, this is only an effective defence when deployed
on servers. Upgraded clients will still be vulnerable.

Servers that need renegotiation to function correctly obviously cannot
deploy this fix without breakage."

summary: - Please merge Openssl 0.9.8k-6 from debian testing
+ Please merge Openssl 0.9.8k-7 from debian testing
description: updated
summary: - Please merge Openssl 0.9.8k-7 from debian testing
+ Please merge Openssl 0.9.8k-7 from debian unstable
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package openssl - 0.9.8k-7ubuntu1

---------------
openssl (0.9.8k-7ubuntu1) lucid; urgency=low

  * Merge from debian unstable, remaining changes (LP: #493392):
    - Link using -Bsymbolic-functions
    - Add support for lpia
    - Disable SSLv2 during compile
    - Ship documentation in openssl-doc, suggested by the package.
    - Use a different priority for libssl0.9.8/restart-services
      depending on whether a desktop, or server dist-upgrade is being
      performed.
    - Display a system restart required notification bubble on libssl0.9.8
      upgrade.
    - Replace duplicate files in the doc directory with symlinks.
    - Move runtime libraries to /lib, for the benefit of wpasupplicant
  * Strip the patches out of the source into quilt patches
  * Disable CVE-2009-3555.patch
 -- Nicolas Valcarcel Scerpella (Canonical) <email address hidden> Sun, 06 Dec 2009 20:16:24 -0500

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released