[arch-dev-public] [signoff] openssl 0.9.8l-1
Moin, you might have heard from the possible MTM attack against TLS. Openssl has released a new version which disabled the affected renegotiation feature. We should move this to core soon. For more information see http://extendedsubset.com/?p=8 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555 Please note that this is more or less a protocol design flaw which means that every SSL implementation should be affected, not only openssl (e.g. Firefox uses nss and there is also gnutls). So we should have a look at those packages, too. Pierre -- Pierre Schmitz, https://users.archlinux.de/~pierre
On Fri, Nov 6, 2009 at 2:29 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
Moin,
you might have heard from the possible MTM attack against TLS. Openssl has released a new version which disabled the affected renegotiation feature. We should move this to core soon.
For more information see http://extendedsubset.com/?p=8 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
Please note that this is more or less a protocol design flaw which means that every SSL implementation should be affected, not only openssl (e.g. Firefox uses nss and there is also gnutls). So we should have a look at those packages, too.
Pierre
-- Pierre Schmitz, https://users.archlinux.de/~pierre
signoff both arches
On 11/06/2009 09:29 AM, Pierre Schmitz wrote:
Moin,
you might have heard from the possible MTM attack against TLS. Openssl has released a new version which disabled the affected renegotiation feature. We should move this to core soon.
For more information see http://extendedsubset.com/?p=8 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
Please note that this is more or less a protocol design flaw which means that every SSL implementation should be affected, not only openssl (e.g. Firefox uses nss and there is also gnutls). So we should have a look at those packages, too.
Pierre
signoff x86_64 -- Ionut
On Sun, Nov 8, 2009 at 5:13 AM, Ionut Biru <biru.ionut@gmail.com> wrote:
On 11/06/2009 09:29 AM, Pierre Schmitz wrote:
Moin,
you might have heard from the possible MTM attack against TLS. Openssl has released a new version which disabled the affected renegotiation feature. We should move this to core soon.
For more information see http://extendedsubset.com/?p=8 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
Please note that this is more or less a protocol design flaw which means that every SSL implementation should be affected, not only openssl (e.g. Firefox uses nss and there is also gnutls). So we should have a look at those packages, too.
Pierre
signoff x86_64
Are you going to move this sometime soon, Pierre? -Dan
Am Sonntag 08 November 2009 18:30:26 schrieb Dan McGee:
Are you going to move this sometime soon, Pierre?
Yes, I think I wont wait for more sign-offs. Any problems with that package ? -- Pierre Schmitz, https://users.archlinux.de/~pierre
participants (6)
-
Allan McRae
-
Daenyth Blank
-
Dan McGee
-
Eric Bélanger
-
Ionut Biru
-
Pierre Schmitz