[arch-dev-public] Fw: OpenSSL 0.9.8e has serious bug
Begin forwarded message:
Date: Tue, 17 Apr 2007 23:32:26 -0700
From: "Valient Gough" <valient@gmail.com>
To: jvinet@zeroflux.org
Subject: OpenSSL 0.9.8e has serious bug
I've had reports from a couple users of Arch Linux that EncFS is unable to access their existing encrypted filesystems after upgrading Arch packages.
The problem is that OpenSSL 0.9.8e has a known problem with Blowfish encryption which makes it incompatible with any other versions of OpenSSL.
EncFS users will not be able to read filesystems which use Blowfish with key length > 128 bits, and if they create a new filesystem when using OpenSSL 0.9.8e, then they will not be able to access their filesystem when using the next release of OpenSSL with that bug fixed.
See: http://cvs.openssl.org/chngview?cn=15978
regards,
Valient
On Thu, Apr 19, 2007 at 10:54:42AM -0700, Judd Vinet wrote:
> Begin forwarded message:
> Date: Tue, 17 Apr 2007 23:32:26 -0700
> From: "Valient Gough" <valient@gmail.com>
> To: jvinet@zeroflux.org
> Subject: OpenSSL 0.9.8e has serious bug
> I've had reports from a couple users of Arch Linux that EncFS is unable to access their existing encrypted filesystems after upgrading Arch packages.
> The problem is that OpenSSL 0.9.8e has a known problem with Blowfish encryption which makes it incompatible with any other versions of OpenSSL.
> EncFS users will not be able to read filesystems which use Blowfish with key length > 128 bits, and if they create a new filesystem when using OpenSSL 0.9.8e, then they will not be able to access their filesystem when using the next release of OpenSSL with that bug fixed.
> See: http://cvs.openssl.org/chngview?cn=15978
> regards, Valient
Is there anything we, as developers, should be doing about this?
Jason
> Is there anything we, as developers, should be doing about this?
Someone should rebuild openssl with the patch from CVS, I'd suppose. As well as a frontpage/ML/BBS post.
Dale
Dale Blount wrote:
> > Is there anything we, as developers, should be doing about this?
> Someone should rebuild openssl with the patch from CVS, I'd suppose. As well as a frontpage/ML/BBS post.
> Dale
I've built a patched version here, but I don't use EncFS myself. Does anyone else?
If not, I'll read up on it myself, or I could put it on testing and ask for testers in the community.
T.
Tom K wrote:
> Dale Blount wrote:
> > > > See: http://cvs.openssl.org/chngview?cn=15978
> > > Is there anything we, as developers, should be doing about this?
> > Someone should rebuild openssl with the patch from CVS, I'd suppose. As well as a frontpage/ML/BBS post.
> > Dale
> I've built a patched version here, but I don't use EncFS myself. Does anyone else?
> If not, I'll read up on it myself, or I could put it on testing and ask for testers in the community.
> T.
openssl 0.9.8e-3 is now in testing, and related messages are in News, ML, and forum.
T.
participants (4)
- Dale Blount
- Jason Chu
- Judd Vinet
- Tom K