[arch-dev-public] Fw: OpenSSL 0.9.8e has serious bug

Tom K tom at archlinux.org
Sat Apr 21 04:37:28 EDT 2007


David Rosenstrauch wrote:
> Tom K wrote:
>> David Rosenstrauch wrote:
>>> Tom,
>>>
>>> I use EncFS pretty extensively, so I can assist you with testing if 
>>> you need.
>>>
>>> DR
>>>
>>
>> Thanks David.
>>
>> Get it here for now:
>> http://www.archlinux.org/~tom/packages/openssl-0.9.8e-3.pkg.tar.gz
>> PKGBUILD and patch here:
>> http://www.archlinux.org/~tom/packages/openssl/
>>
>> I've asked the original reporter for details on the known 
>> OpenSSL/Blowfish problem, for inclusion in Arch News etc.
>>
>> T.
> 
> Hi Tom.  I just upgraded and tested.
> 
> It's basically like Valient's mail said - the encrypted directory that I 
> made with the broken version of openssl-0.9.8e was now unreadable with 
> the new fixed version:
> 
> [darose at davidrlin pr]$ encfssh .d2 d2
> EncFS Password:
> Error decoding volume key, password incorrect
> encfs failed
> 
> But, like I did when we upgraded to the broken version in the first 
> place (http://archlinux.org/pipermail/arch/2007-March/013925.html) I 
> just deleted the bad encrypted directory and then recreated it.  (I keep 
> the contents in an RCS, so it's easy for me to just pull them from there 
> again.)  In retrospect, that wasn't necessarily the correct thing for me 
> to do.  Other people commented that they just remained downgraded on 
> openssl-0.9.8d.  That avoided the bug, and let them keep using their 
> existing encrypted directories.  But since recreating the directory was 
> no big deal, that worked for me.
> 
> Anyway, after I whacked and recreated the directory, encfs seems to be 
> working fine.  I'm able to unmount the encrypted directory and then 
> mount it again without a problem.
> 
> So I think the fix is fine.  Only caveat is that, like Valient said, 
> anyone who's created any encrypted directories using the broken version 
> will need to whack them and start again.  You might want to reference 
> Valient's email and/or this Arch email thread 
> (http://archlinux.org/pipermail/arch/2007-March/013924.html) in whatever 
> communication you send about the issue.
> 
> Hope this helps.  Any further questions, or need me to do any more 
> testing, please feel free to write back.
> 
> DR
> 
> 

Many thanks for the comprehensive reply, David. I'm still waiting to 
hear from Valient regarding his tests, but I'll put the fixed package 
into testing anyway, with appropriate accompanying messages.

T.
