[csw-users] Openssl vulnerability CVE-2009-3555

Dagobert Michelsen dam at opencsw.org
Thu Dec 10 07:29:33 CET 2009


Hi Mike,

On 06.12.2009 at 18:10, Mike Gerdts wrote:
> On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
>> A security vulnerability has been recently found in the TLS and SSL
>> protocol part related to the handling of session renegotiation [1]. This
>> vulnerability allows an attacker to inject arbitrary content at the
>> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
>>
>> This problem is caused by a design flaw in the TLS/SSL protocol and is
>> difficult to fix in a clean and backward compatible way. As a result the
>> new openssl release (0.9.8l) which fixes this bug simply completely
>> disables renegotiation.
>>
>> This new package will hit csw unstable mirror very soon.
>
> What is the plan for updating stable?  If there are no plans to
> maintain stable, is there a documented procedure for me to create a
> custom branch (e.g. mystable) that contains the fixes and updates that
> I care about?  The current stable seems to be a bit stale.

Please excuse my late answer, as I wanted to first check the overall
state for a new stable. There is a new stable planned, but as we have
updated roughly 700 of the 2200 distributed packages since the last
stable, testing all this is not a small task. Unfortunately I cannot
give you a date when the next stable will be available.

In the meantime you can either make your own repository with updates
you consider important and use it as overlay catalog for pkgutil
   <http://pkgutil.wikidot.com/bldcat>

Alternatively you can do a single package update with pkg-get like
   pkg-get -s http://<current-url> -U -u openssl
that will just as easily get the later openssl. As it doesn't have
non-openssl-dependencies it will accomplish the same thing. Then you
can go back to using the regular "stable" archives, since pkg-get will
not update over a "newer" installed version of openssl.


Best regards

   -- Dago
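The thread points at 0.9.8l as the release that addresses CVE-2009-3555 and suggests a single-package update of openssl on a stable host. The script below is an added example, not code from this thread or from OpenCSW: it compares the version string printed by `openssl version` against 0.9.8l so an administrator can tell whether a host still needs the update. It assumes OpenSSL's 0.9.x letter-suffixed version scheme (0.9.8k < 0.9.8l < 0.9.8za) and that the OpenCSW binary, if installed, lives at /opt/csw/bin/openssl; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the csw-users thread or OpenCSW): check whether the
# installed OpenSSL is at least 0.9.8l, the release the thread names as the
# fix for CVE-2009-3555. Accepts bare versions ("0.9.8l") or the output of
# `openssl version` ("OpenSSL 0.9.8k 01 Jan 2009", a constructed sample).

# Print a sortable key "MAJOR MINOR PATCH LETTERRANK" for a version string,
# e.g. "0.9.8l" -> "0 9 8 12". Letter suffixes rank a<b<...<z<za<zb<...,
# which covers the whole 0.9.8a..0.9.8zh series.
openssl_version_key() {
    # drop the "OpenSSL " prefix, the build date after the version, and any
    # "-fips"-style tag after a hyphen
    v=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL *//' -e 's/[[:space:]].*$//' -e 's/-.*$//')
    num=$(printf '%s\n' "$v" | sed -e 's/[a-z].*$//')
    letters=$(printf '%s\n' "$v" | sed -e 's/^[0-9.]*//')
    major=$(printf '%s\n' "$num" | cut -d. -f1)
    minor=$(printf '%s\n' "$num" | cut -d. -f2)
    patch=$(printf '%s\n' "$num" | cut -d. -f3)
    rank=0
    for c in $(printf '%s\n' "$letters" | sed -e 's/./& /g'); do
        # a=1 ... z=26; every further letter shifts the previous rank up
        o=$(printf '%d' "'$c")
        rank=$(( rank * 27 + o - 96 ))
    done
    printf '%s %s %s %s\n' "${major:-0}" "${minor:-0}" "${patch:-0}" "$rank"
}

# Return 0 (true) when version $1 is at least version $2, else 1.
openssl_version_ge() {
    a=$(openssl_version_key "$1")
    b=$(openssl_version_key "$2")
    set -- $a $b            # $1..$4 left key, $5..$8 right key
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return $?; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return $?; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return $?; }
    [ "$4" -ge "$8" ]
}

# Release named in the thread as the one that disables renegotiation.
CVE_2009_3555_FIXED_IN="0.9.8l"

# Return 0 when the given version (or `openssl version` output) is >= 0.9.8l.
openssl_has_cve_2009_3555_fix() {
    openssl_version_ge "$1" "$CVE_2009_3555_FIXED_IN"
}

# Stand-alone use: report on the OpenCSW openssl if present, else the one on PATH.
main() {
    bin=/opt/csw/bin/openssl   # assumed OpenCSW install path
    [ -x "$bin" ] || bin=openssl
    if ! ver=$("$bin" version 2>/dev/null); then
        echo "no openssl binary found, nothing to check"
        return 0
    fi
    if openssl_has_cve_2009_3555_fix "$ver"; then
        echo "$ver: at or past $CVE_2009_3555_FIXED_IN"
    else
        echo "$ver: predates $CVE_2009_3555_FIXED_IN, update openssl (e.g. pkg-get -U -u openssl)"
    fi
}
main
```

The comparison is done on a numeric key rather than a plain string compare because "0.9.8l" sorts after "0.9.8k" but "0.9.8za" must sort after "0.9.8z"; a naive `sort -V` or string comparison gets one of those two wrong. The function names are this example's own, not OpenCSW tooling.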
