Re: [SECURITY] [DSA 3053-1] openssl security update
On Sat, 2014-10-18 at 23:59 +0100, Jonathan Wiltshire wrote:
> On 2014-10-18 22:08, Julian Gilbey wrote:
> > On Thu, Oct 16, 2014 at 05:48:24PM +0200, Thijs Kinkhorst wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Debian Security Advisory DSA-3053-1          secur...@debian.org
> > > http://www.debian.org/security/              Thijs Kinkhorst
> > > October 16, 2014                             http://www.debian.org/security/faq
> > >
> > > Package        : openssl
> > > CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
> > > [...]
> >
> > Now that the jessie release is well underway, is it possible either to
> > request unblocks for security uploads or to begin to support a
> > jessie/testing suite in security.debian.org?
>
> Technically nothing is blocked yet (except udebs), but yes of course
> security fixes are a reasonable justification for an unblock request,
> when that time does come.
>
> A Jessie security archive is up to the security team and FTP masters.
>
> --
> Jonathan Wiltshire                                      j...@debian.org
> Debian Developer                         http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
>
> directhex: i have six years of solaris sysadmin experience, from 8-10.
>            i am well qualified to say it is made from bonghits layered
>            on top of bonghits

I always thought that both Stable and Testing were supported by the
security team.

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

Not sure what is in there, but they are active.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1413991021.3899.1.ca...@thefnords.org
Re: [SECURITY] [DSA 3053-1] openssl security update
On Wed, October 22, 2014 17:17, Jason Fergus wrote:
> > > Now that the jessie release is well underway, is it possible either to
> > > request unblocks for security uploads or to begin to support a
> > > jessie/testing suite in security.debian.org?
> >
> > Technically nothing is blocked yet (except udebs), but yes of course
> > security fixes are a reasonable justification for an unblock request,
> > when that time does come.
> >
> > A Jessie security archive is up to the security team and FTP masters.
>
> I always thought that both Stable and Testing were supported by the
> security team.
>
> deb http://security.debian.org/ jessie/updates main contrib non-free
> deb-src http://security.debian.org/ jessie/updates main contrib non-free
>
> Not sure what is in there, but they are active.

What distributions are supported is answered in the Security team FAQ,
but in short, testing is cared for but the separate security archive is
not currently in active use. It has quite some overhead while it turns
out it's usually perfectly acceptable or even better to let fixes
migrate from unstable quickly instead of preparing uploads separately.
As was the case with openssl, whose transition into jessie has been
expedited because of the security fixes.

Cheers,
Thijs

Archive: https://lists.debian.org/eddc0467f77ef5be4debd62d2e9769ef.squir...@aphrodite.kinkhorst.nl
Re: [SECURITY] [DSA 3053-1] openssl security update
On Thu, Oct 16, 2014 at 05:48:24PM +0200, Thijs Kinkhorst wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Debian Security Advisory DSA-3053-1          secur...@debian.org
> http://www.debian.org/security/              Thijs Kinkhorst
> October 16, 2014                             http://www.debian.org/security/faq
>
> Package        : openssl
> CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
> [...]

Now that the jessie release is well underway, is it possible either to
request unblocks for security uploads or to begin to support a
jessie/testing suite in security.debian.org?

Thanks,

   Julian

Archive: https://lists.debian.org/20141018210811.ga8...@d-and-j.net
Re: [SECURITY] [DSA 3053-1] openssl security update
On 2014-10-18 22:08, Julian Gilbey wrote:
> On Thu, Oct 16, 2014 at 05:48:24PM +0200, Thijs Kinkhorst wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Debian Security Advisory DSA-3053-1          secur...@debian.org
> > http://www.debian.org/security/              Thijs Kinkhorst
> > October 16, 2014                             http://www.debian.org/security/faq
> >
> > Package        : openssl
> > CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
> > [...]
>
> Now that the jessie release is well underway, is it possible either to
> request unblocks for security uploads or to begin to support a
> jessie/testing suite in security.debian.org?

Technically nothing is blocked yet (except udebs), but yes of course
security fixes are a reasonable justification for an unblock request,
when that time does come.

A Jessie security archive is up to the security team and FTP masters.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

directhex: i have six years of solaris sysadmin experience, from 8-10.
           i am well qualified to say it is made from bonghits layered
           on top of bonghits

Archive: https://lists.debian.org/8f7e4aee43af0a80f43cf1340878f...@hogwarts.powdarrmonkey.net
Re: [SECURITY] [DSA 3053-1] openssl security update
Jonathan Wiltshire j...@debian.org (2014-10-18):
> Technically nothing is blocked yet (except udebs)

They were only blocked for a tiny number of days.

Mraw,
KiBi.
Re: [SECURITY] [DSA 3053-1] openssl security update
unsubscribe

2014-10-16 17:48 GMT+02:00 Thijs Kinkhorst th...@debian.org:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Debian Security Advisory DSA-3053-1          secur...@debian.org
> http://www.debian.org/security/              Thijs Kinkhorst
> October 16, 2014                             http://www.debian.org/security/faq
>
> Package        : openssl
> CVE ID         : CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568
>
> Several vulnerabilities have been found in OpenSSL, the Secure Sockets
> Layer library and toolkit.
>
> CVE-2014-3513
>
>     A memory leak flaw was found in the way OpenSSL parsed the DTLS
>     Secure Real-time Transport Protocol (SRTP) extension data. A remote
>     attacker could send multiple specially crafted handshake messages to
>     exhaust all available memory of an SSL/TLS or DTLS server.
>
> CVE-2014-3566 (POODLE)
>
>     A flaw was found in the way SSL 3.0 handled padding bytes when
>     decrypting messages encrypted using block ciphers in cipher block
>     chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM)
>     attacker to decrypt a selected byte of a cipher text in as few as
>     256 tries if they are able to force a victim application to
>     repeatedly send the same data over newly created SSL 3.0
>     connections.
>
>     This update adds support for Fallback SCSV to mitigate this issue.
>
> CVE-2014-3567
>
>     A memory leak flaw was found in the way OpenSSL handled failed
>     session ticket integrity checks. A remote attacker could exhaust all
>     available memory of an SSL/TLS or DTLS server by sending a large
>     number of invalid session tickets to that server.
>
> CVE-2014-3568
>
>     When OpenSSL is configured with "no-ssl3" as a build option, servers
>     could accept and complete an SSL 3.0 handshake, and clients could be
>     configured to send them.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 1.0.1e-2+deb7u13.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 1.0.1j-1.
>
> We recommend that you upgrade your openssl packages.
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> [signature block omitted]
> -----END PGP SIGNATURE-----
>
> Archive: https://lists.debian.org/20141016154824.c84f259...@kinkhorst.com
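The advisory says the update "adds support for Fallback SCSV" to mitigate POODLE (CVE-2014-3566). The server-side half of that mechanism (RFC 7507) is a small decision over the ClientHello; the Python below is an added example, not code from the advisory or from OpenSSL, that implements that decision over a ClientHello body constructed here (record layer and extensions omitted), with the suite numbers taken from RFC 7507 and the TLS registry.

```python
"""Added example: the server-side TLS_FALLBACK_SCSV check of RFC 7507.
Not OpenSSL code; the ClientHello bytes are constructed for offline use."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value (RFC 7507)
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
AES128_SHA = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA, used as filler

def build_client_hello(client_version, suites):
    """Constructed ClientHello body: client_version, 32 zero bytes of random,
    an empty session_id, then the cipher_suites vector. No extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(cs)) + cs)

def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    (client_version,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                               # skip client_version and random
    pos += 1 + body[pos]                       # skip session_id<0..32>
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def fallback_verdict(body, server_max=TLS1_2):
    """RFC 7507 section 3: when the SCSV is present and the server supports a
    higher version than the client offered, abort with a fatal
    inappropriate_fallback alert; otherwise continue the handshake."""
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "inappropriate_fallback"
    return "proceed"

if __name__ == "__main__":
    # A client retrying at SSL 3.0 after a failed higher-version attempt
    # signals the retry with the SCSV; an updated server refuses the downgrade.
    print(fallback_verdict(build_client_hello(SSL3_0, [AES128_SHA, TLS_FALLBACK_SCSV])))
    # A client whose genuine maximum is SSL 3.0 sends no SCSV, so the check
    # does not protect it; that is why SSL 3.0 should also be disabled outright.
    print(fallback_verdict(build_client_hello(SSL3_0, [AES128_SHA])))
```

The second case in the block is the limitation worth remembering: Fallback SCSV only stops downgrades of clients that would otherwise have negotiated a newer version, so disabling SSL 3.0 on the server remains the complete fix.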