Your message dated Thu, 03 Nov 2005 09:35:59 +0100
with message-id <[EMAIL PROTECTED]>
and subject line [Fwd: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Andreas Bogk <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CA.pl and openssl.cnf default to insecure MD5 digest
X-Mailer: reportbug 3.8
Date: Thu, 16 Jun 2005 15:04:29 +0200

Package: openssl
Version: 0.9.7e-3
Severity: grave
Tags: security
Justification: user security hole


openssl.cnf defaults to usage of MD5 as digest algorithm for generation
of certificates and CAs.  MD5 must be considered broken beyond hope;
we're not just talking about theoretical attacks, but attacks feasible
for everybody. X.509 keys with colliding checksums (and thus false
certificates) have been shown. See:

http://www.cits.rub.de/MD5Collisions/

for another example.

Unfortunately, there seem to be problems with RIPEMD160 in practice
(e.g. the Debian Thunderbird package doesn't understand RIPEMD160).  So
the only reasonable choice at the moment is SHA-1, even though SHA-1 has
been theoretically weakened already, and RIPEMD160 would be preferable.
I suggest adding

default_md: sha-1

in the req and ca sections of openssl.cnf, and talking the upstream
maintainers into supporting SHA-384 or SHA-512.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries

-- no debconf information
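
An added example illustrating the report above (not code from the Debian report, the openssl package or its maintainers): a small audit script that reads openssl.cnf-style text and reports which digest the `req` and `ca` sections will actually sign with. It follows the `default_ca` indirection that `openssl ca` uses (the `[ ca ]` section normally points at `[ CA_default ]`, which is where `default_md` lives), and it treats a missing `default_md` as falling back to MD5, which is what the report states for this version. `WEAK_DIGESTS`, the fallback value and both sample configurations are constructed for the example; the fixed sample writes the report's suggestion in the `key = value` form the rest of openssl.cnf uses, with the digest spelled `sha1`.

```python
"""Audit an openssl.cnf for weak default signature digests.

Added example for this bug thread, not code from the Debian report or
the openssl package. WEAK_DIGESTS, the fallback digest and the two
sample configurations below are constructed for illustration.
"""
import re
import sys

# Digests the report treats as unacceptable for certificate signatures.
WEAK_DIGESTS = {"md2", "md4", "md5"}

# Constructed sample in the layout of a 0.9.7-era openssl.cnf: [ca] points
# at [CA_default], which signs with md5, and [req] sets no digest at all.
WEAK_CNF = """\
HOME = .
[ ca ]
default_ca = CA_default        # the section with the real CA settings
[ CA_default ]
dir = ./demoCA
default_md = md5               # which md to use
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
"""

# Constructed sample with the report's fix applied: an explicit default_md
# in both the CA settings section and the req section.
FIXED_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
default_md = sha1
[ req ]
default_bits = 1024
default_md = sha1
"""

_SECTION = re.compile(r"^\[\s*(.+?)\s*\]$")


def parse_openssl_cnf(text):
    """Return {section: {key: value}} for openssl.cnf-style text.

    Handles '[ name ]' headers with inner whitespace, '#' comments and
    'key = value' pairs. Keys above the first header go under 'default'.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _SECTION.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def effective_digest(sections, section, fallback="md5"):
    """Digest that `section` will sign with, lower-cased.

    If the section names a default_ca, the real settings live in that
    section instead (openssl ca(1) behaviour). A missing default_md means
    the compiled-in default applies; the report says that is MD5 for the
    affected version, which the constructed `fallback` models.
    """
    conf = sections.get(section, {})
    target = conf.get("default_ca")
    if target:
        conf = sections.get(target, conf)
    return conf.get("default_md", fallback).lower()


def audit(text):
    """Return [(section, digest, is_weak)] for the req and ca sections."""
    sections = parse_openssl_cnf(text)
    findings = []
    for name in ("req", "ca"):
        digest = effective_digest(sections, name)
        findings.append((name, digest, digest in WEAK_DIGESTS))
    return findings


if __name__ == "__main__":
    # Audit a file named on the command line, else the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"WEAK_CNF": WEAK_CNF, "FIXED_CNF": FIXED_CNF}
    for label, text in samples.items():
        for section, digest, weak in audit(text):
            flag = "  <-- weak" if weak else ""
            print(f"{label}: [{section}] signs with {digest}{flag}")
```

Run it with no arguments to see both samples audited, or pass the path of a real openssl.cnf. The point worth noticing is the `default_ca` hop: a scan that only looks for `default_md` directly under `[ ca ]` would report nothing, while the setting that matters sits in `[ CA_default ]`.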

---------------------------------------
Date: Thu, 03 Nov 2005 09:35:59 +0100
From: Christoph Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Fwd: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

version 0.9.8-1


-- 
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Date: Wed, 2 Nov 2005 17:50:50 +0100
From: Kurt Roeckx <[EMAIL PROTECTED]>
To: Christoph Martin <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
        "Package Development List for OpenSSL packages."
        <[EMAIL PROTECTED]>
Subject: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest

On Wed, Nov 02, 2005 at 09:38:59AM +0100, Christoph Martin wrote:
> Hi Kurt,
> 
> Kurt Roeckx schrieb:
> > Can this be closed now that 0.9.8 has made it to the archive?
> 
> I don't think so. The bug is still present in sarge and will not be
> fixed. It should stay open until sarge is obsolete and should have a tag
> sarge and wontfix.

The proper way to do this would be to close it with the proper
version.  It will still be marked as existing in sarge.


Kurt





