On 10/04/13 18:39, Michael Gilbert wrote:
>> Is CVE-2011-1923 related to CVE-2009-3555?
>>
>> For CVE-2011-1923, they have a patch that applies to Debian's version in
>> squeeze (fixed upstream in >squeeze), which I can adapt easily and
>> prepare as a security fix.
>>
>> Nothing found directly for CVE-2009-3555 - will ask upstream.
>
> They're definitely different issues. CVE-2009-3555 is an ssl protocol
> design flaw, so it affected pretty much every ssl implementation. If
> you can get a statement from upstream about it, that would be great.

Upstream's statement is that it's fixed (i.e. new protocol implemented) upstream only at 1.2.0. I.e. issue affects current Debian versions in stable, testing and unstable. (Fixed in experimental.)

Hope I can get around separating-out and backporting respective changes to squeeze and wheezy. Any help appreciated.

Thanks,
Roland

