Hi,

I would like to add RFC 5746 support to openssl in stable, so that CVE-2009-3555 can be fixed. But adding that support means that the old renegotiation doesn't work anymore unless you set an option. This has the potential to break both client and server applications making use of openssl. See the SSL_CTX_set_options manpage for the behaviour and the options you can set.

There are at least 2 packages that have an issue with this that I'm currently aware of:

- apache2: It would need an option an admin can turn on to allow insecure renegotiation.
- tor: It should always disable the new renegotiation. Running it as a server doesn't work. Newer versions than in stable, like the version in volatile, do work properly with any version of openssl. The maintainer and upstream favour dropping the version currently in stable.

Other packages still need to be checked.

I think at this point we're not going to be able to check the various packages that might be affected by this before the next point release. So I wonder when the next point release is going to happen, or whether we should try and update this via the security archive.

Kurt

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101116204806.ga14...@roeckx.be