Perl modules affected by openssl breakage

gregor herrmann gregoa at debian.org
Mon May 19 22:27:09 UTC 2008


On Mon, 19 May 2008 02:52:00 -0300, Martín Ferrari wrote:

> > E.g. any local script or application using libcrypt-openssl-* packages for
> > key creation would need to re-generate keys. Do you have some pointers
> > for documentation that can be provided to users?
> I have checked upstream docs and I don't see anything particularly
> useful. But I think that the keys generated are in the same format as
> the ones produced by the openssl command, so the same
> instructions/caveats should apply.

I took a _short_ look on the libcrypt-openssl-* packages, and it
seems that they are just frontends/wrappers for using openssl (i.e.
they just allow creating keys but don't do anything themselves). [0]

Maybe a hint "Keys generated via libcrypt-openssl-* are affected in
the same way ..." might be appropriate.
 
> > Are their other packages maintained by you, which need pointers/
> > instructions on key rollovers?
> We should check firstly which packages could have generated weak keys.

Yup, checking packages that depend on/use libcrypt-openssl-* would be
worth looking at.

If I got it right the list is rather short:

gregoa at belanna:~$ grep-dctrl -s Package,Depends,Build-Depends,Build-Depends-Indep -F Depends,Build-Depends,Build-Depends-Indep -r libcrypt-openssl-.*-perl /var/lib/apt/lists/ftp.at.debian.org_debian_dists_unstable_*_Sources
Package: libcrypt-openssl-rsa-perl
Depends: 
Build-Depends: debhelper (>= 6), libcrypt-openssl-bignum-perl, libcrypt-openssl-random-perl, libssl-dev, quilt
Build-Depends-Indep: 

Package: libmail-dkim-perl
Depends: 
Build-Depends: debhelper (>= 5)
Build-Depends-Indep: perl (>= 5.6.0-16), liberror-perl, libnet-dns-perl, libmailtools-perl, libdigest-sha1-perl, libdigest-sha-perl, libcrypt-openssl-rsa-perl (>= 0.24)


Cheers,
gregor


[0]
Crypt::OpenSSL::DSA(3)

It is a thin XS wrapper to the DSA functions contained in the
OpenSSL crypto library, located at http://www.openssl.org
       
 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian gnu/linux user, admin & developer - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-    NP: The Who: Magic Bus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20080520/25ee6846/attachment-0001.pgp 


More information about the pkg-perl-maintainers mailing list