[Pkg-openssl-devel] Bug#483379: Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues

Nico Golde nion at debian.org
Wed May 28 15:20:51 UTC 2008


Hi Christoph,
* Christoph Martin <martin at uni-mainz.de> [2008-05-28 17:13]:
> Nico Golde wrote:
> > Package: openssl
> > Version: 0.9.8f-1
> > Severity: grave
> > Tags: security
[...] 
> > | Testing using the Codenomicon TLS test suite discovered a flaw in the
> > | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
> > | 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
> > | name extensions, a remote attacker could send a carefully crafted
> > | packet to a server application using OpenSSL and cause a crash.
> 
> This one does not affect the current Debian version, since it is not
> compiled with the tlsext option.

Did you miss:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib  enable-tlsext 
                                                                                  ^^^^^^^^^^^^
?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.