[Pkg-openssl-devel] Bug#529221: Bug#529221: Netscape/OpenSSL Cipher Forcing Bug
Kurt Roeckx
kurt at roeckx.be
Wed Jan 20 17:39:42 UTC 2010
On Wed, Jan 20, 2010 at 03:37:01PM +0100, Andreas Schulze wrote:
> Hello,
>
> the Debian Bug Report #529221 seems unchanged since 200905.
> Could anybody post a status update?
>
> I could recompile some applications patched with something like
>
> bits &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
> SSL_CTX_set_options(server_ctx, bits);
>
> But this is not a real solution!
> A change should be made in the ssl library.
I do not believe this is a security bug, since it requires
a "malicious legitimate client". There is nothing preventing
the client from publishing the content that went over
the connection.
However, I do think it is a bug.
Kurt