On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > >
> > > > > For security I would like to have the following:
> > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > >
> > > > So I've put that at:
> > > > http://people.debian.org/~kroeckx/openssl/
> > >
> > > So the patch for CVE-2013-6450 was missing a commit. See:
> > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > >
> > > I'll upload a 1.0.1e-2+deb7u2 soon.
> >
> > I've uploaded it. The changelog for it:
> > * The patch we applied for CVE-2013-6450 was causing segfaults,
> > also apply the previous commit checking for NULL in
> > EVP_MD_CTX_destroy()
> > * Fix for TLS record tampering bug CVE-2013-4353
>
> So after uploading this, I got this as reply:
> > Although there is no CVE connected to it it is also advisable to
> > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
>
> Should I make an other upload (with different version) for that?
Yes, please include it.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
