Hi all! Sorry to be jumping in without preserving the In-Reply-To.
Allard Hoeve wrote:

> I'm afraid this new package introduces some serious errors in software
> that depends on this package. I have tested the new package on three
> different Sarge machines with the following results. Please reproduce
> using attached perl script.

This bug jumped up and bit us too during testing, and it has been reported as bug #356810:

http://bugs.debian.org/356810

so, it is now clear that it poses a serious problem for users, as it breaks the default behaviour. However,

> Please remove the update from the security archive.

...it is not that simple. If you read the original advisory:

http://www.securityfocus.com/archive/1/archive/1/425966/100/0/threaded

you'll see that we have (indirectly) been relying on weak and deprecated behaviour. While this is not the sort of breakage you expect from stable, it underlines that security is not just about blindly upgrading packages. So, it is probably better to get a heads-up from something that breaks down than getting the heads-up from someone who breaks in... :-)

The problem in this case is that we don't know if it is serious:

"The difficulty of breaking data encrypted using this flawed algorithm is unknown, but it should be assumed that all information encrypted in this way has been, or could someday be, compromised."

Given that the upgrade certainly breaks stable, a DSA could have suggested the workaround as the correct path for sysadmins:

"If using Crypt::CBC versions 2.16 and lower, pass the -salt=>1 option to Crypt::CBC->new()."

I.e., say "you should do this now to upgrade your systems". Many users are likely to be bitten by this upgrade, so, indeed, it may be a reasonable path to remove the security upgrade and instead suggest the workaround.

Best,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
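The workaround quoted above (passing -salt=>1 to Crypt::CBC->new()) as a worked example. This is added here and is not code from the thread, the attached script, or the Crypt::CBC project; it assumes a Crypt::CBC that honours the -salt option as the advisory describes and an installed Rijndael cipher module (the -cipher choice is an assumption, any supported block cipher works). The key and message are constructed for illustration. The check it demonstrates is the one a sysadmin can run on existing data: salted output begins with the OpenSSL-compatible "Salted__" marker, so ciphertext produced by the old unsalted default is recognisable by the absence of that header.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): apply the advisory's
# -salt => 1 workaround and check that the output really is salted.
use strict;
use warnings;
use Crypt::CBC;

# Constructed key and plaintext for illustration only.
my $key       = 'example passphrase, not a real secret';
my $plaintext = 'The quick brown fox jumps over the lazy dog';

# Workaround from the advisory: ask for salted key derivation explicitly
# instead of relying on the old (unsalted) default.
my $salted = Crypt::CBC->new(
    -key    => $key,
    -cipher => 'Rijndael',   # assumed: requires Crypt::Rijndael to be installed
    -salt   => 1,
);

my $ciphertext = $salted->encrypt($plaintext);

# Check: salted ciphertext starts with the 8-byte "Salted__" marker,
# followed by the 8-byte random salt used to derive key and IV.
my $header = substr($ciphertext, 0, 8);
print "header: ", ($header eq 'Salted__' ? 'Salted__ (salted mode)' : 'no salt header'), "\n";

# A fresh object with the same options must read the salt back from the
# header and decrypt without any out-of-band state.
my $reader    = Crypt::CBC->new(-key => $key, -cipher => 'Rijndael', -salt => 1);
my $recovered = $reader->decrypt($ciphertext);
print "round trip: ", ($recovered eq $plaintext ? 'ok' : 'FAILED'), "\n";

# Encrypting the same message under the same key a second time yields a
# different ciphertext, because each run gets its own random salt and
# therefore its own derived key and IV.
my $again = Crypt::CBC->new(-key => $key, -cipher => 'Rijndael', -salt => 1)
                      ->encrypt($plaintext);
print "distinct ciphertexts: ", ($again ne $ciphertext ? 'yes' : 'no'), "\n";
```

Run it on a Sarge host with the old package installed and on one with the updated package; the header check is the quickest way to tell whether stored ciphertext was produced in salted mode, and the round-trip line confirms the workaround does not itself break decryption of data encrypted the same way.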