On Sun, Apr 13, 2014 at 11:51:41AM +0200, Martin Quinson wrote:
> Source: matrixssl
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> the version currently packaged in Debian is 5 years old, while many
> security issues were fixed in the upstream package meanwhile. I came
> to know the situation after reading the following research article:
> https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
>
> They showed that matrixssl is vulnerable to man-in-the-middle attacks
> with v1 certificates (page 2). Indeed, a new version of matrixssl
> (3.6.0) was released on april 9 to fix that issue.
>
> (the information is thus fully public already)
>
> But actually, since the currently packaged version is 1.8, released
> back in 2009, I'm not completely sure of whether this perticular flaw
> was already packaged at that time.
>
> In my mind, such an ancient "security"-related package is deceiving to
> our users. I think that this package should either be updated, or
> simply removed from the archive. But Jessie should not be released
> with that as is.
Agreed, the package is up for adoption since 2009 and noone stepped forward,
so let's proceed with removal from the archive.
Gerrit, ipvsd is the only reverse dependency. Can you fix it to use
polarssl or a different SSL lib?
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
