In linux.debian.devel, you wrote:
>> a lot of people bugged me about the new version and upstream only recommends
>> this version. It also closes a grave security bug.
>
> Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
> advisory about openssl recently, did you backport a patch to the sarge version
> (and preferably also, to the woody version) and inform the security team?

Christoph is probably referring to CAN-2005-2946 and bug #314465, which is about the fact that MD5 is the default digest algo in openssl. This bug has an inflated severity; it's not overly urgent.

There have been several collision attacks on MD5 (i.e. you can create a foo/bar pair, which share a common hash), but no second preimage attacks have been demonstrated so far (i.e. creating a bar, which shares a hash with a given foo). Several exploits have been derived from the basic collision attacks, though (google for Kaminsky or Daum/Lucks for some cool demonstrations), but it's not as grave as it might appear.

Upgrading to SHA-1 is still a good idea, of course, but no need to break things more than necessary.

Cheers,
Moritz
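
The collision versus second-preimage distinction drawn in the message above, as an added example that is not part of the original post: it truncates MD5 to a constructed 16-bit toy digest so both generic brute-force searches finish quickly and their costs can be compared. It shows only the generic bounds, not the cryptanalytic MD5 collision attacks the message refers to; the function names and the 16-bit size are assumptions made for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy digest size (assumption); real MD5 is 128 bits


def toy_digest(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(data): a deliberately tiny stand-in digest."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int = BITS):
    """Birthday search: the searcher picks BOTH messages (foo/bar pair)."""
    seen = {}
    for tries in count(1):
        msg = b"collide-%d" % tries
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """One message is fixed in advance; find a different one that matches it."""
    want = toy_digest(target, bits)
    for tries in count(1):
        msg = b"preimage-%d" % tries
        if msg != target and toy_digest(msg, bits) == want:
            return msg, tries


if __name__ == "__main__":
    foo, bar, c_tries = find_collision()
    print(f"collision:       {foo!r} / {bar!r} after {c_tries} digests "
          f"(generic bound ~2^{BITS // 2})")
    given = b"a given foo"  # constructed sample input
    other, p_tries = find_second_preimage(given)
    print(f"second preimage: {other!r} for {given!r} after {p_tries} digests "
          f"(generic bound ~2^{BITS})")
```

For an n-bit digest the generic collision search costs about 2^(n/2) digests while the second-preimage search costs about 2^n, which is why a hash's collision resistance is expected to fail long before existing signatures over fixed data become forgeable.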