On Tue, 2010-09-28 at 17:58 -0500, Jordon Bedwell wrote:
> On 09/28/2010 03:04 PM, Marsh Ray wrote:
> > On 09/24/2010 02:45 AM, Simon Josefsson wrote:
> > But that's a choice made by Debian. Call it release policy, procedure,
> > or whatever, Debian cannot use the existence of its own bureaucracy as a
> > justification for wrong action (or inaction).
> >
> > Microsoft has implemented the correct fix for this security bug,
> > Debian has not implemented the correct fix for this security bug.
> >
>
> It intrigues me to know that even with a new stable coming soon we still
> won't see a proper fix. With patches being available to vendors for so
> long I'm starting to wonder why it wasn't on the to-do list from the
> start as a /possible/ rerun and *must* fix on Squeeze.
Well, who uses GnuTLS as the server anyway? AFAIK the secure renegotiation
was especially a problem in the HTTPS case, and mod_gnutls isn't really
widely used. The vast majority of people out there would use mod_ssl, and
OpenSSL support for RFC 5746 has been added in 0.9.8m
(http://packages.debian.org/changelogs/pool/main/o/openssl/current/changelog)
which is indeed in testing and will be part of squeeze.

I'm not too sure the patch for renegotiation is straightforward to backport
and include in a stable release.

So yes, the situation could be better, but it doesn't look as bad as this
thread seems to imply.

Cheers,
--
Yves-Alexis
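The thread argues about which stacks ship RFC 5746 (secure renegotiation) but never shows what "supporting RFC 5746" looks like on the wire. The following is an added example, not code from the thread, Debian, GnuTLS or OpenSSL: it builds a TLS 1.2 ClientHello that advertises secure renegotiation through both signalling mechanisms the RFC defines (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite 0x00FF and an empty renegotiation_info extension, type 0xFF01), and parses a ServerHello to decide whether the server answered with renegotiation_info. The ServerHello bytes are constructed by a helper here, not captured from any real host; cipher suite 0x002F (TLS_RSA_WITH_AES_128_CBC_SHA) is just a placeholder value, and function names are this example's own.

```python
"""Check a TLS ServerHello for RFC 5746 secure renegotiation support.

Added example for the thread above; not taken from Debian, GnuTLS or
OpenSSL. All sample records below are constructed locally.
"""
import os
import struct

# RFC 5746 identifiers
RENEGOTIATION_INFO_EXT = 0xFF01              # extension type renegotiation_info
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value
TLS_1_2 = b"\x03\x03"


def build_client_hello(cipher_suites, secure_renego=True, client_random=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    With secure_renego=True the hello carries both the SCSV (for servers
    that do not parse extensions) and an empty renegotiation_info
    extension, the form RFC 5746 prescribes for an initial handshake.
    """
    suites = list(cipher_suites)
    extensions = b""
    if secure_renego:
        suites.append(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
        ext_data = b"\x00"   # renegotiated_connection<0..255> is empty on a first handshake
        extensions = struct.pack("!HH", RENEGOTIATION_INFO_EXT, len(ext_data)) + ext_data
    body = TLS_1_2 + (client_random or os.urandom(32)) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + TLS_1_2 + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(cipher_suite, with_renego, renego_data=b"\x00"):
    """Constructed sample ServerHello (deterministic random) used for the demo below."""
    body = TLS_1_2 + bytes(range(32)) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if with_renego:
        ext = struct.pack("!HH", RENEGOTIATION_INFO_EXT, len(renego_data)) + renego_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # HandshakeType server_hello
    return b"\x16" + TLS_1_2 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello; return version, suite and extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                   # server random
    sid_len = body[pos]; pos += 1 + sid_len     # session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method
    extensions = {}
    if pos < len(body):                         # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions[etype] = body[pos:pos + elen]; pos += elen
        if pos != end:
            raise ValueError("extension overruns extensions block")
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record):
    """True if the ServerHello carries an empty renegotiation_info (RFC 5746 initial handshake).

    A present but non-empty value on a first handshake is a protocol
    violation; RFC 5746 says the client must abort, so raise instead of
    silently treating the server as legacy.
    """
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO_EXT)
    if ext is None:
        return False
    if ext != b"\x00":
        raise ValueError("non-empty renegotiation_info in initial handshake; abort")
    return True


if __name__ == "__main__":
    print("client hello:", build_client_hello([0x002F]).hex())
    for flag in (True, False):
        rec = build_server_hello(0x002F, flag)
        print("server sends renegotiation_info:", supports_secure_renegotiation(rec))
```

A server that never sends renegotiation_info (the "False" branch) is exactly the case the thread worries about: a patched client can only refuse to renegotiate with it, not make the session safe. The same parser can be pointed at a ServerHello captured from a real mod_gnutls or mod_ssl host to see which one actually answers the SCSV.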