Hi,

I just tripped across this same problem yesterday. Which modules is it?
I'd like to fix this for OpenVMS.


                                Paul

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of dalini
Sent: Thursday, October 14, 2004 7:17 PM
To: [EMAIL PROTECTED]
Subject: openssl 0.9.7d as a security risk


hi folks,

i'm not that familiar with your release policy and your definition of
security and security-risks but i have a real certain issue about 0.9.7d

as far as i understand the release policy there will be new releases for
openssl 0.9.7 only in case of security problems with the software and so
there will be bugfixes in cvs but no new releases until a security
related problem gets fixed

you as the developers may be familiar with the current situation of
0.9.7d i guess, and therefore will know that the pkcs#7 part of openssl
0.9.7d is broken in the release but fixed (actually 10 days after it) in
the cvs branch of 0.9.7

as far as i understand, you don't consider the broken pkcs#7 a
security risk or break in terms of openssl

that's the point, where i really get stuck on your definitions of
security, security risks and safety of operational systems, it is for me
quite weird to be honest...


so everybody who relies on pkcs#7 operations - and uses an openssl
version prior to 0.9.7d and will update, will just break his whole
security infrastructure because he maybe does some suggested updates to
0.9.7d (because this fixes several security issues) and therefore will
kill himself instantly

of course, everybody should do tests before he upgrades sensitive parts
of his infrastructure and so on...

but a lot of current packages use openssl-0.9.7d since it's the stable
version, so on new systems you always have to patch the 'stable' and
'working' openssl, also a lot of projects that rely on openssl as the
base library have to bring a huge amount of support just to make clear
to users - DON'T USE 0.9.7d - because it's broken per default on the pkcs#7
part... the point is, usually nobody starts to search for
failures in a part of software declared as stable...

and so i really would like to see a new release of openssl 0.9.7 because
this is not a trustable situation actually - since one can't rely on
openssl stable releases and therefore on all published packages from
distributions which may use 0.9.7d

and i really can't understand how you can spread broken software, even
if it may be no security risk at first view, but actually i would
call this a security risk


greetings
dalini




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________