Bug#744351: matrixssl: Uterly old package, with many known security issues
On Sun, Apr 13, 2014 at 11:51:41AM +0200, Martin Quinson wrote: > Source: matrixssl > Severity: grave > Tags: security > Justification: user security hole > > Dear Maintainer, > > the version currently packaged in Debian is 5 years old, while many > security issues were fixed in the upstream package meanwhile. I came > to know the situation after reading the following research article: > https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf > > They showed that matrixssl is vulnerable to man-in-the-middle attacks > with v1 certificates (page 2). Indeed, a new version of matrixssl > (3.6.0) was released on april 9 to fix that issue. > > (the information is thus fully public already) > > But actually, since the currently packaged version is 1.8, released > back in 2009, I'm not completely sure of whether this perticular flaw > was already packaged at that time. > > In my mind, such an ancient "security"-related package is deceiving to > our users. I think that this package should either be updated, or > simply removed from the archive. But Jessie should not be released > with that as is. Agreed, the package is up for adoption since 2009 and noone stepped forward, so let's proceed with removal from the archive. Gerrit, ipvsd is the only reverse dependency. Can you fix it to use polarssl or a different SSL lib? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#744351: matrixssl: Uterly old package, with many known security issues
Source: matrixssl Severity: grave Tags: security Justification: user security hole Dear Maintainer, the version currently packaged in Debian is 5 years old, while many security issues were fixed in the upstream package meanwhile. I came to know the situation after reading the following research article: https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf They showed that matrixssl is vulnerable to man-in-the-middle attacks with v1 certificates (page 2). Indeed, a new version of matrixssl (3.6.0) was released on april 9 to fix that issue. (the information is thus fully public already) But actually, since the currently packaged version is 1.8, released back in 2009, I'm not completely sure of whether this perticular flaw was already packaged at that time. In my mind, such an ancient "security"-related package is deceiving to our users. I think that this package should either be updated, or simply removed from the archive. But Jessie should not be released with that as is. Bye, Mt. -- System Information: Debian Release: jessie/sid APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- La drogue était un milieu plutôt sain avant que le sport ne s'en mêle. signature.asc Description: Digital signature