Re: Serious bug in security update for Crypt::CBC

2006-03-15 Thread Kjetil Kjernsmo
Hi all!

Sorry to be jumping in without preserving the In-Reply-To.

Allard Hoeve wrote:
> I'm afraid this new package introduces some serious errors in software
> that depends on this package. I have tested the new package on three
> different Sarge machines with the following results. Please reproduce
> using attached perl script.

This bug jumped up and bit us too during testing, and it has been 
reported as bug #356810: http://bugs.debian.org/356810
so, it is now clear that it poses a serious problem for users, as it 
breaks the default behaviour.

However,
> Please remove the update from the security archive.

...it is not that simple. If you read the original advisory:
http://www.securityfocus.com/archive/1/archive/1/425966/100/0/threaded
you'll see that we have (indirectly) been relying on weak and 
deprecated behaviour. While this is not the sort of breakage you expect 
from stable, it underlines that security is not just about blindly 
upgrading packages. 

So, it is probably better to get a heads-up from something that breaks 
down than getting the heads up from someone who breaks in... :-)

The problem in this case is that we don't know if it is serious:
> The difficulty of breaking data encrypted using this flawed algorithm
> is unknown, but it should be assumed that all information encrypted
> in this way has been, or could someday be, compromised.

Given that the upgrade certainly breaks stable, a DSA could have 
suggested the workaround as the correct path for sysadmins:
> If using Crypt::CBC versions 2.16 and lower, pass the -salt=>1 option
> to Crypt::CBC->new().
I.e., say you should do this now to upgrade your systems. 

Many users are likely to be bit by this upgrade, so, indeed, it may be a 
reasonable path to remove the security upgrade and instead suggest the 
workaround.

Best,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
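
Added example, not part of the thread and not Crypt::CBC's own code: a small audit script that sorts stored ciphertexts by whether they were written with or without the -salt option named in the workaround above. It assumes the two stream headers Crypt::CBC prepends (`RandomIV` plus an 8-byte IV without -salt, `Salted__` plus an 8-byte salt with it), which the thread does not spell out; the function names and sample blobs are constructed for illustration.

```python
import base64

# Stream headers Crypt::CBC prepends to ciphertext (assumption from the
# module's behaviour, not stated in the thread):
#   without -salt: "RandomIV" + 8-byte IV;  with -salt=>1: "Salted__" + 8-byte salt
LEGACY_MAGIC = b"RandomIV"
SALTED_MAGIC = b"Salted__"
HEADER_LEN = 16  # 8-byte magic + 8-byte IV or salt


def from_text(text):
    """Decode a ciphertext stored as hex or base64 text into raw bytes."""
    compact = "".join(text.split())
    try:
        return bytes.fromhex(compact)
    except ValueError:
        return base64.b64decode(compact, validate=True)


def classify(raw):
    """Return (mode, iv_or_salt_hex, body_length) for one ciphertext."""
    if len(raw) < HEADER_LEN or raw[:8] not in (LEGACY_MAGIC, SALTED_MAGIC):
        return ("no-header", None, len(raw))
    mode = "unsalted" if raw[:8] == LEGACY_MAGIC else "salted"
    return (mode, raw[8:HEADER_LEN].hex(), len(raw) - HEADER_LEN)


def audit(blobs):
    """Classify every named blob; also list those written without -salt."""
    report = {name: classify(raw) for name, raw in blobs.items()}
    unsalted = sorted(n for n, r in report.items() if r[0] == "unsalted")
    return report, unsalted


# Constructed samples: only the header layout is meaningful, the bodies
# are filler bytes, not real cipher output.
SAMPLES = {
    "session.bin": LEGACY_MAGIC + bytes(range(8)) + b"\xaa" * 8,
    "token.hex": from_text((SALTED_MAGIC + b"\x01" * 8 + b"\xbb" * 16).hex()),
    "cookie.b64": from_text(
        base64.b64encode(LEGACY_MAGIC + b"\x02" * 8 + b"\xcc" * 8).decode()),
    "raw.bin": b"\xdd" * 24,
}

if __name__ == "__main__":
    report, unsalted = audit(SAMPLES)
    for name, (mode, value, size) in sorted(report.items()):
        print(f"{name:12} {mode:10} iv/salt={value} body={size}B")
    print("written without -salt:", ", ".join(unsalted))
```

Blobs reported as "no-header" carry neither marker, so the script cannot say how they were produced.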




Serious bug in security update for Crypt::CBC

2006-03-14 Thread Allard Hoeve


Dear Martin,


From: Martin Schulze [EMAIL PROTECTED]
Reply-To: debian-security@lists.debian.org
To: Debian Security Announcements debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 996-1] New Crypt::CBC packages fix cryptographic
weakness

For the stable distribution (sarge) this problem has been fixed in
version 2.12-1sarge1.


I'm afraid this new package introduces some serious errors in software 
that depends on this package. I have tested the new package on three 
different Sarge machines with the following results. Please reproduce 
using attached perl script.


It is the simplest of perl scripts and it functions correctly with 
libcrypt-cbc-perl version 2.12-1:



[EMAIL PROTECTED]:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii  libcrypt-cbc-p 2.12-1 Implementation of cipher block 
[EMAIL PROTECTED]:~$ perl crypt-decrypt.pl

allard
[EMAIL PROTECTED]:~$


After the upgrade to libcrypt-cbc-perl version 2.12-1sarge1:


[EMAIL PROTECTED]:~$ sudo apt-get install libcrypt-cbc-perl=2.12-1sarge1
[..]
[EMAIL PROTECTED]:~$ dpkg -l libcrypt-cbc-perl | grep '^ii'
ii  libcrypt-cbc-p 2.12-1sarge1   Implementation of cipher block 
[EMAIL PROTECTED]:~$ perl crypt-decrypt.pl


[EMAIL PROTECTED]:~$


Please remove the update from the security archive.

Regards,

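Allard Hoeve

#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;

# Encrypt with the default settings (no salt option given).
my $cbc       = Crypt::CBC->new({ key => 'abcdefghi', cipher => 'Blowfish' });
my $encrypted = $cbc->encrypt('allard');

undef $cbc;

# Decrypt with a fresh object built from the same key and cipher.
$cbc          = Crypt::CBC->new({ key => 'abcdefghi', cipher => 'Blowfish' });
my $decrypted = $cbc->decrypt($encrypted);

# Prints "allard" when the round trip works.
print "$decrypted\n";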