Debian OpenSSL vulnerability

Robert Connolly robert at
Mon Jun 2 18:06:55 PDT 2008

No, HLFS never used the modification Debian used on OpenSSL to cause this 
entropy vulnerability.

This bug began with a false positive from Valgrind/Purify-like code checker 
software, and was eagerly fixed by the Debian maintainers with the best of 
intentions. In hindsight, this modification should have been sent to the 
OpenSSL group as a bugfix, where it should have been properly reviewed and 
found to be a false positive.

HLFS has done what it can to prevent this sort of bug from occurring. A while 
ago I started documenting patches, sending them upstream to developers for 
review so they could give constructive feedback (this doesn't always happen, 
but it shouldn't stop us from trying). So whether the patch is accepted or 
rejected, it will hopefully get looked at by someone with a different 
perspective. Furthermore, the modifications HLFS has on OpenSSL indisputably 
increase available entropy. The HLFS modifications to OpenSSL do not change 
any code, they enable additional code intended for OpenBSD to increase 
available entropy sources.

I have always been very carefull with changes the OpenSSL package because I 
too do not want keys I make today to be vulnerable ten years from now.

One day the shoe may be on the other foot. This bug was caused by the best of 
intentions on Debian's part, and I sincerely hope they do not become 
discouraged by it.


On Monday June 2 2008 12:15:57 pm Aki Tuomi wrote:
> Is HLFS in any way affected by this?
> Aki Tuomi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list