Debian OpenSSL vulnerability
robert at linuxfromscratch.org
Mon Jun 2 18:06:55 PDT 2008
No, HLFS never used the modification Debian used on OpenSSL to cause this
This bug began with a false positive from Valgrind/Purify-like code checker
software, and was eagerly fixed by the Debian maintainers with the best of
intentions. In hindsight, this modification should have been sent to the
OpenSSL group as a bugfix, where it should have been properly reviewed and
found to be a false positive.
HLFS has done what it can to prevent this sort of bug from occurring. A while
ago I started documenting patches, sending them upstream to developers for
review so they could give constructive feedback (this doesn't always happen,
but it shouldn't stop us from trying). So whether the patch is accepted or
rejected, it will hopefully get looked at by someone with a different
perspective. Furthermore, the modifications HLFS has on OpenSSL indisputably
increase available entropy. The HLFS modifications to OpenSSL do not change
any code, they enable additional code intended for OpenBSD to increase
available entropy sources.
I have always been very careful with changes to the OpenSSL package because I
too do not want keys I make today to be vulnerable ten years from now.
One day the shoe may be on the other foot. This bug was caused by the best of
intentions on Debian's part, and I sincerely hope they do not become
discouraged by it.
On Monday June 2 2008 12:15:57 pm Aki Tuomi wrote:
> Is HLFS in any way affected by this?
> Aki Tuomi