Re: [FOSS-Nepal] Re: OpenSSL bug
nepbabu
:
: Hi foss,
:
: The Debian policy (4.3 Changes to the upstream sources) gives absolute
: right to change but also tells that patches should be sent to the
: upstream authors in whatever the maintainer prefer! It doesn't specify
: that the patches should be sync only if changes are accepted by
: mainstream author. In this (now infamous OpenSSL) vulnerable changes
: were sent and only been in limited discussin with upsream. According
And it seems the upstream OpenSSL dev in context actually agreed to the Debian commit (since technically, they can't do much about a dd deciding on introducing a bug in debian version of OpenSSL package anyway). Sad. And since Ubuntu borrows packages from Debian, it too got sick.
: to Debian Wiki, The openssl team didn't raised any objection on the
: change but in reality it was not really accepted officially. It was
: just a workaround to supress valgrind warnings.
Afaik, that was the exact reason why the dd in context committed a code that actually did nothing to gather entropy needed by the prng implementation; instead, the dd just decided to suppress valgrind warnings by commenting (#ifndefin'g) out the code that was complaining. How smart!
: I was shocked for the sake of valgrind annoying msg (whatever debian
: tells you good about work around i don't care!) why they came up such
: stupid idea to change the md_rand.c. Why someone dare to change things
: which they really don't know what they are doing for?
Only $deity knows why one handles src like a c**d**m and futher I fail to understand why someone was given in-charge of handling such a critical code (wiki says misunderstanding but never mind.. *sigh* :-( ) That dd was supposed to communicate the changes back to the upstream or so I heard but it seems they never took him seriously or sth (for good since the impact was limited only to debian distribution & its derivatives!).
: The PRNG in Debian's openssl package is predictable and its a serious
: threat for all the debian or debian derive distros. The changes made
: on May 6th, 2006 and God knows there is 0-days exploits ready?
Afaik that it is. I've already patched my OpenSSL et. al for ubuntu & debian. Btw, this bug only affects the packages that relies on OpenSSL (calls the 'MD_Update(...)' inside libssl in any manner). Also, no :-), that does not include GPG (see the original post for more information). Just FYI, 0-day refers to the exploits that have no known patch available. Lastly, I see no reason otherwise to not patch it.
--------
Cheers,
Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
Journal: http://nepbabu.livejournal.com || pubkey: see header
"Rule 6: There is no Rule 6." - Rob Pike
"Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet