[Bug 493392] Re: Please merge Openssl 0.9.8k-6 from debian testing
Marc Deslauriers
marc.deslauriers at ubuntu.com
Mon Dec 7 03:12:44 GMT 2009
Warning: this is the version that has ssl renegotiation completely
disabled as a fix for CVE-2009-3555. This may break applications that we
support.
From the openssl changelog:
*) Disable renegotiation completely - this fixes a severe security
problem at the cost of breaking all renegotiation. Renegotiation
can be re-enabled by setting
OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION at
compile-time. This is really not recommended.
[Ben Laurie]
This will probably break anything that uses DTLS, and postgresql.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555
--
Please merge Openssl 0.9.8k-6 from debian testing
https://bugs.launchpad.net/bugs/493392