possible SSL compromise

possible SSL compromise

Hendrik Boom-2
I've just heard about a potential vulnerability in OpenSSL.  See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
version of this problem.

In particular, the message states

all
keys used with vulnerable processes will need to be replaced both in
Debian infrastructure and by all users of this package.

I'm wondering whether monotone use is affected by this problem.  I
don't know if it even uses OpenSSL or some other signature mechanism.

-- hendrik


_______________________________________________
Monotone-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/monotone-devel
Re: possible SSL compromise

Zbigniew Zagórski
Hello,

On Tue, Apr 8, 2014 at 9:25 PM, Hendrik Boom <[hidden email]> wrote:

>
> I've just heard about a potential vulnerability in OpenSSL.  See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
> version of this problem.
>
> In particular, the message states
>
> all
> keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
>
> I'm wondering whether monotone use is affected by this problem.

Monotone doesn't use TLS, and thus not the openssl implementation of TLS, and the
bug in question is specific to the TLS _extension implementation_ in openssl.
This is "plain old" buffer overrun, or in this case buffer "overrun" ... [1]

> I don't know if it even uses OpenSSL

No, it uses botan but only for primitive crypto methods. Monotone's netsync
protocol and its implementation have other ... yet unknown bugs :)

[1] thorough bug analysis for the curious:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

--
Zbigniew Zagórski
/ software developer / geek / http://zbigg.blogspot.com /
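
The buffer "overrun" mentioned in the reply above, seen from the receiving side, as an added example that is not part of the original post and is not OpenSSL or monotone code: a handler for the RFC 6520 heartbeat message layout that checks the claimed payload length against the bytes actually received before copying. The names `hb_respond` and `hb_try` and both sample records are constructed for illustration.

```c
/* Added illustration, not OpenSSL or monotone code. RFC 6520 layout:
 * type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3u   /* type + payload_length */
#define HB_MIN_PAD  16u

/* Build a response in out. Returns bytes written, or -1 when the
 * request must be discarded without a reply. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;                 /* cannot hold even an empty message */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Without this check the memcpy below reads past the received record:
     * the sender chooses `claimed`, the receiver only holds rec_len bytes. */
    if (claimed > rec_len - HB_HDR - HB_MIN_PAD)
        return -1;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* bounded by rec_len */
    /* RFC 6520 asks for random padding; zeros keep the example deterministic. */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD);
    return (long)resp_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t honest_rec[] = { 1, 0x00, 0x04, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };   /* claims 4 bytes, carries 4 */
static const uint8_t lying_rec[]  = { 1, 0x40, 0x00, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };   /* claims 16384 bytes, carries 4 */

static uint8_t hb_out[64];
long hb_try(const uint8_t *rec, size_t n) { return hb_respond(rec, n, hb_out, sizeof hb_out); }

int main(void)
{
    printf("honest record -> %ld\n", hb_try(honest_rec, sizeof honest_rec));
    printf("lying record  -> %ld\n", hb_try(lying_rec, sizeof lying_rec));
    return 0;
}
```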

Re: possible SSL compromise

Hendrik Boom-2
On Wed, Apr 09, 2014 at 08:42:18AM +0200, Zbigniew Zagórski wrote:

> Hello,
>
> On Tue, Apr 8, 2014 at 9:25 PM, Hendrik Boom <[hidden email]> wrote:
> >
> > I've just heard about a potential vulnerability in OpenSSL.  See
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
> > version of this problem.
> >
> > In particular, the message states
> >
> > all
> > keys used with vulnerable processes will need to be replaced both in
> > Debian infrastructure and by all users of this package.
> >
> > I'm wondering whether monotone use is affected by this problem.
>
> Monotone doesn't use TLS, and thus not the openssl implementation of TLS, and the
> bug in question is specific to the TLS _extension implementation_ in openssl.
> This is "plain old" buffer overrun, or in this case buffer "overrun" ... [1]

Good.  One less thing to worry about resecuring.

-- hendrik
