CA.pl and openssl.cnf default to insecure MD5 digest

Bug #19835 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
openssl (Debian)   Fix Released   Unknown
openssl (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #314465 http://bugs.debian.org/314465

Revision history for this message
In , Christoph Martin (martin-uni-mainz) wrote : [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

Hi folks,

can you please comment on this bug report I got via the Debian
bug-tracking system. This is the first time that I heard someone saying
that the theoretical weakness of md5 is a real security hole.

Christoph
--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Package: openssl
Version: 0.9.7e-3
Severity: grave
Tags: security
Justification: user security hole

openssl.cnf defaults to usage of MD5 as digest algorithm for generation
of certificates and CAs. MD5 must be considered broken beyond hope,
we're not just talking about theoretical attacks, but attacks feasible
for everybody. X.509 keys with colliding checksums (and thus false
certificates) have been shown. See:

http://www.cits.rub.de/MD5Collisions/

for another example.

Unfortunately, there seem to be problems with RIPEMD160 in practice
(e.g. the Debian Thunderbird package doesn't understand RIPEMD160). So
the only reasonable choice at the moment is SHA-1, even though SHA-1 has
been theoretically weakened already, and RIPEMD160 would be preferable.
I suggest adding

default_md: sha-1

in the req and ca sections of openssl.cnf, and talking the upstream
maintainers into supporting SHA-384 or SHA-512.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7e-3 SSL shared libraries

-- no debconf information
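
An added example (not part of the original report and not OpenSSL code): a small Python audit that reads openssl.cnf-style text, follows default_ca from the ca section, and reports the default_md in effect for the req and CA sections. Both sample files are constructed and use the "name = value" form that openssl.cnf takes; the function names and the weak/legacy/strong grouping are assumptions of this example.

```python
import re

# Grouping is this example's assumption, following the thread: MD5 is broken,
# SHA-1 is the 2005 stopgap, the SHA-2 family is the target.
WEAK = {"md2", "md4", "md5"}
LEGACY = {"sha1"}
STRONG = {"sha224", "sha256", "sha384", "sha512"}

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")

# Constructed sample modelled on the layout the report describes (not a real file).
SAMPLE_BEFORE = """\
HOME = .
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
default_md = md5        # which md to use
[ req ]
default_bits = 1024
"""

# Constructed sample with the change the report asks for.
SAMPLE_AFTER = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha1
[ req ]
default_md = sha1
"""


def parse_cnf(text):
    """Read openssl.cnf-style text into {section: {key: value}}.

    Simplified: '#' starts a comment anywhere, no $variable expansion, no includes.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def classify(value):
    """Map a default_md value to (normalised digest, verdict)."""
    if value is None:
        return (None, "unset")  # digest is not pinned by this file
    # Accept hyphenated spellings such as the report's "sha-1".
    digest = value.lower().replace("-", "")
    for verdict, names in (("weak", WEAK), ("legacy", LEGACY), ("strong", STRONG)):
        if digest in names:
            return (digest, verdict)
    return (digest, "unknown")


def audit_default_md(text):
    """Report default_md for [req] and for the section [ca] names via default_ca."""
    cfg = parse_cnf(text)
    targets = ["req"]
    ca_section = cfg.get("ca", {}).get("default_ca")
    if ca_section:
        targets.append(ca_section)
    return {name: classify(cfg.get(name, {}).get("default_md")) for name in targets}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for section, (digest, verdict) in audit_default_md(sample).items():
            print(f"{label}: [{section}] default_md={digest} -> {verdict}")
```

An "unset" verdict means the file does not pin the digest, so the tool's own default applies; the upstream reply in this thread notes that 0.9.7 keeps MD5 as that default.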

Revision history for this message
In , Christoph Martin (martin-uni-mainz) wrote : [Fwd: [openssl.org #1128] [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]]

--
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

The default digest in 0.9.8 and the cvs head is SHA-1
(we didn't change 0.9.7 as we didn't want to break existing
implementations depending on the default digest being MD5).
About SHA-256 etc. : they are included in the soon to
appear 0.9.8.

Cheers,
Nils

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 16 Jun 2005 15:04:29 +0200
From: Andreas Bogk <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CA.pl and openssl.cnf default to insecure MD5 digest

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 22 Jun 2005 14:20:51 +0200
From: Christoph Martin <email address hidden>
To: <email address hidden>
CC: <email address hidden>
Subject: [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Jun 2005 10:32:34 +0200
From: Christoph Martin <email address hidden>
To: <email address hidden>
Subject: [Fwd: [openssl.org #1128] [Fwd: Bug#314465: CA.pl and openssl.cnf
 default to insecure MD5 digest]]

Revision history for this message
Martin Pitt (pitti) wrote :

It is still not entirely clear how much would break if we change the default. We
should do this in Breezy for now and wait a bit before changing this in stables
(if it is required at all).

Revision history for this message
Martin Pitt (pitti) wrote :

 openssl (0.9.7g-1ubuntu1) breezy; urgency=low
 .
   * apps/openssl.cnf: Change CA and req default message digest algorithm to
     SHA-1 since MD5 is deemed insecure. (Ubuntu #13593)

Leaving open as a reminder to check if we really need to fix this in stables.

Revision history for this message
Martin Pitt (pitti) wrote :

stables fixed in USN-179-1.

Revision history for this message
In , Christoph Martin (martin-uni-mainz) wrote : Re: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest

severity 314465 important
quit

Version 0.9.8 will fix this bug. The default will be SHA1 and SHA-256
etc. will be included.

I downgrade the severity temporarily to important to allow Version 0.9.7
to enter testing before I upload the new upstream 0.9.8.

Christoph

Andreas Bogk wrote:
> Package: openssl
> Version: 0.9.7e-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> openssl.cnf defaults to usage of MD5 as digest algorithm for generation
> of certificates and CAs. MD5 must be considered broken beyond hope,
> we're not just talking about theoretical attacks, but attacks feasible
> for everybody. X.509 keys with colliding checksums (and thus false
> certificates) have been shown. See:
>
> http://www.cits.rub.de/MD5Collisions/
>
> for another example.
>
> Unfortunately, there seem to be problems with RIPEMD160 in practice
> (e.g. the Debian Thunderbird package doesn't understand RIPEMD160). So
> the only reasonable choice at the moment is SHA-1, even though SHA-1 has
> been theoretically weakened already, and RIPEMD160 would be preferable.
> I suggest adding
>
> default_md: sha-1
>
> in the req and ca sections of openssl.cnf, and talking the upstream
> maintainers into supporting SHA-384 or SHA-512.
>
> -- System Information:
> Debian Release: 3.1
> Architecture: i386 (i686)
> Kernel: Linux 2.6.8-2-686
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
>
> Versions of packages openssl depends on:
> ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
> ii libssl0.9.7 0.9.7e-3 SSL shared libraries
>
> -- no debconf information

--
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 14 Sep 2005 10:13:50 +0200
From: Christoph Martin <email address hidden>
To: Andreas Bogk <email address hidden>, <email address hidden>
CC: <email address hidden>
Subject: Re: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest

Revision history for this message
In , Kurt Roeckx (kurt-roeckx) wrote :

Can this be closed now that 0.9.8 has made it to the archive?

Kurt

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 1 Nov 2005 20:51:13 +0100
From: Kurt Roeckx <email address hidden>
To: <email address hidden>
Subject: Re: CA.pl and openssl.cnf default to insecure MD5 digest

Revision history for this message
In , Christoph Martin (martin-uni-mainz) wrote : Re: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest

Hi Kurt,

Kurt Roeckx wrote:
> Can this be closed now that 0.9.8 has made it to the archive?

I don't think so. The bug is still present in sarge and will not be
fixed. It should stay open until sarge is obsolete and should have a tag
sarge and wontfix.

Christoph
--
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 02 Nov 2005 09:38:59 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>,
 "Package Development List for OpenSSL packages." <email address hidden>
Subject: Re: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default
 to insecure MD5 digest

Revision history for this message
In , Kurt Roeckx (kurt-roeckx) wrote : Re: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest

On Wed, Nov 02, 2005 at 09:38:59AM +0100, Christoph Martin wrote:
> Hi Kurt,
>
> Kurt Roeckx wrote:
> > Can this be closed now that 0.9.8 has made it to the archive?
>
> I don't think so. The bug is still present in sarge and will not be
> fixed. It should stay open until sarge is obsolete and should have a tag
> sarge and wontfix.

The proper way to do this would be to close it with the proper
version. It will still be marked as existing in sarge.

Kurt

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 2 Nov 2005 17:50:50 +0100
From: Kurt Roeckx <email address hidden>
To: Christoph Martin <email address hidden>, <email address hidden>,
 "Package Development List for OpenSSL packages." <email address hidden>
Subject: Re: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure
 MD5 digest

Revision history for this message
In , Christoph Martin (martin-uni-mainz) wrote : [Fwd: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]

version 0.9.8-1

--
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail: <email address hidden>
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 03 Nov 2005 09:35:59 +0100
From: Christoph Martin <email address hidden>
To: <email address hidden>
Subject: [Fwd: Bug#314465: [Pkg-openssl-devel] Bug#314465: CA.pl and openssl.cnf
 default to insecure MD5 digest]

Revision history for this message
In , Kurt Roeckx (kurt-roeckx) wrote :

reopen 314465
close 314465 0.9.8-1
thanks

It seems you've used "version 0.9.8-1", instead of
"Version: 0.9.8-1". It wasn't marked as fixed in 0.9.8-1.

Kurt

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 3 Nov 2005 18:02:15 +0100
From: Kurt Roeckx <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: CA.pl and openssl.cnf default to insecure MD5 digest
