Joey Hess [2004-10-25 16:00 -0400]:
> The der_chop script that is in the source only of openssl (not in any
> debs) is vulnerable to a file in /tmp security hole, according to
> CAN-2004-0975:
This is not quite correct, the script is shipped as
/usr/lib/ssl/misc/der_chop, together with some other auxiliary
scripts. Therefore I increase the severity.
I prepared a patch for Ubuntu Warty and Hoary. The Hoary package is
the same version as in Debian Sid/Sarge, so the patch should apply
without problems. Just be sure to adapt the version number.
severity 278260 grave
tag 278260 patch
thanks
The patch is at
http://patches.ubuntulinux.org/patches/openssl.CAN-2004-0975.diff
Please do not use the RedHat patch (with doing things like
`mktemp ..`); this is flawed and a bit too much overhead. The Perl
module File::Temp is portable and works fine. Please also submit this
patch upstream.
Thanks,
Martin
-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
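
An added example, not taken from the message above, from the linked patch or from the openssl sources: a Perl sketch of why a predictable scratch-file name in a shared temporary directory is unsafe and how File::Temp, the module recommended in the message, avoids the problem. All file names are constructed, and a private sandbox directory stands in for /tmp.

```perl
#!/usr/bin/perl
# Added illustration; not der_chop's code. All names here are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for /tmp so the demo touches nothing else.
my $sandbox = tempdir(CLEANUP => 1);

# A file the script's user owns and does not want overwritten.
my $victim = "$sandbox/important.txt";
open(my $v, '>', $victim) or die "create $victim: $!";
print {$v} "keep me\n";
close($v);

# Unsafe pattern: the name depends only on the PID, so another local user
# can create it first. Here a symlink is already waiting at that name.
my $predictable = "$sandbox/chop$$.tmp";
symlink($victim, $predictable) or die "symlink: $!";

# Plain open() for writing follows the link and truncates its target.
open(my $bad, '>', $predictable) or die "open $predictable: $!";
print {$bad} "scratch data\n";
close($bad);
printf "after unsafe open, victim holds: %s", slurp($victim);

# Safe pattern: File::Temp picks a random name and creates the file with
# O_CREAT|O_EXCL, so an existing file or symlink is never reused.
my ($fh, $name) = tempfile('chopXXXXXX', DIR => $sandbox, UNLINK => 1);
print {$fh} "scratch data\n";
close($fh);
printf "File::Temp created %s (symlink? %s)\n", $name, (-l $name ? 'yes' : 'no');

# Read a whole file into a string.
sub slurp {
    my ($path) = @_;
    open(my $in, '<', $path) or die "read $path: $!";
    local $/;
    my $data = <$in>;
    close($in);
    return $data;
}
```

When auditing other helper scripts for the same class of bug, look for temporary paths built from `$$` or other guessable values and opened without exclusive creation.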