tech-security archive
Re: NetBSD Security Advisory 2010-002: OpenSSL TLS renegotiation man in the middle vulnerability
On Wed, Jan 13, 2010 at 09:02:50AM -0600, Jeremy C. Reed wrote:
> On Wed, 13 Jan 2010, NetBSD Security Officer wrote:
>
> > Version: NetBSD-current: affected prior to 2009-12-04
> > NetBSD 5.0: affected
> > NetBSD 4.0.*: affected
> > NetBSD 4.0: affected
> > pkgsrc: openssl package prior to x.y.z
>
> What is "x.y.z" ? 0.9.8l ??
I'm concerned -- very concerned -- about the advice to upgrade to
0.9.8l. OpenSSL 0.9.8l introduces an API/ABI incompatibility with
both 0.9.8k and 1.0/openssl-current, because they changed their minds
about how to control renegotiation but didn't update the 0.9.8l
release!
It will be a huge compatibility mess if many people start using 0.9.8l
with its unique API.
I think pkgsrc probably should switch to the openssl 1.0 branch at
this time even though it is still technically "beta".
--
Thor Lancelot Simon
tls%rek.tjls.com@localhost
"All of my opinions are consistent, but I cannot present them all
at once." -Jean-Jacques Rousseau, On The Social Contract