Hi, just got around now to see this:
If you would not mind, I would also propose striking out the HeartBleed check from debian/rules in 3.0.x, to be able to install it on Debian 9. Otherwise, the dependencies are not satisfied, and Debian 9 refuses to install the packages. [...] -# Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160).
-ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
- SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
-else
- SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
-endif
That can't happen, sorry. The server must be secure, even if the underlying OS uses vulnerable versions of OpenSSL.
This is a non-issue, right? At least with Debian stable, the security team ususally fixes such vulnerabilities inside the code of an existing version and afterwards distributes the fixed source and binary with a specific sub-versioning (Ubuntu much the same, AFAIK). So this is what the above checks address in the most accurate way. E.g. with Debian 8 (Jessie) you have openssl 1.0.1t-1+deb8u6 which is way more modern than the version required by rules. BTW, they also have done exactly this quite recently to FR3.0.12, citing their Announcement: ----------- From Debian Security Announcements 2017-08-11 ----------------------- All those issues are covered by this single DSA, but it's worth noting that not all issues affect all releases: - CVE-2017-10978 and CVE-2017-10983 affect both jessie and stretch - CVE-2017-10979, CVE-2017-10980, CVE-2017-10981 and CVE-2017-10982 affect only jessie - CVE-2017-10984, CVE-2017-10985, CVE-2017-10986 and CVE-2017-10987 affect only stretch. For the oldstable distribution (jessie), these problems have been fixed in version 2.2.5+dfsg-0.2+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 3.0.12+dfsg-5+deb9u1. ---------------------------------------------------------------------------------- So they still distribute 3.0.12, but with everything fixed. This way of incorporating security-related bug fixes into source is interesting in a number of ways: - Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply changed the default config by removing the entire cache {} section from the eap config file. --> quick, simple, and non-disruptive (could only hamper performance in special cases) - For the fuzzing issues found in 3.0.14, they incorporated the fixes into their 3.0.12 source tree -- but it took them 11 days in this case. This includes extensive tests, though. So once the update is there, you can install it almost blindly. - Not everyone likes his sources changed "silently". This had lead to Mozilla forcing Debian to rename their security-patched version of Firefox to Iceweasel and Thunderbird to Icedove. cf. https://lwn.net/Articles/676799/ (this is about how the dispute was finally resolved) Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg