[Secure-testing-team] Bug#744351: matrixssl: Uterly old package, with many known security issues
Martin Quinson
martin.quinson at loria.fr
Sun Apr 13 09:51:41 UTC 2014
Source: matrixssl
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
the version currently packaged in Debian is 5 years old, while many
security issues were fixed in the upstream package meanwhile. I came
to know the situation after reading the following research article:
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
They showed that matrixssl is vulnerable to man-in-the-middle attacks
with v1 certificates (page 2). Indeed, a new version of matrixssl
(3.6.0) was released on april 9 to fix that issue.
(the information is thus fully public already)
But actually, since the currently packaged version is 1.8, released
back in 2009, I'm not completely sure of whether this perticular flaw
was already packaged at that time.
In my mind, such an ancient "security"-related package is deceiving to
our users. I think that this package should either be updated, or
simply removed from the archive. But Jessie should not be released
with that as is.
Bye, Mt.
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
La drogue était un milieu plutôt sain avant que le sport ne s'en mêle.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20140413/cd0cf95b/attachment.sig>
More information about the Secure-testing-team
mailing list