
cacert-sysadm - Re: URGENT OpenSSL flaw Fwd: [Discuss] [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Philipp Gühring <pg AT futureware.at>
  • Cc: critical-admin AT cacert.org, iang AT cacert.org, iang AT iang.org, cacert-sysadm AT lists.cacert.org
  • Subject: Re: URGENT OpenSSL flaw Fwd: [Discuss] [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.
  • Date: Fri, 20 Apr 2012 11:14:01 +0200
  • Organization: CAcert

On 19.04.2012 17:17, Philipp Gühring wrote:
> I think CAcert is directly affected by this bug, and we should upgrade to
> OpenSSL 1.0.1a immediately. If we want to wait for Debian packages,
> then we should turn off the webdb until Debian packages are available.
> 
> http://openssl.org/news/
> http://openssl.org/news/secadv_20120419.txt

The critical sysadmin team studied the OpenSSL security advisory last
night and determined that it would be prudent to install a patched version
of OpenSSL as soon as possible, but that it would be overkill to turn off
the webdb service during the time needed to create/acquire and evaluate a
patch. After that we started working on building an update from the new
OpenSSL source directly via the Debian packaging tools, but this approach
turned out to be full of problematic issues, thus blocking a working patch.
With the release of an official patch from Debian for the Squeeze release,
our work became much simpler: we evaluated the suitability of this
patch for the current Debian Lenny environment of the webdb server and
determined that it could be installed successfully without problems.
So the patch was activated on the webdb server on April 20, 8:25 GMT.

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
