Did you restart after the update? It may be necessary for BOINC to update the curl/openssl link.
That did it. Pardon my ignorance, but I couldn't easily figure out how to restart the boinc client, so I just rebooted the system. As soon as I tried a project update it grabbed a couple new tasks.
Are there any possible security risks with holding back this package? Will the package eventually be updated to fix the problem on Debian and Raspbian?
The maintainer of the package is working on an update, but there is a systematic problem, as it was never anticipated to include a removed certificate again. A security risk is that you have several 1024-bit certificates on your computer that use a weak signature. As far as I know there are no attacks going on right now that are aimed at websites using 1024-bit certificates. As soon as that is the case we will re-evaluate our advice.
A new openssl version (that has a fix for this problem) is already accepted into stable proposed updates. It shouldn't be long until this is available in the normal stable repository.
I was informed that with the update to Debian Jessie 8.5 on June 4th a new OpenSSL version was introduced that fixes the problem with certificate validation. You can now unhold the ca-certificates package and update to 8.5 like this:
Thanks for the update!