Your message dated Fri, 6 May 2016 14:37:14 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#779669: OpenSSL: consider completely disabling EXPORT cipher suites
has caused the Debian Bug report #779669,
regarding OpenSSL: consider completely disabling EXPORT cipher suites
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
779669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779669
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.0.0
Version: 1.0.1k-1
Severity: normal

Dear Maintainer,

CVE-2015-0204 [1] happened because OpenSSL still had code supporting export
cipher suites.
LibreSSL has disabled the use of export cipher suites [2] and all the code
relating to use of export RSA [3].

Although I'd much rather replace OpenSSL with LibreSSL on my box, it is not
ready yet for Jessie or unstable even [4], so meantime
can you consider disabling the export suites in OpenSSL like LibreSSL did, and
like you've done for SSLv3?
Perhaps something to discuss with upstream to provide a flag for that, although
maybe the correct thing to do would be to remove that code from upstream as
well.

[1] https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
[2] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d
[3] https://github.com/libressl-portable/openbsd/commit/b0a3dc11e2f40da00441447a359ed16e8c578e44
[4] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.55
ii  libc6                  2.19-15
ii  multiarch-support      2.19-15

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-services:
  libssl1.0.0/restart-failed:

--- End Message ---
--- Begin Message ---
fixed 779669 1.0.1k-3+deb8u4
fixed 779669 1.0.2g-1
fixed 779669 1.0.1e-2+deb7u20
thanks

On Tue, Mar 03, 2015 at 10:45:41PM +0200, Török Edwin wrote:
> Package: libssl1.0.0
> Version: 1.0.1k-1
> Severity: normal
> 
> Dear Maintainer,
> 
> CVE-2015-0204 [1] happened because OpenSSL still had code supporting export
> cipher suites.
> LibreSSL has disabled the use of export cipher suites [2] and all the code
> relating to use of export RSA [3]

Support for export and low ciphers has been removed earlier.  They were
also already disabled by default earlier.


Kurt

--- End Message ---
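Both the report (disable EXPORT suites, the mechanism behind CVE-2015-0204) and the maintainer's reply (export and LOW ciphers removed and disabled by default) describe a state an administrator can verify on an installed OpenSSL. The following is an added example and is not code from the bug report, from Debian or from OpenSSL. It parses lines in the layout of `openssl ciphers -v` (the same layout Python's `ssl.SSLContext.get_ciphers()` returns in its `description` field) and flags export-grade suites, 512-bit export key exchange and symmetric ciphers below 128 bits, then runs the same check against the OpenSSL linked into the running interpreter. The sample cipher lines are constructed and the function names are my own.

```python
import re
import ssl

# Constructed sample in the layout of `openssl ciphers -v` on a 1.0.x build:
# two EXPORT suites, one LOW (56-bit DES) suite and two acceptable suites.
SAMPLE_CIPHER_LIST = """\
EXP-RC4-MD5                 SSLv3   Kx=RSA(512)  Au=RSA   Enc=RC4(40)     Mac=MD5   export
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512)  Au=RSA   Enc=DES(40)     Mac=SHA1  export
DES-CBC-SHA                 SSLv3   Kx=RSA       Au=RSA   Enc=DES(56)     Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA       Au=RSA   Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH      Au=RSA   Enc=AESGCM(128) Mac=AEAD
"""

# Matches the "Key=ALG(bits)" fields; the "(bits)" part is optional.
_FIELD = re.compile(r"(\w+)=([A-Za-z0-9]+)(?:\((\d+)\))?")


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` style line into a dict of its fields."""
    parts = line.split()
    entry = {"name": parts[0], "protocol": parts[1], "export": "export" in parts[2:]}
    for key, alg, bits in _FIELD.findall(line):
        entry[key.lower()] = alg                     # e.g. kx -> "RSA", enc -> "RC4"
        if bits:
            entry[key.lower() + "_bits"] = int(bits)  # e.g. kx_bits -> 512, enc_bits -> 40
    return entry


def weakness_reasons(entry):
    """Return why a suite is export- or low-grade; an empty list means it passed."""
    reasons = []
    if entry["export"] or entry["name"].startswith("EXP"):
        reasons.append("export-grade suite")
    # Export-strength key exchange: the 512-bit RSA keys at the heart of CVE-2015-0204.
    if entry.get("kx_bits", 10**9) <= 512:
        reasons.append(f"{entry['kx_bits']}-bit {entry['kx']} key exchange")
    # OpenSSL's LOW group: 56- or 64-bit symmetric ciphers (the 40-bit export ones too).
    if entry.get("enc_bits", 10**9) < 128:
        reasons.append(f"{entry['enc_bits']}-bit {entry['enc']} encryption")
    # eNULL suites print "Enc=None": no confidentiality at all.
    if entry.get("enc") == "None":
        reasons.append("no encryption")
    return reasons


def audit_cipher_list(text):
    """Map suite name -> list of reasons for every weak suite in the text."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_cipher_line(line)
        reasons = weakness_reasons(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


def audit_running_openssl():
    """Run the same check over everything the linked OpenSSL is willing to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")  # widest possible list, including eNULL
    descriptions = "\n".join(c["description"] for c in ctx.get_ciphers())
    return audit_cipher_list(descriptions)


if __name__ == "__main__":
    for name, reasons in audit_cipher_list(SAMPLE_CIPHER_LIST).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("weak suites offered by the running OpenSSL:", audit_running_openssl() or "none")
```

On a build where export and LOW support has been removed, as the maintainer describes for the fixed Debian versions, `audit_running_openssl()` reports nothing beyond any `Enc=None` suites that `COMPLEMENTOFALL` deliberately pulls in; on the 1.0.1k listed in the report, the same call would surface the `EXP-*` and `DES-CBC-*` suites whenever an application's cipher string failed to exclude them.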
