Your message dated Sat, 31 Dec 2016 17:18:54 +0000
with message-id <[email protected]>
and subject line Bug#736687: fixed in openssl1.0 1.0.2j-5
has caused the Debian Bug report #736687,
regarding libssl1.0.0: default cipher list contains insecure ciphers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
736687: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736687
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.0.0
Version: 1.0.1f-1
Severity: important
Tags: security

The default cipher list for OpenSSL is not secure.  It includes
low-strength and export ciphers, which should not be enabled unless
absolutely necessary.  Other TLS implementations do not do this, and
neither should OpenSSL.  This also forces every user of OpenSSL to
configure sensible defaults instead of doing it in one place.

An acceptable default would be HIGH:MEDIUM:!aNULL:!eNULL:!MD5.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  cdebconf [debconf-2.0]  0.187
ii  debconf [debconf-2.0]   1.5.52
ii  libc6                   2.17-97
ii  multiarch-support       2.17-97

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature


--- End Message ---
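The report above argues that the reporter's proposed string, HIGH:MEDIUM:!aNULL:!eNULL:!MD5, is a better default than what libssl1.0.0 shipped. A quick way to check any such cipher string is to let the local OpenSSL expand it and then flag the suites the report objects to (export grade, NULL encryption, anonymous key exchange, MD5 MACs) plus the two the eventual fix went after (RC4 and 3DES). The script below is an added example, not part of the bug report or the Debian package; the list SAMPLE_1_0_1_STYLE is constructed by hand to look like a 1.0.1-era DEFAULT expansion, and the rule table is an assumption about which name patterns correspond to which weakness.

```python
"""Audit an OpenSSL cipher string for the weak suites discussed in Debian #736687.

Added example; the rules and the sample list are assumptions, not project code.
"""
import re
import ssl

# Constructed sample in the style of an OpenSSL 1.0.1 DEFAULT expansion.
SAMPLE_1_0_1_STYLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "NULL-SHA",
    "ADH-AES128-SHA",
]

# (reason, pattern over the OpenSSL suite name). Assumed mapping from name to weakness.
WEAK_RULES = [
    ("export", re.compile(r"^EXP-")),              # 40/56-bit export grade
    ("null-cipher", re.compile(r"^NULL-|-NULL-")),  # no encryption at all
    ("anon-auth", re.compile(r"^(ADH|AECDH)-")),    # unauthenticated key exchange
    ("rc4", re.compile(r"RC4")),                    # biased stream cipher
    ("3des", re.compile(r"DES-CBC3|3DES")),         # 64-bit block, Sweet32
    ("single-des", re.compile(r"(^|-)DES-CBC-")),   # 56-bit key
    ("md5-mac", re.compile(r"-MD5$")),              # HMAC-MD5 record MAC
]


def weak_suites(names):
    """Return {suite_name: [reasons]} for every suite that matches a weak rule."""
    flagged = {}
    for name in names:
        reasons = [reason for reason, pat in WEAK_RULES if pat.search(name)]
        if reasons:
            flagged[name] = reasons
    return flagged


def expand(cipher_string):
    """Ask the local OpenSSL which suites cipher_string actually selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL and flag weak suites in the result."""
    return weak_suites(expand(cipher_string))


def reasons_present(flagged):
    """Set of distinct weakness reasons found in a weak_suites() result."""
    return {r for reasons in flagged.values() for r in reasons}


if __name__ == "__main__":
    print("constructed 1.0.1-style DEFAULT:")
    for name, reasons in weak_suites(SAMPLE_1_0_1_STYLE).items():
        print(f"  {name:32s} {', '.join(reasons)}")
    proposed = "HIGH:MEDIUM:!aNULL:!eNULL:!MD5"
    print(f"\nlocal OpenSSL, {proposed}:")
    for name, reasons in audit(proposed).items():
        print(f"  {name:32s} {', '.join(reasons)}")
```

Running it against the proposed string on a build whose OpenSSL still enables RC4 or 3DES shows those suites surviving under MEDIUM, which is why the closing changelog below marks them as weak rather than relying on the cipher string alone. On a modern OpenSSL built without weak ciphers the second listing is usually empty.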
--- Begin Message ---
Source: openssl1.0
Source-Version: 1.0.2j-5

We believe that the bug you reported is fixed in the latest version of
openssl1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated 
openssl1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Dec 2016 14:09:16 +0100
Source: openssl1.0
Binary: libssl1.0.2 libssl1.0-dev libcrypto1.0.2-udeb libssl1.0.2-udeb
Architecture: source
Version: 1.0.2j-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 libcrypto1.0.2-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl1.0-dev - Secure Sockets Layer toolkit - development files
 libssl1.0.2 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.2-udeb - ssl shared library - udeb (udeb)
Closes: 736687 845945
Changes:
 openssl1.0 (1.0.2j-5) unstable; urgency=medium
 .
   * Add myself as Uploader.
   * Drop zlib1g-dev from libssl1.0-dev's deps (Closes: #845945).
   * Mark RC4 and 3DES as weak which removes them from the SSL/TLS protocol
     (Closes: #736687).
   * Update Standards-Version, no change required.
   * Drop asm support for X32 because the testsuite segfaults.
   * Limit the watchfile to the 1.0.2x series.
   * Redo rules file to newer debhelper syntax
   * Add homepage field
   * Remove recommends for libssl-doc because the doc package from 1.1.0 is not
     really matching the -dev package from 1.0.2
Checksums-Sha1:
 56405db039ed3b8edae9c22f22245b9dd934c6d2 2562 openssl1.0_1.0.2j-5.dsc
 563381527703ef85d2c8aae782149bba7c3afdb1 75756 openssl1.0_1.0.2j-5.debian.tar.xz
Checksums-Sha256:
 1e081cce4a72c49f2753e5aa1be3df36b20e69c862245b4cb032646961ec30fe 2562 openssl1.0_1.0.2j-5.dsc
 f07ae3d7ebb1bdccfc2a7c890363ee212fcda7e3d7729e263e23953d70394b23 75756 openssl1.0_1.0.2j-5.debian.tar.xz
Files:
 b5f238be7ada84eef05d599b28b05a4d 2562 utils optional openssl1.0_1.0.2j-5.dsc
 cc689c4954009469242be40d2058e3bc 75756 utils optional openssl1.0_1.0.2j-5.debian.tar.xz


--- End Message ---
