package: ircd-hybrid
version: 1:7.2.2.dfsg.2-10
tags: security patch
Control: fixed -1 1:8.0.4.dfsg.1-1

So I looked at how to disable SSLv3 in ircd-hybrid and didn't find anything. It seems that in the v8 version they disable SSLv2 and SSLv3 while in the v7 version they only disable SSLv2. I applied the change at the bottom of this mail to disable SSLv3 in the v7 version which is currently in Wheezy. Given the fact that one should disable SSLv3 and that this package has to be manually recompiled in order to enable SSL at all - what are the chances that an update hits Wheezy? :)

diff --git a/src/ircd.c b/src/ircd.c --- a/src/ircd.c +++ b/src/ircd.c @@ -512,7 +512,7 @@ init_ssl(void) ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s); } - SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL); SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL); -- 1.7.10.4

Sebastian
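
Review bot: in init_ssl(), the unchanged context line directly after the modified call still sets SSL_OP_TLS_ROLLBACK_BUG, which tells OpenSSL to skip its version rollback check, and that sits awkwardly next to a change whose purpose is to stop SSLv3 from being negotiated. Adding SSL_OP_NO_SSLv3 is correct as written, since SSL_CTX_set_options() ORs the new bits into the existing option mask, so the line "SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);" does what the mail describes. I would suggest either dropping SSL_OP_TLS_ROLLBACK_BUG in the same patch, leaving "SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_ALL);", or adding a comment that says which clients still need it. A smaller style point: the new line puts spaces around "|" while the following line does not, so pick one form for both. It would also help to add a one-line comment above the call noting that SSLv2 and SSLv3 are disabled on purpose, so the option is not removed again during a later merge.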