Package: curl
Version: 7.52.1-3
Severity: important

Dear Maintainer,

When establishing an HTTPS connection, X.509 certificates using md5RSA should be
rejected and the connection should be terminated.

curl 7.52.1 can do that when it's compiled against OpenSSL 1.1.0 or above.
Attempts to establish a connection with hosts using an md5RSA certificate result in the
curl: (60) SSL certificate problem: CA signature digest algorithm too weak
error in that case.

OpenSSL 1.1.0 is already included in Debian Stretch, so curl should be compiled
against the new OpenSSL to solve this security issue.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages curl depends on:
ii  libc6     2.24-9
ii  libcurl3  7.52.1-3
ii  zlib1g    1:1.2.8.dfsg-5

curl recommends no packages.

curl suggests no packages.

-- no debconf information
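An added example, not code from this bug report, from curl or from OpenSSL: a small Python script that reads the signature algorithm OID out of a DER-encoded certificate and applies the policy described above (MD5-based signatures rejected, which is what OpenSSL 1.1.0 does at its default security level and what curl surfaces as "CA signature digest algorithm too weak"). It also checks that tbsCertificate.signature matches the outer signatureAlgorithm field, as RFC 5280 section 4.1.2.3 requires. The certificates it checks are constructed inline as structural placeholders with no real keys or signatures; the function names, the WEAK_SIGNATURE_OIDS set (including MD2 and MD4 next to the md5RSA case from the report) and the placeholder TBS fields are this example's own assumptions.

```python
"""Classify an X.509 certificate's signature digest from raw DER.
Added example, not code from this bug report, curl or OpenSSL; the DER
encoder only builds placeholder sample certificates for offline testing."""

# Signature-algorithm OIDs treated as "digest too weak". md5WithRSAEncryption
# is the bug report's case; MD2/MD4 are this example's own policy addition.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                       "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, accepted

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = length byte count
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Yield (tag, contents) for each element of a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, child, pos = _read_tlv(contents, pos)
        yield tag, child

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _algorithm_oid(field):
    """Return the OID from an AlgorithmIdentifier given as a (tag, contents) pair."""
    tag, contents = field
    if tag != 0x30 or not contents:
        raise ValueError("malformed AlgorithmIdentifier")
    oid_tag, oid = next(_children(contents))
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def signature_digest_verdict(cert_der):
    """Return 'ok', 'too weak: <name>' or 'signature algorithm mismatch'.
    RFC 5280 4.1.2.3 requires tbsCertificate.signature to equal the outer
    signatureAlgorithm, so that is checked before the digest policy."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    fields = list(_children(cert))
    if tag != 0x30 or len(fields) != 3:
        raise ValueError("expected SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }")
    tbs_fields = list(_children(fields[0][1]))
    if tbs_fields and tbs_fields[0][0] == 0xA0:   # optional EXPLICIT [0] version
        tbs_fields = tbs_fields[1:]
    inner = _algorithm_oid(tbs_fields[1])   # [0] is serialNumber, [1] is signature
    outer = _algorithm_oid(fields[1])
    if inner != outer:
        return "signature algorithm mismatch"
    if outer in WEAK_SIGNATURE_OIDS:
        return "too weak: " + WEAK_SIGNATURE_OIDS[outer]
    return "ok"

# --- constructed sample certificates (placeholders; no real keys or signatures) ---

def _der(tag, contents):
    """Encode one DER TLV with a definite length."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + contents

def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # leading groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def _algorithm_identifier(oid):
    return _der(0x30, _encode_oid(oid) + _der(0x05, b""))   # OID + NULL parameters

def build_sample_certificate(outer_oid, inner_oid=None):
    """Constructed v3 certificate skeleton whose two signature-algorithm fields
    carry the given OIDs; issuer, validity, subject, key and signature are
    empty placeholders, so it is not a verifiable certificate."""
    inner_oid = inner_oid or outer_oid
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))     # version: v3
                     + _der(0x02, b"\x01")               # serialNumber: 1
                     + _algorithm_identifier(inner_oid)  # signature
                     + _der(0x30, b"") * 4)              # issuer, validity, subject, SPKI
    return _der(0x30, tbs + _algorithm_identifier(outer_oid) + _der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    print(signature_digest_verdict(build_sample_certificate("1.2.840.113549.1.1.4")))
```

To run the same check against a real server certificate, feed the bytes returned by ssl.get_server_certificate() (PEM-decoded with ssl.PEM_cert_to_DER_cert()) to signature_digest_verdict; the parser only reads the two AlgorithmIdentifier fields, so the placeholder TBS contents above are not a limitation of the check itself.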
