On Sun, May 24, 2026 at 07:27:12AM -0500, John Goerzen wrote:
> Just to be very clear: the ideal release would have my patch, but I am
> also fine with one that lacks it.

Is "my patch" the CVE-2025-68920 fix?

My proposed update contains both the CVE fix and the removal of the 
OpenSSL version check, and if that looks good to you then I can upload 
it again.

But if you have any objection to adding the CVE-2025-68920 fix in stable,
then I can also prepare an update removing only the OpenSSL version check.

> - John

Thanks
Adrian

> On Sun, May 24 2026, John Goerzen wrote:
> 
> > Hello,
> >
> > The OpenSSL version check should be removed in the Debian context.  I
> > patched it out in more recent versions of ckermit.  It dates back to
> > more disruptive changes that occurred in the OpenSSL 0.95 through 1.1
> > days and serves no useful purpose any more.
> >
> > As an operational matter, its practical effect is a useless warning;
> > almost nobody ever used SSL for kermit connections and as far as I am
> > aware, nobody actively does.
> >
> > I disabled it with
> > https://salsa.debian.org/debian/ckermit/-/commit/69f7da0c764a64b5aec39a78bbc184143aa4253b
> > if that helps.
> >
> > - John
