[arch-general] Heads up: If you are using SSLv2 turn it off immediately

[P . A . López-Valencia]

If you are have a web server facing the public internet, turn off SSLv2 
immediately. OpenSSL 1.0.2g has the fix but it will take a while to drip 
down to the repos as it brings with it an ABI change.

The vulnerability is so bad[1], it doesn't only have a CVE number, 
CVE-2016-0800[4], but a name and its own website: HTTPS DROWN[1][2][3]. 
One third of all public web servers are open to attack[2][3] and OpenSSL 
may not be the only crypto library affected[1][4].



[1] http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/

[2] http://www.theregister.co.uk/2016/03/01/drown_crypto_flaw_analysis/

[3] https://drownattack.com/#paper

[4] https://access.redhat.com/security/cve/cve-2016-0800

-- 
Pedro A. López-Valencia
http://about.me/palopezv/
Recession is when a neighbor loses his job. Depression is when you lose 
yours. -Ronald Reagan

Re: [arch-general] AUR Packages no longer visible from Archlinux

[Jürgen Werner]

Am 01.03.2016 um 02:54 schrieb Marshall Neill:
> This is what I fail to understand; How did this get out of testing when
> obviously something is broke?
> 

Erm... package-query is in the AUR. There is no testing. No garantees.
Just trust in the maintainers, who, by the way, are doing great jobs
most of the time.