Package: alpine
Version: 2.02-3.1
Severity: normal
alpine (re-alpine) uses DES-56 to encrypt S/MIME messages. This is very
insecure by modern standards and is in violation of RFC 5751.
This issue was reported upstream and a patch produced
(http://sourceforge.net/tracker/index.php?func=detail&aid=3428168&group_id=264924&atid=1128048),
but has not been addressed in a release of re-alpine. The patch on the
linked page changes the default encryption algorithm to AES-128 (CBC
mode), which is sufficiently strong for modern use.
Due to the security issues surrounding the use of DES-56 in 2012, I
believe this should be patched in the alpine package even if re-alpine
does not produce a release with the patch.
-- System Information:
Debian Release: 6.0.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.10-grsec (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages alpine depends on:
ii libc6 2.11.2-10Embedded GNU C Library: Shared lib
ii libgssapi-krb5-21.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libpam0g1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8o-4squeeze5 SSL shared libraries
Versions of packages alpine recommends:
ii alpine-doc2.02-3.1 Text-based email client's document
Versions of packages alpine suggests:
ii aspell 0.60.6-4GNU Aspell spell-checker
ii exim44.72-6+squeeze2 metapackage to ease Exim MTA (v4)
ii exim4-daemon-light [mail 4.72-6+squeeze2 lightweight Exim MTA (v4) daemon
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
