Bug#816063: emacs24: TLS certificate validation is silently broken

Antoine Beaupre wrote: > tags -1 -unreproducible > > I can reproduce issues with certification verification in Emacs 24.5+1-8 > in Debian Stretch. As documented here: > > [...] > > I am not sure what changed between Emacs 24 and 25, but it seems to me > Emacs 24 should absolutely be fixed before

Bug#816063: emacs24: TLS certificate validation is silently broken

"Trent W. Buck" writes: > Stretch currently has both emacs24 and emacs25, > so is there any major downside to removing emacs24 from Stretch? I think it would be fairly straightforward, though it might still require a bit of work to fix the few reverse deps that dak didn't

Bug#816063: emacs24: TLS certificate validation is silently broken

On 2017-02-23 12:41:05, Trent W. Buck wrote: > Antoine Beaupre wrote: >> tags -1 -unreproducible >> >> I can reproduce issues with certification verification in Emacs 24.5+1-8 >> in Debian Stretch. As documented here: >> >> [...] >> >> I am not sure what changed between Emacs 24 and 25, but it

Bug#816063: emacs24: TLS certificate validation is silently broken

[Summary: say the word and I (and Sean, I strongly suspect) will immediately resume the (possibly minimal) work that remains before we can remove emacs24 from stretch.] Antoine Beaupre writes: > I am not sure what changed between Emacs 24 and 25, but it seems to me >

Bug#816063: emacs24: TLS certificate validation is silently broken

tags -1 -unreproducible I can reproduce issues with certification verification in Emacs 24.5+1-8 in Debian Stretch. As documented here: https://glyph.twistedmatrix.com/2015/11/editor-malware.html The following script will yield an error: (let ((bad-hosts (cl-loop for bad in

Bug#816063: emacs24: TLS certificate validation is silently broken

tags +unreproducible thanks Rob Browning writes: > Nathaniel Smith writes: > >> And sometimes I've even had it fail on https://wrong.host.badssl.com >> after setting this (but not always). However, it always happily loads >>

Bug#816063: emacs24: TLS certificate validation is silently broken

Nathaniel Smith writes: > And sometimes I've even had it fail on https://wrong.host.badssl.com > after setting this (but not always). However, it always happily loads > https://self-signed.badssl.com, which means it's providing no > protection at all against MITM attacks. So

Bug#816063: emacs24: TLS certificate validation is silently broken

On Fri, Feb 26, 2016 at 09:34:33PM -0800, Nathaniel Smith wrote: > Package: emacs24 > Version: 24.5+1-6+b1 > Severity: serious > Tags: security > Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt > > Debian's emacs builds are linked against gnutls: > > (gnutls-available-p)

Bug#816063: emacs24: TLS certificate validation is silently broken

Package: emacs24 Version: 24.5+1-6+b1 Severity: serious Tags: security Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt Debian's emacs builds are linked against gnutls: (gnutls-available-p) t By default, they aren't configured to validate TLS certificates, leaving users