Package: pound
Version: 2.6-6.1

I did some checking with the site: https://www.ssllabs.com/ssltest/

This highlighted a couple of issues.

1) The new "Logjam" issue has made 1024-bit DH keys problematic. Pound will normally use an "uncommon" prime so it's probably not insecure, but it's not completely certain as Debian uses binary packages.

2) Pound does NOT support ECDHE-based key exchange at all. OpenSSL does, but it needs more configuration to enable it. From my recent reading it appears that this is now the preferred protocol both because it's faster than a secure DHE and it's possibly more secure.


Both these changes are now in the upstream version 2.7 so I'm requesting a refresh. Hopefully into stable as they are significant security issues even if they are not immediate threats.


--
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                             <http://www.debath.co.uk/>
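The two checks the report above asks for, written as an added example that is not part of the bug report or of the pound or Debian packages: (1) parse a PEM "DH PARAMETERS" block and report the bit length of the prime p, so a 1024-bit Logjam-era group can be spotted before it is loaded; (2) build an OpenSSL server context (via Python's ssl module) that is restricted to ECDHE suites, which shows the extra configuration step, selecting an ECDH curve, that OpenSSL needs before ECDHE is offered. The cipher string, the curve name and the 2048-bit threshold are assumptions chosen for illustration, and the DH groups fed to the parser are constructed test values (small or non-prime), not real parameters.

```python
import base64
import ssl

# Assumed policy threshold (not stated in the bug report): post-Logjam
# guidance treats 1024-bit DH groups as weak and 2048 bits as the floor.
MIN_DH_BITS = 2048


def ecdhe_only_context(curve="prime256v1"):
    """Server-side SSLContext that offers only ECDHE key exchange for TLS 1.2
    (TLS 1.3 suites, always forward secret, stay enabled).
    Cipher string and curve are illustrative assumptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.set_ecdh_curve(curve)  # the extra step OpenSSL needs before ECDHE is usable
    return ctx


def offered_cipher_names(ctx):
    """Names of the cipher suites the context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def offers_only_forward_secret_suites(ctx):
    """True when every offered suite is ECDHE (TLS 1.2) or a TLS 1.3 suite."""
    names = offered_cipher_names(ctx)
    return bool(names) and all(n.startswith(("ECDHE-", "TLS_")) for n in names)


# --- minimal DER handling for "DH PARAMETERS" = SEQUENCE { INTEGER p, INTEGER g } ---

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """Minimal two's-complement DER INTEGER for a non-negative value."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_pem(p, g):
    """Produce a PEM 'DH PARAMETERS' block; used here only to build test input."""
    seq_body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Bit length of the prime p inside a PEM 'DH PARAMETERS' block."""
    lines = [l.strip() for l in pem_text.splitlines()
             if l.strip() and not l.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_params_acceptable(pem_text, minimum=MIN_DH_BITS):
    """Policy check: reject groups smaller than the assumed minimum."""
    return dh_prime_bits(pem_text) >= minimum


if __name__ == "__main__":
    # Constructed inputs: a toy 5-bit group and a 2048-bit non-prime of the right size.
    print("toy group bits:", dh_prime_bits(encode_dh_params_pem(23, 5)))
    print("2048-bit ok:", dh_params_acceptable(encode_dh_params_pem(2 ** 2047 + 1, 2)))
    print("ECDHE-only offered:", offers_only_forward_secret_suites(ecdhe_only_context()))
```

In practice you would point dh_prime_bits at the dhparam file the proxy loads and run the context check against the cipher string you intend to ship; a deployment whose only key exchange is a 1024-bit DHE group fails the first check, and one with no curve selected fails the second because OpenSSL then offers no ECDHE suites.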
