Your message dated Mon, 08 Jul 2019 11:52:58 +0200
with message-id <87y318ettx....@arioch.leonhardt.eu>
and subject line Re: "Logjam" security notes.
has caused the Debian Bug report #787137,
regarding "Logjam" security notes.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
787137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pound
Version: 2.6-6.1

I did some checking with the site: https://www.ssllabs.com/ssltest/

This highlighted a couple of issues.

1) The new "Logjam" issue has made 1024-bit DH keys problematic. Pound will normally use an "uncommon" prime so it's probably not insecure, but it's not completely certain as Debian uses binary packages.

2) Pound does NOT support ECDHE-based key exchange at all. OpenSSL does, but it needs more configuration to enable it. From my recent reading it appears that this is now the preferred protocol, both because it's faster than a secure DHE and because it's possibly more secure.


Both these changes are now in the upstream version 2.7 so I'm requesting a refresh. Hopefully into stable as they are significant security issues even if they are not immediate threats.


--
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                             <http://www.debath.co.uk/>

--- End Message ---
--- Begin Message ---
Version: 2.7-1

As stated in the bug report, the bug was addressed with pound 2.7.

Thank you for the report.

--- End Message ---
