Bug#371153: marked as done (firefox: SSLv2 is insecure, should be disabled by default)

Mon, 10 Jul 2006 14:45:17 -0700 

Your message dated Mon, 10 Jul 2006 14:23:13 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#371153: fixed in firefox 1.5.dfsg+1.5.0.4-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: thunderbird
Version: 1.5-4
Severity: grave
Tags: security
Justification: user security hole

SSL v2 encryption is been considered insecure because of design flaws 
and weak ciphers [1], as such security.enable_ssl2 = false should be set
by default. However, currently this package accepts SSL2 by default and 
thus puts users at risk of assuming to be connected through a secure 
connection which is, in fact, not secure. As such, users relying on the
false impression of security given by the application are effectively 
put at risk.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=303849
    http://www.foundstone.com/resources/whitepapers/wp_ssldigger.pdf
    (the last one is a commercial plug but also contains useful info on 
    SSL ciphers)


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages thunderbird depends on:
ii  libatk1.0-0               1.11.3-1       The ATK accessibility toolkit
ii  libc6                     2.3.6-7        GNU C Library: Shared libraries
ii  libcairo2                 1.0.4-1+b1     The Cairo 2D vector graphics libra
ii  libfontconfig1            2.3.2-5.1      generic font configuration library
ii  libgcc1                   1:4.1.0-1+b1   GCC support library
ii  libglib2.0-0              2.10.2-1       The GLib library of C routines
ii  libgtk2.0-0               2.8.16-1       The GTK+ graphical user interface 
ii  libjpeg62                 6b-12          The Independent JPEG Group's JPEG 
ii  libpango1.0-0             1.12.0-2       Layout and rendering of internatio
ii  libpng12-0                1.2.8rel-5     PNG library - runtime
ii  libstdc++6                4.1.0-1+b1     The GNU Standard C++ Library v3
ii  libx11-6                  6.9.0.dfsg.1-6 X Window System protocol client li
ii  libxcursor1               1.1.3-1        X cursor management library
ii  libxext6                  6.9.0.dfsg.1-6 X Window System miscellaneous exte
ii  libxft2                   2.1.8.2-5.1    FreeType-based font drawing librar
ii  libxi6                    6.9.0.dfsg.1-6 X Window System Input extension li
ii  libxinerama1              6.9.0.dfsg.1-6 X Window System multi-head display
ii  libxp6                    6.9.0.dfsg.1-6 X Window System printing extension
ii  libxrandr2                6.9.0.dfsg.1-6 X Window System Resize, Rotate and
ii  libxrender1               1:0.9.0.2-1    X Rendering Extension client libra
ii  libxt6                    6.9.0.dfsg.1-6 X Toolkit Intrinsics
ii  zlib1g                    1:1.2.3-11     compression library - runtime

Versions of packages thunderbird recommends:
ii  myspell-de-at [myspell 20051113-1        Austrian (German) dictionary for m
ii  myspell-de-ch [myspell 20051113-1        Swiss (German) dictionary for mysp
ii  myspell-de-de [myspell 20051113-1        German dictionary for myspell
ii  xprint                 1:0.1.0.alpha1-13 Xprint - the X11 print system (bin

-- debconf information:
* thunderbird/browser: GNOME

--- End Message ---
--- Begin Message --- 
Source: firefox
Source-Version: 1.5.dfsg+1.5.0.4-2

We believe that the bug you reported is fixed in the latest version of
firefox, which is due to be installed in the Debian FTP archive:

firefox-dbg_1.5.dfsg+1.5.0.4-2_i386.deb
  to pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.4-2_i386.deb
firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_i386.deb
  to pool/main/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_i386.deb
firefox-gnome-support_1.5.dfsg+1.5.0.4-2_i386.deb
  to pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.4-2_i386.deb
firefox_1.5.dfsg+1.5.0.4-2.diff.gz
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-2.diff.gz
firefox_1.5.dfsg+1.5.0.4-2.dsc
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-2.dsc
firefox_1.5.dfsg+1.5.0.4-2_i386.deb
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-2_i386.deb
mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_all.deb
  to 
pool/main/f/firefox/mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_all.deb
mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.4-2_all.deb
  to 
pool/main/f/firefox/mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.4-2_all.deb
mozilla-firefox_1.5.dfsg+1.5.0.4-2_all.deb
  to pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.4-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <[EMAIL PROTECTED]> (supplier of updated firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  9 Jul 2006 02:37:28 -0400
Source: firefox
Binary: firefox-dbg firefox-gnome-support firefox-dom-inspector mozilla-firefox 
mozilla-firefox-gnome-support mozilla-firefox-dom-inspector firefox
Architecture: source all i386
Version: 1.5.dfsg+1.5.0.4-2
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <[EMAIL PROTECTED]>
Changed-By: Eric Dorland <[EMAIL PROTECTED]>
Description: 
 firefox    - lightweight web browser based on Mozilla
 firefox-dbg - debugging symbols for firefox
 firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 firefox-gnome-support - Support for Gnome in Mozilla Firefox
 mozilla-firefox - Transition package for firefox rename
 mozilla-firefox-dom-inspector - Transition package for firefox rename
 mozilla-firefox-gnome-support - Transition package for firefox rename
Closes: 365865 371153 372848 374372
Changes: 
 firefox (1.5.dfsg+1.5.0.4-2) unstable; urgency=low
 .
   [ Eric Dorland ]
   * netwerk/base/public/security-prefs.js: Disable SSLv2 by default. I
     thought the weak cipher warning took care of this. (Closes: #371153)
   * debian/firefox-runner: Simplify the dsp autodetection and add aoss to
     the roster. (Closes: #372848)
   * firefox-restart-required.update-notifier, firefox.postinst,
     firefox.install: Add update-notifier to indicate that firefox needs to
     be restarted on upgrade. Based on Ian Jackson's patch, but reworked a
     little. Also with a bad French translation. Translators, assemble!
     (Closes: #365865)
   * config/rules.mk, debian/control: Apply patch from Thiemo Seufer to
     remove mips -xgot hack and build depend on the appropriate binutils on
     mips and mipsel. (Closes: #374372)
   * debian/presubj, debian/README.Debian: Add a bit more information about
     disabling Pango, which often seems to be the source of problems.
   * debian/firefox-runner:
     - Print out MOZ_NO_REMOTE in verbose mode.
     - Fix some unreachable logic, Thanks Daniel Jacobowitz.
 .
   [ Mike Hommey ]
   * debian/rules:
     - Fix for Gecko date extraction from client.mk.
     - Disabled strict aliasing from optimized builds.
     - Added -Wl,--as-needed to the LDFLAGS, so that we don't get indirect
       libraries linked.
   * config/static-config.mk: Add MOZ_XFT_LIBS to STATIC_EXTRA_LIBS. It used to
     get linked as a side effect of linking to indirect libraries, but should
     be linked directly since Xft symbols are used.
   * debian/firefox-restart-required.update-notifier: Fixed the french
     translation. ;)
   * content/html/content/src/nsGenericHTMLElement.cpp,
     content/html/content/src/nsHTMLInputElement.cpp,
     dom/src/base/nsGlobalWindow.cpp: Fixed crasher and potential crashers.
     Reported bz#343953.
Files: 
 b7dcbd750d31e8121a00d6d936cd781e 1115 web optional 
firefox_1.5.dfsg+1.5.0.4-2.dsc
 a5d580a8123985a31b8c5f5ac3d44548 142364 web optional 
firefox_1.5.dfsg+1.5.0.4-2.diff.gz
 6369c08c501b41ee083a6e3cc06e9611 48154 web optional 
mozilla-firefox_1.5.dfsg+1.5.0.4-2_all.deb
 b1796ad05515ab048b44cf6b00901f00 47342 web optional 
mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_all.deb
 095b7d592d91e7301a6abf9da91e5ca8 47340 gnome optional 
mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.4-2_all.deb
 63da66c0029fb3498d1b10dec9ca9d94 8048710 web optional 
firefox_1.5.dfsg+1.5.0.4-2_i386.deb
 9488293ded653c9659d3dd3aab891266 247346 web optional 
firefox-dom-inspector_1.5.dfsg+1.5.0.4-2_i386.deb
 538653d9b437144e9af10499492369c3 73588 gnome optional 
firefox-gnome-support_1.5.dfsg+1.5.0.4-2_i386.deb
 6469c0e5500f521df7d90226841b803f 46871178 devel extra 
firefox-dbg_1.5.dfsg+1.5.0.4-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEsphtYemOzxbZcMYRAmLpAJ9cid4OqRF06aMeO4ZmwVhXnZy/OgCgpLSN
wBxWMkpi/U0Kg8dpkVOeLV4=
=xwve
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to