Package: repro
Version: 1.9.7-1
Severity: serious

After discussion on debian-security, two specific issues have been
identified[1] that have an impact on security support and
interoperability with TLS:

a) avoiding the TLSv1_method in the OpenSSL API and just using SSLv23_method

b) not trying to use TLS 1.2 when acting as a client as there are
sometimes problems with the way some servers respond[2]

Point (a) was fixed more comprehensively in the upstream 1.9.8 release
but can be fixed with a more concise and targeted patch for jessie.

Point (b) was not addressed upstream yet but is also trivial to address
in a manner that is suitable for the freeze process.


1. https://lists.debian.org/debian-security/2014/12/msg00032.html

2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666051#28


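Added example (not part of the original bug report or of repro's code): a simplified Python model of protocol version selection. It shows why an endpoint built on TLSv1_method can only ever speak TLS 1.0, while SSLv23_method combined with SSL_OP_NO_*-style masks negotiates the highest common version, including the point (b) case of a client that leaves TLS 1.2 out. The Op flag values, the (method, options) tuples and the function names are constructed for illustration; SSLv2 and the details of OpenSSL's real handshake are not modelled.

```python
from enum import IntEnum, IntFlag


class Ver(IntEnum):
    """Protocol versions, ordered by their wire version numbers."""
    SSLv3 = 0x0300
    TLSv1 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303


class Op(IntFlag):
    """Stand-ins for OpenSSL's SSL_OP_NO_* options (bit values constructed)."""
    NO_SSLv3 = 1
    NO_TLSv1 = 2
    NO_TLSv1_1 = 4
    NO_TLSv1_2 = 8


_MASK = {Ver.SSLv3: Op.NO_SSLv3, Ver.TLSv1: Op.NO_TLSv1,
         Ver.TLSv1_1: Op.NO_TLSv1_1, Ver.TLSv1_2: Op.NO_TLSv1_2}

# Fixed-version methods speak exactly one version.
_FIXED = {"TLSv1_method": Ver.TLSv1}


def enabled(method, options=Op(0)):
    """Return the set of versions an endpoint is willing to speak."""
    if method == "SSLv23_method":
        # Version-flexible method: everything not masked off by options.
        return {v for v in Ver if not options & _MASK[v]}
    # Fixed method: one version only (masks are not modelled here).
    return {_FIXED[method]}


def negotiate(client, server):
    """Highest version both sides accept, or None for a failed handshake."""
    common = enabled(*client) & enabled(*server)
    return max(common) if common else None


# Constructed peers: one that has dropped SSLv3 and TLS 1.0, one pinned to TLS 1.0.
MODERN_SERVER = ("SSLv23_method", Op.NO_SSLv3 | Op.NO_TLSv1)
PINNED_SERVER = ("TLSv1_method",)

# Point (a): pinned client versus flexible client.
PINNED_CLIENT = ("TLSv1_method",)
FLEXIBLE_CLIENT = ("SSLv23_method", Op.NO_SSLv3)
# Point (b): flexible client that does not offer TLS 1.2.
NO_TLS12_CLIENT = ("SSLv23_method", Op.NO_SSLv3 | Op.NO_TLSv1_2)
```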