Package: libssl1.0.0
Version: 1.0.1k-1
Severity: normal

Dear Maintainer,
CVE-2015-0204 [1] happened because OpenSSL still had code supporting export
cipher suites. LibreSSL has disabled the use of export cipher suites [2] and
all the code relating to use of export RSA [3]. Although I'd much rather
replace OpenSSL with LibreSSL on my box, it is not ready yet for Jessie or
unstable even [4], so in the meantime can you consider disabling the export
suites in OpenSSL like LibreSSL did, and like you've done for SSLv3?

Perhaps something to discuss with upstream to provide a flag for that,
although maybe the correct thing to do would be to remove that code from
upstream as well.

[1] https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0
[2] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d
[3] https://github.com/libressl-portable/openbsd/commit/b0a3dc11e2f40da00441447a359ed16e8c578e44
[4] https://github.com/libressl-portable/openbsd/commit/9e3c8206e0f32386e79956dfa4a26bbfdb3dd10d

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.55
ii  libc6                  2.19-15
ii  multiarch-support      2.19-15

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-services:
  libssl1.0.0/restart-failed:
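Added example (not part of the bug report, and not code from Debian, OpenSSL or LibreSSL): a small POSIX sh check that an administrator can use to find out whether the installed libssl still offers export-grade suites, and the cipher-string form in which an application disables them while the library code is still present. It assumes the `openssl ciphers -v` output format, where an export-grade suite ends with the word "export" in its last column; the sample output embedded below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `openssl ciphers -v` output (three suites, two export-grade).
SAMPLE_CIPHERS='EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
AES128-SHA              SSLv3 Kx=RSA       Au=RSA  Enc=AES(128)  Mac=SHA1'

# Cipher string an application can use to exclude export suites (and anonymous/null
# ones) regardless of whether the library was built with them. "!" is a permanent
# exclusion that a later "ALL" cannot re-enable.
HARDENED_CIPHERS='DEFAULT:!EXPORT:!aNULL:!eNULL'

# Print the names of export-grade suites found in `openssl ciphers -v` style output
# passed as $1. The "export" marker is always the last whitespace-separated field.
list_export_suites() {
    printf '%s\n' "$1" | awk '$NF == "export" { print $1 }'
}

# Number of export-grade suites in the given output (0 when there are none).
count_export_suites() {
    list_export_suites "$1" | wc -l | tr -d ' '
}

# Live check against the installed library. Returns 0 when no export suite is
# offered, 1 when at least one is, and 2 when the openssl binary is not available.
check_installed_openssl() {
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null) || return 2
    n=$(count_export_suites "$out")
    echo "installed OpenSSL offers $n export-grade suite(s)"
    [ "$n" -eq 0 ]
}

# Show what the hardened string leaves behind on this box (informational only).
show_hardened_list() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ciphers -v "$HARDENED_CIPHERS"
}

# Stand-alone run: report on the constructed sample, then on the real library.
if [ "${1:-}" = "--demo" ]; then
    echo "sample output contains $(count_export_suites "$SAMPLE_CIPHERS") export suite(s):"
    list_export_suites "$SAMPLE_CIPHERS"
    check_installed_openssl
fi
```

Run with `sh check-export.sh --demo`. A non-zero count from `check_installed_openssl` means the library still advertises 40-bit RC4/DES and 512-bit RSA key exchange to any application that uses the default cipher list, which is the condition the report asks to have removed at the package level; until then `HARDENED_CIPHERS` is the per-application mitigation.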