On Sun, Mar 12, 2017 at 02:11:48PM +0000, Alessandro Ghedini wrote:
> On Fri, Mar 03, 2017 at 09:41:03AM +0100, lcf wrote:
> > Package: curl
> > Version: 7.52.1-3
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When establishing https connection X.509 certificates using md5RSA should be
> > rejected and connection should be terminated.
> >
> > curl 7.52.1 can do that, when it's compiled against OpenSSL 1.1.0 and above.
> > Attempts to establish connection with hosts using md5RSA certificate result
> > in
> > curl: (60) SSL certificate problem: CA signature digest algorithm too weak
> > error in that case.
> >
> > OpenSSL 1.1.0 is already included in Debian Stretch, so curl should be
> > compiled
> > against new OpenSSL to solve this security issue.
>
> The switch to OpenSSL 1.1 was rolled back due to [0], as per release team
> decision (see [1]).

Ugh, [1] was meant to point to https://bugs.debian.org/850880