On Fri, Nov 25, 2016 at 10:56:39AM +0100, Philipp Kern wrote: > On Sun, Oct 30, 2016 at 10:40:42PM +0100, Kurt Roeckx wrote: > > On Sun, Oct 30, 2016 at 11:35:23PM +0200, Adrian Bunk wrote: > > > I am raising this to RC severity since 1.0.2 will likely still be > > > shipped in stretch, and removing ciphers from the 1.0.2 defaults > > > that were already removed from the 1.1.0 defaults should clearly > > > be done for stretch. > > I did plan on disabling 3DES and RC4 in 1.0.2 for stretch. > > Did this happen? This bug is now applying to the openssl1.0 as a > RC bug.
It's not fixed in the openssl1.0 source package, it is in the openssl source package. So the bug is correct. Kurt
