Your message dated Sun, 26 Feb 2023 13:03:45 +0000 (UTC)
with message-id
<[email protected]>
and subject line Closing this bug (BTS maintenance for debian-printing)
has caused the Debian Bug report #865649,
regarding cups HTTPS issues -- Lack of SHA-2 certificate, weak TLSv1.0 crypto
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
865649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865649
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cups
Version: 2.2.1-8
* SHA-1 is officially deprecated for HTTPS certificates, but is still used for
cups certificate generation.
* TLSv1.0 is enabled for cups, but TLSv1.0 with CBC / SHA-1 is potentially
vulnerable to BEAST attacks.
I suggest two resolutions to correct this, even though it is understood that
default certificates are self-signed anyway.
* Generate SHA-2 signed certificates by default. This will lessen the additional
browser warnings.
* Enable only TLSv1.2 for the cups HTTPS interface and disable CBC and SHA-1
crypto. TLSv1.0 has numerous known, potential security issues with CBC / SHA-1
suites. All current web clients support TLSv1.2 and so disabling TLSv1.0 should
have no negative effect for local Debian users and is likely to also have
virtually no impact for remote cups users as well accessing the cups interface
remotely.
Verified on Debian GNU/Linux 9
--- End Message ---
--- Begin Message ---
Hi,
this bug was forwarded to upstream and closed after introducing new config
options. A package containing this fix was uploaded some time ago.
Thus I am manually closing this bug now.
Best regards,
Thorsten
--- End Message ---