On Tue, Jun 02 2026, Adrian Bunk wrote:

> On Sun, May 24, 2026 at 07:27:12AM -0500, John Goerzen wrote:
>> Just to be very clear: the ideal release would have my patch, but I am
>> also fine with one that lacks it.
>
> Is "my patch" the CVE-2025-68920 fix?
>
> My proposed update contains both the CVE fix and the removal of the
> OpenSSL version check, and if that looks good to you then I can upload
> it again.
>
> But if you have any objection to adding the CVE-2025-68920 fix in stable,
> then I can also prepare an update removing only the OpenSSL version check.

Sorry, let me be more clear:

Ideally, the upload to stable would have both the CVE-2025-68920 fix AND the removal of the OpenSSL version check. However, the CVE fix is more important, so if only one can be used, use that one.

- John

>
>> - John
>
> Thanks
> Adrian
>
>> On Sun, May 24 2026, John Goerzen wrote:
>>
>> > Hello,
>> >
>> > The OpenSSL version check should be removed in the Debian context. I
>> > patched it out in more recent versions of ckermit. It dates back to
>> > more disruptive changes that occurred in the OpenSSL 0.95 through 1.1
>> > days and serves no useful purpose any more.
>> >
>> > As an operational matter, its practical effect is a useless warning;
>> > almost nobody ever used SSL for kermit connections and as far as I am
>> > aware of, nobody actively does.
>> >
>> > I disabled it with
>> > https://salsa.debian.org/debian/ckermit/-/commit/69f7da0c764a64b5aec39a78bbc184143aa4253b
>> > if that helps.
>> >
>> > - John

