On Wed, Dec 31, 2014 at 13:52:54 +0100, Kurt Roeckx wrote:
> I would like to disable SSLv3 by default in wheezy. Attached is a
> debdiff.
>
>
> Kurt
>
> diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog > --- openssl-1.0.1e/debian/changelog 2014-10-15 19:45:48.000000000 +0200 > +++ openssl-1.0.1e/debian/changelog 2014-12-31 13:46:02.000000000 +0100 > @@ -1,3 +1,15 @@ > +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium > + > + * Disable SSLv3 by default. It can be enabled again by calling > + SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3. > + It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the > + environment to anything. > + This fixes the POODLE issue (CVE-2014-3566). > + * Fix CVE-2014-3569. We're not affected by it since we don't build with > + the no-ssl3 option (yet). > + > + -- Kurt Roeckx <k...@roeckx.be> Wed, 31 Dec 2014 13:45:07 +0100 > + > openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium > > * Fixes CVE-2014-3513 I'm ok with this in principle; the OPENSSL_ALLOW_SSLv3 environment variable really ought to be documented though, at least in a NEWS.Debian for libssl1.0.0. Cheers, Julien
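Review bot: the OPENSSL_ALLOW_SSLv3 override described in the first changelog bullet is documented nowhere but this changelog entry, yet setting it "to anything" re-enables the very protocol the same bullet says is broken by POODLE (CVE-2014-3566); it should be documented in NEWS.Debian for libssl1.0.0 (and ideally the package README), stating that it is a temporary compatibility escape hatch, that the value is ignored and only the variable's presence matters, and that it affects every program using this libssl rather than a single application. The second bullet is also confusing as written: "Fix CVE-2014-3569. We're not affected by it" reads as a contradiction; consider "Apply the upstream fix for CVE-2014-3569 (not triggerable in this build, which is not configured with no-ssl3)". Finally, the debdiff quoted here contains only debian/changelog, so the hunks that actually set SSL_OP_NO_SSLv3 by default and read OPENSSL_ALLOW_SSLv3 cannot be checked against the behaviour the changelog claims from this message alone.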