found 737969 1.1.32~repack-1
thanks

I'd bump up the severity to serious if this weren't a maintainer's /
release manager's prerogative. This bug does force me to maintain my
own fork of the package.

The main problem, I think, is the following hunk:

@@ -121,12 +123,14 @@
         /* requested but not supported */
 #endif
     } else {
+#ifndef OPENSSL_NO_SSL2
         if (mode == SSL_MODE_CLIENT)
             ctx = SSL_CTX_new(SSLv23_client_method());
         else if (mode == SSL_MODE_SERVER)
             ctx = SSL_CTX_new(SSLv23_server_method());
         else
             ctx = SSL_CTX_new(SSLv23_method());
+#endif
     }
 
     if (!ctx) {
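Review bot: the `#ifndef OPENSSL_NO_SSL2` / `#endif` pair wraps the whole `else` branch, so on an OpenSSL built without SSLv2 (the case this patch is meant to handle) nothing assigns `ctx` there and the following `if (!ctx)` error path fires for every caller that asked for the default, version-flexible mode. The three `SSLv23_*_method()` calls do not depend on SSLv2 being compiled in; they are the methods that negotiate among the remaining versions, so the guard should be dropped. If the intent is to refuse SSLv2 on builds that still have it, keep the `SSLv23_*` calls as they were and set `SSL_OP_NO_SSLv2` with `SSL_CTX_set_options()` once `ctx` has been created; failing that, at least add an `#else` that leaves `ctx` explicitly NULL with a comment, so the empty branch is not mistaken for an oversight.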

The SSLv23_* methods in OpenSSL have misleading names. They are the only
ones that support more than one protocol version at a time, and must be
used in order to support any two or more of SSLv2, SSLv3, TLSv1, TLSv1.1,
TLSv1.2. So it's wrong to comment them out if OPENSSL_NO_SSL2 is defined.

I'd also encourage the Debian maintainers to ponder whether the rest of
the drop_sslv2_support.diff patch is still needed in light of upstream
changes to the package. In my own builds I just disable it.

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
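Added example, not from the bug report or from the package being discussed: the same three-mode context construction written against Python's ssl module, which is a thin binding over OpenSSL's SSL_CTX. It shows the version-flexible method (PROTOCOL_TLS, Python's name for OpenSSL's SSLv23 method) being used unconditionally, SSLv2 refused through an option instead of by removing the method, and, beside it, what the patched C logic does on a build without SSLv2: the context is never created. The mode constants and all function names are this example's own assumptions.

```python
import ssl
import warnings

# Stand-ins for the three modes in the patched C code (names assumed here).
SSL_MODE_CLIENT = 0
SSL_MODE_SERVER = 1
SSL_MODE_BOTH = 2


def sslv2_compiled_in():
    """Runtime equivalent of 'OPENSSL_NO_SSL2 is not defined'.

    Python only exposes PROTOCOL_SSLv2 when the linked OpenSSL was built
    with SSLv2; every current distribution build lacks it.
    """
    return hasattr(ssl, "PROTOCOL_SSLv2")


def _flexible_method(mode):
    """Map a mode to the version-flexible method, as SSLv23_*_method() would.

    PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER / PROTOCOL_TLS are the
    client, server and generic forms of OpenSSL's SSLv23 method. They
    negotiate the highest version both peers support and exist whether or
    not SSLv2 was compiled in, so nothing here needs an #ifdef.
    """
    if mode == SSL_MODE_CLIENT:
        return ssl.PROTOCOL_TLS_CLIENT
    if mode == SSL_MODE_SERVER:
        return ssl.PROTOCOL_TLS_SERVER
    if mode == SSL_MODE_BOTH:
        return ssl.PROTOCOL_TLS
    raise ValueError("unknown mode %r" % (mode,))


def make_ctx(mode):
    """Correct construction: always use the flexible method."""
    with warnings.catch_warnings():
        # Recent Python versions warn that the generic PROTOCOL_TLS is
        # deprecated in favour of the client/server forms; it still works.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(_flexible_method(mode))


def make_ctx_as_patched(mode):
    """Mirror of the patched C branch: the SSLv23 calls are skipped whenever
    SSLv2 is absent, so the context stays unset (NULL in C, None here)."""
    ctx = None
    if sslv2_compiled_in():        # the #ifndef OPENSSL_NO_SSL2 guard
        ctx = make_ctx(mode)
    return ctx                     # caller's `if (!ctx)` then fails


def drop_sslv2(ctx):
    """The intended way to refuse SSLv2: keep the flexible method and forbid
    the version at negotiation time. OP_NO_SSLv2 is defined on every
    OpenSSL build; on one without SSLv2 it is simply a no-op."""
    ctx.options |= ssl.OP_NO_SSLv2
    return ctx


def forbids_sslv2(ctx):
    """True when this context can never negotiate SSLv2, either because the
    option is set or because the library cannot speak it at all."""
    return bool(ctx.options & ssl.OP_NO_SSLv2) or not sslv2_compiled_in()


if __name__ == "__main__":
    for mode in (SSL_MODE_CLIENT, SSL_MODE_SERVER, SSL_MODE_BOTH):
        good = drop_sslv2(make_ctx(mode))
        bad = make_ctx_as_patched(mode)
        print("mode %d: flexible ctx ok=%s, no-SSLv2=%s; patched logic gives %r"
              % (mode, good is not None, forbids_sslv2(good), bad))
```

Run as a script it prints one line per mode; on any OpenSSL without SSLv2 the last field is `None` for all three, which is exactly the `!ctx` failure the bug report describes, while the unguarded construction succeeds and still refuses SSLv2.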
