Bug#768164: [Pkg-haskell-maintainers] Bug#768164: haskell-tls: SSLv3 support
Hi Joachim, openssl disabled it entirely; it features a dedicated build flag for it (no-ssl3). Ok, I think we can easily follow suit here. Removing code is always simple :-) Could you approach haskell-tls upstream for their recommendation to disable it? Vincent, did you consider this issue already? Upstream has removed SSLv3 from the default cipher list: https://github.com/vincenthz/hs-tls/commit/5353bd2f717a31fd63c2a5d67112d8d8279bd1e6 Can you at least make an upload to sid that incorporates this patch so we can get it into jessie? Disabling it entirely is then of course still an option but removing it from the defaults list is already a big win. Cheers, Thijs -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#768164: [Pkg-haskell-maintainers] Bug#768164: haskell-tls: SSLv3 support
Hi, Am Mittwoch, den 05.11.2014, 16:45 +0100 schrieb Moritz Muehlenhoff: Package: haskell-tls Severity: important Tags: security Hi, openssl disabled SSLv3 for jessie since 1.0.1j-1. Shall we do the same for haskell-tls? good question. Probably yes. Did openssl disable SSLv3 completely, or did it just removed it from the default list of accepted settings? Greetings, Joachim -- Joachim nomeata Breitner Debian Developer nome...@debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata signature.asc Description: This is a digitally signed message part
Bug#768164: [Pkg-haskell-maintainers] Bug#768164: haskell-tls: SSLv3 support
On Wed, Nov 05, 2014 at 05:07:15PM +0100, Joachim Breitner wrote: Hi, Am Mittwoch, den 05.11.2014, 16:45 +0100 schrieb Moritz Muehlenhoff: Package: haskell-tls Severity: important Tags: security Hi, openssl disabled SSLv3 for jessie since 1.0.1j-1. Shall we do the same for haskell-tls? good question. Probably yes. Did openssl disable SSLv3 completely, or did it just removed it from the default list of accepted settings? openssl disabled it entirely; it features a dedicated build flag for it (no-ssl3). Could you approach haskell-tls upstream for their recommendation to disable it? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#768164: [Pkg-haskell-maintainers] Bug#768164: haskell-tls: SSLv3 support
Dear Moritz, Am Mittwoch, den 05.11.2014, 17:12 +0100 schrieb Moritz Muehlenhoff: On Wed, Nov 05, 2014 at 05:07:15PM +0100, Joachim Breitner wrote: Am Mittwoch, den 05.11.2014, 16:45 +0100 schrieb Moritz Muehlenhoff: Package: haskell-tls Severity: important Tags: security Hi, openssl disabled SSLv3 for jessie since 1.0.1j-1. Shall we do the same for haskell-tls? good question. Probably yes. Did openssl disable SSLv3 completely, or did it just removed it from the default list of accepted settings? openssl disabled it entirely; it features a dedicated build flag for it (no-ssl3). Ok, I think we can easily follow suit here. Removing code is always simple :-) Could you approach haskell-tls upstream for their recommendation to disable it? Vincent, did you consider this issue already? Greetings, Joachim -- Joachim nomeata Breitner Debian Developer nome...@debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata signature.asc Description: This is a digitally signed message part