
Re: [pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update

From: Vincent Bernat <bernat_at_nospam>
Date: Thu Dec 22 2011 - 18:16:49 GMT
To: Arno Töll <debian@toell.net>

OoO Shortly before the start of the afternoon of Thursday, 22 December 2011, around
13:38, Arno Töll <debian@toell.net> said:

> I'm sorry, you're right. I was indeed misleading, as I just copied the
> NEWS entry I wrote for Unstable, where things are slightly different. I
> admit I shouldn't have copied it as it was for Stable and Unstable, as
> things are not directly adaptable there.

OpenSSL in unstable does not support TLS 1.2 either. I think that the
solution is for a future OpenSSL version (maybe TLS 1.2 is supported in
1.1 but I am not sure).

> Regarding your comments, I can see how I could have been clearer, but I
> think the things you mentioned aren't so crucial that they would justify a
> new DSA. I will however reformulate some parts for the next Unstable
> upload.

Yes, you are right. Your advice still works, since without TLS 1.2 the
only mitigation available is to fall back to RC4, and that's what happens
with the provided configuration.
-- 
Vincent Bernat ☯ http://vincent.bernat.im
panic("Attempted to kill the idle task!");
        2.2.16 /usr/src/linux/kernel/exit.c

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/m3k45osc8e.fsf@neo.luffy.cx
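The reply above makes a point worth checking on a real configuration: a server may list a TLS 1.2 AEAD suite first, but a peer whose OpenSSL cannot speak TLS 1.2 never negotiates it, and what that peer actually gets is whatever comes next in the preference list, which is why the "fall back to RC4" ordering matters. The script below walks a server's cipher preference list under both assumptions and reports which suite a TLS 1.0/1.1-only peer ends up on. It is an added example, not lighttpd's, OpenSSL's or Debian's code; it assumes the server's order is honoured, it understands only explicit OpenSSL suite names (RC4-SHA, AES128-SHA, ECDHE-RSA-AES128-GCM-SHA256 and the like, not keywords such as HIGH or !aNULL), and the sample lists at the bottom are constructed.

```python
"""Which cipher a TLS 1.0/1.1-only peer ends up with, given a server cipher
preference list.  Added example, not lighttpd's, OpenSSL's or Debian's code.
Only explicit OpenSSL suite names are understood; the sample lists below
are constructed."""

from typing import List, Tuple

# Record-layer construction of a suite, recognised from its OpenSSL name.
AEAD_MARKERS = ("-GCM-", "-CCM", "-CHACHA20-")  # AEAD suites exist only in TLS 1.2+
STREAM_MARKERS = ("RC4",)                       # RC4 is a stream cipher: no CBC IV/padding exposure
MODIFIERS = ("!", "-", "+", "@")                # OpenSSL list syntax this parser does not handle


def classify_suite(name: str) -> str:
    """Return 'aead', 'stream' or 'cbc' for an explicit OpenSSL suite name."""
    if any(m in name for m in AEAD_MARKERS):
        return "aead"
    if any(m in name for m in STREAM_MARKERS):
        return "stream"
    # Every other suite negotiable under TLS 1.0/1.1 is a block cipher in CBC mode.
    return "cbc"


def parse_cipher_list(cipher_list: str) -> List[str]:
    """Split an OpenSSL-style ':'-separated preference list into explicit names.

    Keywords (HIGH, ALL, ...) and modifiers (!aNULL, @STRENGTH, ...) need
    OpenSSL itself to expand, so they are rejected rather than guessed at."""
    suites = []
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith(MODIFIERS) or "-" not in token:
            raise ValueError(f"unsupported cipher-list syntax: {token!r}")
        suites.append(token)
    return suites


def effective_first_suite(cipher_list: str, tls12_available: bool) -> Tuple[str, str]:
    """First suite the server can negotiate, with its record-layer class.

    tls12_available=False models a peer (or server) whose OpenSSL does not
    speak TLS 1.2: AEAD suites are skipped and the list falls through."""
    for suite in parse_cipher_list(cipher_list):
        kind = classify_suite(suite)
        if kind == "aead" and not tls12_available:
            continue
        return suite, kind
    raise ValueError("no negotiable suite in list")


def beast_mitigation(cipher_list: str, tls12_available: bool) -> str:
    """Summarise the outcome: 'aead' (TLS 1.2 AEAD suite negotiated),
    'rc4-fallback' (stream cipher under TLS <= 1.1, the mitigation the reply
    describes) or 'none' (a TLS 1.0 peer lands on a CBC suite)."""
    _, kind = effective_first_suite(cipher_list, tls12_available)
    return {"aead": "aead", "stream": "rc4-fallback", "cbc": "none"}[kind]


if __name__ == "__main__":
    # Constructed sample lists: the first keeps RC4 ahead of CBC, the second does not.
    for lst in ("ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:AES128-SHA",
                "AES128-SHA:RC4-SHA"):
        for tls12 in (True, False):
            suite, _ = effective_first_suite(lst, tls12)
            print(f"{lst:50} TLS1.2={tls12!s:5} -> {suite:30} {beast_mitigation(lst, tls12)}")
```

The second sample list shows the failure mode the reply is about: moving a CBC suite ahead of RC4 leaves a TLS 1.0 peer on CBC no matter what AEAD suites are listed, because those are never reachable without TLS 1.2.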