
Bug#772694: marked as done (mention removal of SSLv3 in whatsnew section)



Your message dated Thu, 01 Jan 2015 13:34:50 +0100
with message-id <54A53EEA.9080205@thykier.net>
and subject line Re: Bug#772694: mention removal of SSLv3 in whatsnew section
has caused the Debian Bug report #772694,
regarding mention removal of SSLv3 in whatsnew section
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772694
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: wishlist
Tags: patch

Hi,

Attached patch renames the "Hardening" section to "Security", adds mention
of the removed SSLv3 protocol and progress on hardened build flags.


Cheers,
Thijs
Index: en/whats-new.dbk
===================================================================
--- en/whats-new.dbk	(revision 10518)
+++ en/whats-new.dbk	(working copy)
@@ -441,13 +441,17 @@
 </para>
 </section>
 
-<section id="hardening" condition="fixme">
-  <title>Hardened security</title>
-  <para>
-TODO: Even more packages / coverage?
-  </para>
+<section id="security" condition="fixme">
+  <title>Security</title>
+  <para>The legacy secure sockets layer protocol SSLv3 has been
+  disabled in this release. System cryptography libraries as well as servers
+  and client applications have been compiled or configured without support
+  for this protocol.</para>
 
-  <para>Note that the hardened build flags are not enabled by default in
+  <para>Continuing on the path set by &oldrelease;, more packages have
+  been built with hardened compiler flags. Also, the stack protector flag
+  has been switched to stack-protector-strong for extra hardening.
+  Note that the hardened build flags are not enabled by default in
   <systemitem role="package">gcc</systemitem>, so are not used automatically
   when locally building software. The package
   <systemitem role="package">hardening-wrapper</systemitem> can provide a
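
Review bot: the first new paragraph states as an absolute that "System cryptography libraries as well as servers and client applications have been compiled or configured without support for this protocol"; unless every library and every client and server package in the release has been checked, qualify it (for example "Many system cryptography libraries ...") so the notes do not promise more than the archive delivers. Two smaller points in the same hunk: the new section keeps condition="fixme" although the TODO paragraph that attribute marked is removed, so either drop the attribute or state what is still open; and "stack-protector-strong" should name the actual compiler option, -fstack-protector-strong, in an <option> or <literal> element so readers can search for it. Since the section id changes from "hardening" to "security", also check that no other part of the release notes still links to the old id.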

--- End Message ---
--- Begin Message ---
On 2014-12-23 18:18, Thijs Kinkhorst wrote:
> On Thu, December 11, 2014 19:38, Niels Thykier wrote:
>> I have applied and committed your patch with 3 changes.  These changes
>> are:
>>
>>  * In the first paragraph, avoid implying that all packages have been
>>    compiled without SSLv3 support (as I recall, at least openssl still
>>    have it, and given it removes symbols/breaks ABI to remove them,
>>    will keep it for Jessie)
> 
> SSLv3 is disabled in OpenSSL 1.0.1j-1 as evidenced by that version's
> changelog, and also verifiable by trying to use an application compiled
> against OpenSSL with SSLv3.
> 
> Thanks for applying the patch.
> 
> 
> Cheers,
> Thijs
> 

Ok, I have corrected the text to:

"""
The legacy secure sockets layer protocol SSLv3 has been
disabled in this release. Many system cryptography libraries as well
as servers and client applications have been compiled or configured
without support for this protocol.
"""

Which I believe should accurately describe the SSLv3 situation in
Jessie.  If not, please do let me know by reopening the bug.

Thanks,
~Niels

--- End Message ---
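
Thijs's remark above suggests verifying the SSLv3 situation by attempting an SSLv3 connection from an application built against the release's OpenSSL. Once the local library itself has SSLv3 disabled, "openssl s_client -ssl3" may no longer be available as a probe, so the following added example (not part of the bug report, the release notes, or Debian's packaging) hand-crafts an SSLv3 ClientHello in Python and classifies the server's first reply: a ServerHello carrying version 3.0 means SSLv3 is still accepted, while a protocol_version or handshake_failure alert, or a dropped connection, means it was refused. The cipher-suite list, the default target of localhost:443 and the helper names are assumptions made for illustration.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 handshake.

Added example, not from the Debian bug report or the release-notes patch.
The ClientHello is built by hand (record version 3.0, no extensions) so the
probe works even when the local OpenSSL was built without SSLv3 support.
"""
import os
import socket
import struct
import sys

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SSLV3 = b"\x03\x00"

# Assumed list of SSLv3-era suites (RFC 6101 / RFC 3268 code points) so a
# server that still speaks SSLv3 has something it can select.
CIPHER_SUITES = [0x0016, 0x0033, 0x002F, 0x000A, 0x0005, 0x0004]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security"}


def build_sslv3_client_hello(client_random=None):
    """Return one TLS record carrying an SSLv3 ClientHello."""
    random32 = client_random if client_random is not None else os.urandom(32)
    if len(random32) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + random32                              # gmt_unix_time + random_bytes
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + SSLV3
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 hello."""
    if not data:
        return "rejected: connection closed without a reply"
    if len(data) < 5:
        return "unknown: short read"
    rtype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if rtype == ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        return "rejected: alert %s (level %d)" % (ALERT_NAMES.get(desc, desc), level)
    if rtype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        version = payload[4:6]                  # server_version follows the 4-byte handshake header
        if version == SSLV3:
            return "accepted: server completed SSLv3 ServerHello"
        return "unexpected: ServerHello with version %s" % version.hex()
    return "unknown: record type 0x%02x" % rtype


def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except ConnectionResetError:
            reply = b""                         # RST is also a refusal
        except socket.timeout:
            return "unknown: no reply within timeout"
    return classify_response(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "->", probe(target))
```

A "rejected" or "closed" verdict is what a Jessie-era server without SSLv3 should produce; "accepted" means the endpoint still negotiates SSLv3 regardless of what the client's own OpenSSL supports, which is the case the release note text is about.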