Bug#802331: jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-1
On Thu, 2016-03-24 at 22:40 +0100, Ondřej Surý wrote:
> On Thu, Mar 24, 2016, at 21:52, Adam D. Barratt wrote:
> > $ zgrep NO_COMPRESSION /srv/release.debian.org/www/proposed-updates/jessie_diffs/cyrus-imapd-2.4_2.4.17+nocaldav-0~deb8u1.debdiff.gz
> > + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
>
> This should not be strictly needed as 2.4.18 has new option
> 'tls_compression' that's disabled by default, but I have restored that
> part of the patch anyway.
Ah, I see. Thanks.
> (Also I am not that sure that BEAST/CRIME/BREACH attacks apply to IMAP
> as well, but better be safe than sorry...)
I have to admit that I'm not really sure either. I've seen varying
arguments around the applicability of most of the TLS vulnerabilities to
non-HTTP protocols.
Regards,
Adam