
Bug#804787: jessie-pu: package servefile/0.4.3-1



On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> I attached a new debdiff with a more meaningful changelog.
> 
> +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> +
> +  * Upstream bugfix release
> +  * Fix for path traversal bug in directory listing mode
> +  * SSL hardening (prefer TLS1.2/TLS1)
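
Review bot: The "Fix for path traversal bug in directory listing mode" entry carries no bug or advisory reference, which makes an urgency=high stable update harder to track; if a bug report or CVE id exists, cite it on that line. The "SSL hardening (prefer TLS1.2/TLS1)" entry would also read more accurately if it said that one fixed protocol version is selected, since "prefer" suggests negotiation.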

Thanks.

+               # choose TLS1.2 or TLS1, if available
+               sslMethod = None
+               if hasattr(SSL, "TLSv1_2_METHOD"):
+                       sslMethod = SSL.TLSv1_2_METHOD
+               elif hasattr(SSL, "TLSv1_METHOD"):
+                       sslMethod = SSL.TLSv1_METHOD
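
Review bot: In the hasattr chain, sslMethod stays None when neither TLSv1_2_METHOD nor TLSv1_METHOD is present, and nothing in the visible lines handles that case; add an explicit fallback or fail with a clear error. The pyOpenSSL constants TLSv1_2_METHOD and TLSv1_METHOD are fixed-version methods, so a context built from either speaks only that one protocol version, and a client without TLS 1.2 cannot connect once TLSv1_2_METHOD is picked. Using SSL.SSLv23_METHOD together with set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) lets both sides negotiate the highest shared version, TLS 1.1 included.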

Why is TLS1.1 explicitly avoided here? Might it make more sense to use
TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server negotiate
the highest mutually-supported protocol?

Regards,

Adam

