[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#804787: jessie-pu: package servefile/0.4.3-1

On Fri, 2016-01-01 at 18:08 +0000, Adam D. Barratt wrote:
> On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > I attached a new debdiff with a more meaningful changelog.
> > 
> > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > +
> > +  * Upstream bugfix release
> > +  * Fix for path traversal bug in directory listing mode
> > +  * SSL hardening (prefer TLS1.2/TLS1)
> 
> Thanks.
> 
> +               # choose TLS1.2 or TLS1, if available
> +               sslMethod = None
> +               if hasattr(SSL, "TLSv1_2_METHOD"):
> +                       sslMethod = SSL.TLSv1_2_METHOD
> +               elif hasattr(SSL, "TLSv1_METHOD"):
> +                       sslMethod = SSL.TLSv1_METHOD
> 
> Why is TLS1.1 explicitly avoided here? Might it make more sense to
> use
> TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server
> negotiate
> the highest mutually-supported protocol?
> 

Ping?

The above mail was sent nearly 2.5 years ago, and there's been no
follow-up. The window for getting fixes into jessie before it becomes
LTS closes during the coming weekend.

Regards,

Adam
Reply to: