Re: Bug#772487: SSL 3.0 and older ciphers selected in applications

[Daniel Pocock <daniel@pocock.pro>]

On 08/12/14 10:20, Adam D. Barratt wrote:
> On Mon, 2014-12-08 at 09:16 +0100, Daniel Pocock wrote:
> [...]
>> If it will help the release team, is there anybody from the security
>> team who could review the changes in my debdiff?
> Note that debian-security@lists.debian.org is not a contact address for
> the security team.
>
> (Also I don't see anything in the nack mail that says it was related to
> being unable to review the debdiff.)


I wasn't suggesting that was the cause for the nack email although I
remember some discussion around the wheezy release that the size of
diffs is considered a factor in unblock requests.

I understand that sometimes the security team have made decisions about
what should go through to stable, e.g. for the browser version updates
and the security team are also getting involved if some vulnerability is
found in future so I value their opinion on this particular case.

The WebSocket transport (which includes TLS support) in packages like
reSIProcate, Kamailio and Asterisk needs to remain interoperable with
the browsers and the server side also needs to remain secure throughout
the life of jessie so there are a range of reasons I'm asking about this.