[Secure-testing-team] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Florian Schlichting
fsfs at debian.org
Thu Feb 19 09:38:14 UTC 2015
Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: serious
Tags: security
Newly released RFC 7465 [0] describes RC4 as being "on the verge of
becoming practically exploitable" and consequently mandates that both
servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
indeed terminate the TLS handshake if RC4 ciphers are the only ones
available.
To protect our users and comply with adopted Internet standards, openssl
in Debian should no longer include RC4 ciphers in the DEFAULT list of
ciphers, neither in Jessie nor supported stable / oldstable releases.
[0] https://tools.ietf.org/html/rfc7465
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE at euro, LC_CTYPE=de_DE at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-38+deb7u7
ii libssl1.0.0 1.0.1e-2+deb7u14
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119+deb7u1
-- debconf-show failed
More information about the Secure-testing-team
mailing list