Bug#594150: regression in apt-transport-https interop with apt-cacher

Simon McVittie smcv at debian.org
Wed Nov 24 18:39:12 UTC 2010


retitle 594150 "no useful error message if server attempts insecure renegotiation"
reassign 594150 libcurl3-gnutls 7.21.0-1
found 594150 7.21.1-1
thanks

On Wed, 24 Nov 2010 at 10:24:51 -0800, Johannes Ernst wrote:
> On Nov 24, 2010, at 8:42, Simon McVittie wrote:
> > The "regression" in squeeze is that (the libraries used by)
> > apt-transport-https will refuse to go ahead with a TLS connection that
> > might have been hijacked using the vulnerability described in CVE-2009-3555;
> > this is unavoidable if you want a secure connection, unfortunately.
> > 
> > Relatedly, there's a bug in curl causing it to give a misleading error
> > message, which made the underlying problem harder to find; this has since
> > been fixed upstream, and if you/the curl maintainer consider *that* to be
> > release-critical, we can try to get it fixed in squeeze. If this is what's
> > left of this bug, we can reassign it back to curl.
> 
> Personally I think this is critical. Both curl and apt-transport-https should emit an error message that explains what's going on so mere mortals have a way of understanding it.

Fair enough, back to libcurl-gnutls it goes... hopefully Daniel Stenberg's
patch from several messages ago is enough to produce sensible output.

Regards,
    Simon