[Secure-testing-team] Bug#772040: syncevolution-http: syncevo-http-server script uses SSLv3, no TLS support
Tino Mettler
tino.mettler+debbugs at tikei.de
Thu Dec 4 16:05:06 UTC 2014
Package: syncevolution-http
Version: 1.4.99.4-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
syncevo-http-server only supports SSLv3 and no TLS connections when using
HTTPS. This is
1. a potential security risk, as shown by the POODLE attack
2. a problem with the SyncML client of syncevolution in sid and jessie, as
SSLv3 connections won't work anymore ('Error performing TLS handshake:
GnuTLS internal error.') when using HTTPS. So the Syncevolution SyncML
client can't connect to the SyncML server provided by the same version of
syncevolution.
The fix is rather small. A patch against upstream (no debdiff) is attached.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12.7-05353-g11687ee (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages syncevolution-http depends on:
ii dbus-x11 1.8.12-1
ii python 2.7.8-2
ii python-dbus 1.2.0-2+b3
ii python-gobject 3.14.0-1
ii python-openssl 0.14-1
ii python-twisted-web 14.0.2-2
ii syncevolution-dbus 1.4.99.4-2+b1
syncevolution-http recommends no packages.
syncevolution-http suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use_TLS_instead_of_SSLv3.diff
Type: text/x-diff
Size: 620 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20141204/62471629/attachment.diff>
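The report above says the server offers SSLv3 only and that the fix is to let it speak TLS. The attached patch is not reproduced on this page, and the snippet below is not syncevolution's code: it is an added example, written against Python's standard-library `ssl` module rather than the Twisted/pyOpenSSL stack that syncevo-http-server actually uses, showing the shape of the fix (a version-flexible server method with the floor pinned at TLS) together with a small audit helper a packager can run to confirm SSLv3 can no longer be negotiated. The function names `hardened_server_context` and `audit_context` are this example's own; the certificate and key paths are optional placeholders.

```python
"""Added example, not part of the syncevolution project.

Shows how a Python HTTPS server should pick its protocol versions so that
SSLv3 is never offered, plus an audit helper that reports the effective
floor. Uses the standard-library ssl module; the principle is the same for
Twisted/pyOpenSSL (negotiable method instead of a fixed SSLv3 method, with
the minimum explicitly set to a TLS version).
"""
import ssl


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server-side TLS context that cannot fall back to SSLv3."""
    # PROTOCOL_TLS_SERVER negotiates the highest version both peers support,
    # which a fixed single-version (SSLv3-only) method cannot do.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin the floor explicitly instead of trusting library defaults, so a
    # client that only offers SSLv3 is refused at the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # Placeholder paths; the real service supplies its own cert/key.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Return a small report on whether SSLv3 is reachable on this context.

    Two independent signals are checked: the OP_NO_SSLv3 option bit and the
    configured minimum protocol version. Either one alone is enough to keep
    SSLv3 out; the report flags the context as accepting SSLv3 only when
    neither is in place.
    """
    sslv3_disabled = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_is_tls = ctx.minimum_version >= ssl.TLSVersion.TLSv1
    return {
        "sslv3_disabled": sslv3_disabled,
        "minimum_version": ctx.minimum_version.name,
        "accepts_sslv3": not (sslv3_disabled or floor_is_tls),
    }


if __name__ == "__main__":
    report = audit_context(hardened_server_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The audit helper is the useful half for a package maintainer: run it against whatever context the service actually builds (or port the two checks to pyOpenSSL's `Context.set_options` / `set_min_proto_version`) and a regression back to an SSLv3-only method shows up as `accepts_sslv3: True` before any client ever fails with the GnuTLS handshake error quoted in the report.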