[Secure-testing-team] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Florian Schlichting fsfs at debian.org
Thu Feb 19 09:38:14 UTC 2015


Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: serious
Tags: security

Newly released RFC 7465 [0] describes RC4 as being "on the verge of
becoming practically exploitable" and consequently mandates that both
servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
indeed terminate the TLS handshake if RC4 ciphers are the only ones
available.

To protect our users and comply with adopted Internet standards, openssl
in Debian should no longer include RC4 ciphers in the DEFAULT list of
ciphers, neither in Jessie nor supported stable / oldstable releases.

[0] https://tools.ietf.org/html/rfc7465

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE at euro, LC_CTYPE=de_DE at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-38+deb7u7
ii  libssl1.0.0  1.0.1e-2+deb7u14
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- debconf-show failed



More information about the Secure-testing-team mailing list