Package: stunnel4
Version: 3:4.29-1+squeeze1
Severity: normal

Hi!
I just noticed the default /etc/stunnel/stunnel.conf from stunnel4 in Debian Squeeze hardcodes the protocol version to be used to SSLv3:

-------------
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
-------------

This of course may cause problems after the discovery of the POODLE attack vector and the subsequent mass-disabling of SSLv3 in servers, if the admin does not change this value in the config file.

It may be a good idea to release a squeeze-lts version of the stunnel4 package which removes that line from the default config file and alerts server admins to check if their existing configuration has this option as well.

The packages in Wheezy and higher are not problematic, since they no longer ship a default /etc/stunnel/stunnel.conf and the included example config file does not hardcode an sslVersion.

This bug may also serve to document the fact that the package from squeeze has a flaw and how to mitigate that problem.

Regards,
Sven.
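As an added example (not part of the bug report and not shipped by the stunnel4 package), the following POSIX shell script does the check the report asks admins to perform: it scans stunnel config files for an uncommented `sslVersion = SSLv3` (or `SSLv2`) directive, reports each hit with file and line number, and can comment the directive out in place, keeping a `.bak` copy, so stunnel falls back to its built-in default instead of pinning SSLv3. The sample config it writes is constructed to mirror the squeeze default quoted above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find and disable a hardcoded SSLv2/SSLv3 "sslVersion"
# directive in stunnel configuration files (the Debian squeeze default).
# Uses only POSIX sh and awk so it runs on an old squeeze box.

# Shared awk helper: weak(s) returns 1 when the config line s is an
# uncommented "sslVersion = SSLv2|SSLv3" directive. stunnel option names and
# values are matched case-insensitively; ';' and '#' start comments.
weak_sslversion_awk='
function weak(s,   line, key, val) {
    line = s
    sub(/[;#].*$/, "", line)                 # drop trailing comment
    if (index(line, "=") == 0) return 0      # not a key = value line
    key = line; sub(/=.*$/, "", key);    gsub(/[ \t]/, "", key)
    val = line; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
    return tolower(key) == "sslversion" && (tolower(val) == "sslv3" || tolower(val) == "sslv2")
}'

# check_stunnel_sslversion FILE...
# Prints "file:line: text" for every weak directive.
# Returns 0 if none were found, 1 if at least one was found.
check_stunnel_sslversion() {
    awk "$weak_sslversion_awk"'
        { if (weak($0)) { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1 } }
        END { if (bad) exit 1 }
    ' "$@"
}

# disable_sslv3_directive FILE
# Rewrites FILE in place, keeping FILE.bak; weak sslVersion lines are
# commented out (and annotated) rather than deleted, so the admin can see
# what was changed.
disable_sslv3_directive() {
    f=$1
    cp "$f" "$f.bak" || return 1
    awk "$weak_sslversion_awk"'
        { if (weak($0)) print "; " $0 "   ; disabled: SSLv3 is vulnerable to POODLE"; else print }
    ' "$f.bak" > "$f"
}

# write_sample_config FILE
# Constructed sample modelled on the squeeze default (not the real file).
write_sample_config() {
    cat > "$1" <<'EOF'
; constructed sample stunnel.conf, modelled on the squeeze default
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

[https]
accept  = 443
connect = 80
EOF
}

# Demo on a temporary copy of the sample config.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/stunnel.conf"
if check_stunnel_sslversion "$demo_dir/stunnel.conf"; then
    echo "no hardcoded SSLv2/SSLv3 sslVersion directive found"
else
    echo "weak sslVersion directive found; commenting it out"
    disable_sslv3_directive "$demo_dir/stunnel.conf"
fi
rm -rf "$demo_dir"
```

On a real system the check would be run as `check_stunnel_sslversion /etc/stunnel/*.conf`; after disabling the directive, stunnel must be restarted for the change to take effect, and the `.bak` copy should be reviewed before it is discarded.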