Package: starttls
Version: 0.10-3
Severity: critical
starttls package should IMHO be removed from Debian repositories, as it
looks like a security joke:
- it does not allow passing trust anchors to be used to verify the
remote peer: are users expected to see the issue by themselves and not
use it?
- usage advertises a --verify option to set the verification level (no
details on accepted values): in all cases, it is not considered in the
code and SSL_VERIFY_NONE is used instead.
- The man page does not describe the options the program accepts and does
not warn the user about the lack of checks.
AFAICT, starttls provides a good example of how OpenSSL API should *not*
be used! Its use should only be limited to testing purposes and a *huge*
disclaimer on its limitations should be put somewhere.
Comments welcome.
Cheers,
a+
ps: [EMAIL PROTECTED] is in CC, because previous list of issues is
still valid against CVS version of starttls.
pps: Gnus ML is in CC as some people might be using it (for years?).
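As an added example (not starttls's own code, nor from the Debian package), this is how a client that actually honours a --verify level and a trust-anchor file should set up its context before upgrading the connection; Python's ssl module drives the same OpenSSL calls (SSL_CTX_set_verify, SSL_CTX_load_verify_locations, hostname checking). The level names, the --cafile option and the SMTP STARTTLS dialogue are assumptions.

```python
"""Client-side TLS setup that honours --verify and --cafile (constructed example)."""
import socket
import ssl

# Assumed --verify levels, each mapped to the OpenSSL verify mode it should select.
VERIFY_LEVELS = {
    "none": ssl.CERT_NONE,          # SSL_VERIFY_NONE: the mode the bug report found hard-coded
    "optional": ssl.CERT_OPTIONAL,  # ask for a certificate, tolerate its absence
    "required": ssl.CERT_REQUIRED,  # SSL_VERIFY_PEER: handshake fails without a valid chain
}


def build_client_context(verify="required", cafile=None):
    """Return an SSLContext whose verification reflects the requested level.

    cafile: PEM bundle of trust anchors (SSL_CTX_load_verify_locations);
    when None the platform's default CA store is used instead.
    """
    if verify not in VERIFY_LEVELS:
        raise ValueError("unknown --verify level %r; expected one of: %s"
                         % (verify, ", ".join(VERIFY_LEVELS)))
    mode = VERIFY_LEVELS[verify]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking only makes sense when the chain is checked; it must be
    # cleared before verify_mode can legally be set to CERT_NONE.
    ctx.check_hostname = mode != ssl.CERT_NONE
    ctx.verify_mode = mode
    if mode != ssl.CERT_NONE:
        if cafile is not None:
            ctx.load_verify_locations(cafile=cafile)
        else:
            ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def smtp_starttls(sock, server_hostname, ctx):
    """Issue STARTTLS on an open plaintext SMTP socket and wrap it in TLS.

    server_hostname is what the peer certificate is matched against; the
    ctx decides whether a failed match or an untrusted chain aborts the handshake.
    """
    sock.sendall(b"STARTTLS\r\n")
    reply = sock.recv(512)
    if not reply.startswith(b"220"):
        raise RuntimeError("server refused STARTTLS: %r" % reply)
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```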