retitle 594150 "no useful error message if server attempts insecure renegotiation"
reassign 594150 libcurl3-gnutls 7.21.0-1
found 594150 7.21.1-1
thanks

On Wed, 24 Nov 2010 at 10:24:51 -0800, Johannes Ernst wrote:
> On Nov 24, 2010, at 8:42, Simon McVittie wrote:
> > The "regression" in squeeze is that (the libraries used by)
> > apt-transport-https will refuse to go ahead with a TLS connection that
> > might have been hijacked using the vulnerability described in CVE-2009-3555;
> > this is unavoidable if you want a secure connection, unfortunately.
> >
> > Relatedly, there's a bug in curl causing it to give a misleading error
> > message, which made the underlying problem harder to find; this has since
> > been fixed upstream, and if you/the curl maintainer consider *that* to be
> > release-critical, we can try to get it fixed in squeeze. If this is what's
> > left of this bug, we can reassign it back to curl.
>
> Personally I think this is critical. Both curl and apt-transport-https should
> emit an error message that explains what's going on so mere mortals have a
> way of understanding it.

Fair enough, back to libcurl-gnutls it goes... hopefully Daniel Stenberg's
patch from several messages ago is enough to produce sensible output.

Regards,
    Simon