Your message dated Sat, 29 Jan 2011 21:57:22 +0100
with message-id <87y663mnrh....@mid.deneb.enyo.de>
and subject line Re: Bug#611461: iceweasel still does insecure ssl
renegotiation?!
has caused the Debian Bug report #611461,
regarding iceweasel still does insecure ssl renegotiation?!
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
611461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iceweasel
Version: 3.5.16-4
Severity: grave
Tags: security
Justification: user security hole
Hi.
It seems that iceweasel still is vulnerable to the SSL renegotiation attack,
as simply is configured per default to allow the vulnerable renegotiation:
security.ssl.require_safe_negotiation;true
Cheers,
Chris.
--- End Message ---
--- Begin Message ---
* Christoph Anton Mitterer:
> It seems that iceweasel still is vulnerable to the SSL renegotiation attack,
> as simply is configured per default to allow the vulnerable renegotiation:
> security.ssl.require_safe_negotiation;true
Given the way the protocol works, this setting cannot be exploited,
hence closing the bug. It does *not* enable a downgrade attack.
--- End Message ---
