Package: syncevolution-http
Version: 1.4.99.4-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
syncevo-http-server only supports SSLv3 and no TLS connections when using HTTPS. This is

1. a potential security risk, as shown by the POODLE attack;
2. a problem with the SyncML client of syncevolution in sid and jessie, as SSLv3 connections won't work anymore ('Error performing TLS handshake: GnuTLS internal error.') when using HTTPS.

So the SyncEvolution SyncML client can't connect to the SyncML server provided by the same version of syncevolution.

The fix is rather small. A patch against upstream (no debdiff) is attached.

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12.7-05353-g11687ee (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages syncevolution-http depends on:
ii dbus-x11 1.8.12-1
ii python 2.7.8-2
ii python-dbus 1.2.0-2+b3
ii python-gobject 3.14.0-1
ii python-openssl 0.14-1
ii python-twisted-web 14.0.2-2
ii syncevolution-dbus 1.4.99.4-2+b1

syncevolution-http recommends no packages.

syncevolution-http suggests no packages.

-- no debconf information
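As an added illustration (not part of this report or of syncevolution), the following pyOpenSSL snippet builds a server context the way the attached fix is aiming for but with the negotiable method, so SSLv3 is refused while any TLS version the library supports can be selected, and verifies it with an in-memory handshake. The throwaway key and self-signed certificate are constructed for the demo and stand in for the server's real key/chain files.

```python
from OpenSSL import SSL, crypto


def make_self_signed():
    # Constructed throwaway key and self-signed certificate, demo only.
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "localhost"
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert


def server_context(key, cert):
    # SSLv23_METHOD negotiates the best version both sides support; the
    # OP_NO_* options then remove SSLv2/SSLv3 so the POODLE-vulnerable
    # protocol can never be chosen. (TLSv1_METHOD would pin TLS 1.0 only.)
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    ctx.use_privatekey(key)
    ctx.use_certificate(cert)
    return ctx


def negotiate(server_ctx, client_ctx=None, rounds=20):
    # Drive a handshake over memory BIOs (no sockets) and return the
    # protocol name the server negotiated, or None if it never completes.
    client_ctx = client_ctx or SSL.Context(SSL.SSLv23_METHOD)
    server = SSL.Connection(server_ctx, None)
    server.set_accept_state()
    client = SSL.Connection(client_ctx, None)
    client.set_connect_state()
    pending = [client, server]
    for _ in range(rounds):
        for conn in list(pending):
            try:
                conn.do_handshake()
                pending.remove(conn)  # this side finished its handshake
            except SSL.WantReadError:
                pass  # needs bytes from the peer first
        for src, dst in ((client, server), (server, client)):
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:
                pass  # nothing queued in this direction
        if not pending:
            return server.get_protocol_version_name()
    return None
```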
diff --git a/test/syncevo-http-server.py b/test/syncevo-http-server.py index 57210ae..6c14088 100755 --- a/test/syncevo-http-server.py +++ b/test/syncevo-http-server.py @@ -40,7 +40,7 @@ timeout=100000 class ChainedOpenSSLContextFactory(ssl.DefaultOpenSSLContextFactory): def __init__(self, privateKeyFileName, certificateChainFileName, - sslmethod = SSL.SSLv3_METHOD): + sslmethod = SSL.TLSv1_METHOD): """ @param privateKeyFileName: Name of a file containing a private key @param certificateChainFileName: Name of a file containing a certificate chain
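Review bot: swapping the default to SSL.TLSv1_METHOD pins the server to TLS 1.0 only, so clients that offer TLS 1.1 or 1.2 are still held at 1.0 rather than negotiating upward; the usual pyOpenSSL idiom is SSL.SSLv23_METHOD as the method and, in the __init__ body, `self.getContext().set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` (or the equivalent before the context is handed to Twisted), which drops SSLv3 without capping the TLS version. Also note that the hunk changes only the default argument, so any caller that passes sslmethod explicitly keeps whatever method it passes today; worth checking the call sites in the same file.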