Package: openssl Version: 1.0.1e-2+deb7u14 Severity: serious Tags: security
Newly released RFC 7465 [0] describes RC4 as being "on the verge of becoming practically exploitable" and consequently mandates that both servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and indeed terminate the TLS handshake if RC4 ciphers are the only ones available. To protect our users and comply with adopted Internet standards, openssl in Debian should no longer include RC4 ciphers in the DEFAULT list of ciphers, neither in Jessie nor supported stable / oldstable releases. [0] https://tools.ietf.org/html/rfc7465 -- System Information: Debian Release: 7.8 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/dash Versions of packages openssl depends on: ii libc6 2.13-38+deb7u7 ii libssl1.0.0 1.0.1e-2+deb7u14 ii zlib1g 1:1.2.7.dfsg-13 openssl recommends no packages. Versions of packages openssl suggests: ii ca-certificates 20130119+deb7u1 -- debconf-show failed -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
