Bug#778747: marked as done (openssl: RFC 7465 says RC4 is broken, never to be used)

[Debian Bug Tracking System]

Your message dated Wed, 24 Aug 2016 23:15:47 +0200
with message-id <20160824211546.6clvnxa72ozrg...@breakpoint.cc>
and subject line Re: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 
is broken, never to be used
has caused the Debian Bug report #778747,
regarding openssl: RFC 7465 says RC4 is broken, never to be used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778747: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: serious
Tags: security

Newly released RFC 7465 [0] describes RC4 as being "on the verge of
becoming practically exploitable" and consequently mandates that both
servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
indeed terminate the TLS handshake if RC4 ciphers are the only ones
available.

To protect our users and comply with adopted Internet standards, openssl
in Debian should no longer include RC4 ciphers in the DEFAULT list of
ciphers, neither in Jessie nor supported stable / oldstable releases.

[0] https://tools.ietf.org/html/rfc7465

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-38+deb7u7
ii  libssl1.0.0  1.0.1e-2+deb7u14
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119+deb7u1

-- debconf-show failed

--- End Message ---

--- Begin Message ---

Version: 1.1.0~pre6-1

On 2016-08-02 23:25:32 [+0200], Sebastian Andrzej Siewior wrote:
> 
> As of openssl in experimental we don't have RC4 in list of default
> ciphers.

even better. For the upcomming 1.1.0 release RC4 is not compiled by
default unless `enable-weak-ssl-ciphers' is seleted which we don't do.

So. Since there is no RC4 starting with 1.1.0 I am closing this with the
version currently sitting exp.

Sebastian

--- End Message ---