On 22/05/13 22:14, Adam D. Barratt wrote:
> On Sat, 2013-05-11 at 17:58 +0100, Adam D. Barratt wrote:
>> On Thu, 2013-04-25 at 12:47 +0100, Simon McVittie wrote:
>>> The version of telepathy-idle in wheezy does not validate IRC servers'
>>> SSL certificates when used with SSL (#706094, CVE ID requested).
> [...]
>> Please go ahead with an upload for stable.
>
> Ping?

Cc pkg-telepathy-maintainers: could someone who uses telepathy-idle
regularly please pick this up?

Sorry, I've been holding off on this because the proposed patch is a
regression: users who were relying on the ability to get a
(man-in-the-middle-vulnerable) connection to an SSL IRC server whose
certificate is self-signed or untrusted can no longer do so. I didn't
think many people would fall into this category, but apparently quite a
lot do...

This is fixed in 0.1.16 in unstable, which hooks up the necessary
infrastructure to do a browser-style "does this certificate look OK?"
prompt in Empathy or kde-telepathy. However, that's a significant amount
of code (~ 1k lines). 0.1.16 also has unrelated bugfixes, and an
unrelated new feature (listing chatrooms on servers).

Possible resolutions include:

* upload 0.1.11-2+deb7u1 as-is, and accept the regression (Ubuntu did
  this)

* upload 0.1.16 to wheezy

* backport 0.1.16 to wheezy-backports (which should be trivial), and
  upload 0.1.11-2+deb7u1 with a NEWS file noting the regression and
  suggesting the backport

* backport the certificate bits from 0.1.16 to 0.1.11

Regards,
    S