From 7afe2262e8139f9531d15614d90bad7458570729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog@debian.org>
Date: Mon, 20 Jul 2015 13:48:31 +0000
Subject: Mark CVE-2015-4000 as fixed by DLA-247-1

But add a note in packages/openssl.txt so that we don't forget to increase
the minimum DH key length to 1024 bits.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@35591 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 data/DLA/list        | 2 +-
 data/dla-needed.txt  | 7 -------
 packages/openssl.txt | 7 +++++++
 3 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 packages/openssl.txt

diff --git a/data/DLA/list b/data/DLA/list
index ca1e1a049d..4a59c969d7 100644
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -94,7 +94,7 @@
 	{CVE-2015-3456}
 	[squeeze] - qemu 0.12.5+dfsg-3squeeze5
 [17 Jun 2015] DLA-247-1 openssl - security update
-	{CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792}
+	{CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000}
 	[squeeze] - openssl 0.9.8o-4squeeze21
 [17 Jun 2015] DLA-246-2 linux-2.6 - security update
 	[squeeze] - linux-2.6 2.6.32-48squeeze13
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 34651a038a..3fdb46d1ce 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -48,13 +48,6 @@ openssh (Mike Gabriel)
   v5.5. For discussion if openSSH in squeeze is affected and to what extent,
   see: https://lists.debian.org/debian-lts/2015/07/msg00045.html
 --
-openssl
-  NOTE: CVE-2015-4000 is not completely fixed.  We need to raise the
-  minimum DH key length to 1024, but shouldn't do this while many
-  servers still use 768 bits.  To set up a server to test against,
-  edit ssl_dh_GetTmpParam() in apache2's modules/ssl/ssl_engine_dh.c
-  to always return a short key.
---
 php5 (Thorsten Alteholz)
   NOTE: upload in June/July
 --
diff --git a/packages/openssl.txt b/packages/openssl.txt
new file mode 100644
index 0000000000..c0f4a82e9e
--- /dev/null
+++ b/packages/openssl.txt
@@ -0,0 +1,7 @@
+NOTE: CVE-2015-4000 is not completely fixed.  We need to raise the
+minimum DH key length to 1024, but shouldn't do this while many
+servers still use 768 bits.  To set up a server to test against,
+edit ssl_dh_GetTmpParam() in apache2's modules/ssl/ssl_engine_dh.c
+to always return a short key.
+
+Drop this file once this has been done in all supported releases.
-- 
cgit v1.2.3