From 7afe2262e8139f9531d15614d90bad7458570729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog@debian.org>
Date: Mon, 20 Jul 2015 13:48:31 +0000
Subject: Mark CVE-2015-4000 as fixed by DLA-247-1

But add a note in packages/openssl.txt so that we don't forget to increase
the minimum DH key length to 1024 bits.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@35591 e39458fd-73e7-0310-bf30-c45bca0a0e42
---
 packages/openssl.txt | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 packages/openssl.txt

(limited to 'packages')

diff --git a/packages/openssl.txt b/packages/openssl.txt
new file mode 100644
index 0000000000..c0f4a82e9e
--- /dev/null
+++ b/packages/openssl.txt
@@ -0,0 +1,7 @@
+NOTE: CVE-2015-4000 is not completely fixed.  We need to raise the
+minimum DH key length to 1024, but shouldn't do this while many
+servers still use 768 bits.  To set up a server to test against,
+edit ssl_dh_GetTmpParam() in apache2's modules/ssl/ssl_engine_dh.c
+to always return a short key.
+
+Drop this file once this has been done in all supported releases.
-- 
cgit v1.2.3