List:       debian-security
Subject:    Re: Bug#803204: libiksemel: utterly insecure GNUTLS settings
From:       Marc_Dequènes_(duck) <duck () duckcorp ! org>
Date:       2015-11-12 21:14:37
Message-ID: b4edb49f9b1a65f57344da8758a6a7c7 () webmail-rc ! duckcorp ! org

Coin,

On 2015-11-12 11:04, Simon Josefsson wrote:
> I would suggest to use gnutls_set_default_priority() instead of
> hard-coding a priority string into applications.  Your hard coded
> priority string will be just as obsolete as the hard coded values you
> are replacing in a couple of years.

You're right, this is a better way to set up priorities. Please see my 
patch as an urgent fix only. I asked the maintainer to review it as he 
should have more experience than me. Besides, when I made this patch I 
had the user setup in mind: the library could (and should) easily accept 
a string from the caller software in order to allow different 
restrictions if the user wishes so (and fall back to your suggestion if 
not provided).

I also think upstream should be contacted, not sure it was done. I can't 
see a stable upload coming either.

Regards.

-- 
Marc Dequènes
