author Christoph Goehre <chris@sigxcpu.org> 2014-12-04 11:21:46 -0500
committer Christoph Goehre <chris@sigxcpu.org> 2014-12-04 12:56:10 -0500
commit b5acb03f683647cb4b42c857f830c42bf120a28c (patch)
tree d258e5b759459dc843d40d7519ca085557252deb
parent 054b68ae0a198d8bd28c3c97b8e7aebfdcacfb64 (diff)
debian/NEWS: adding notes around new security changes
Mozilla has dropped the SSL 3.0 support. Now adding some information around this in debian/NEWS and debian/README.Debian. Partially cherry picked from experimental branch (d64a847491ac3191ace43afd2192b8082e27e1db)
-rw-r--r-- debian/NEWS 9
-rw-r--r-- debian/README.Debian 23
2 files changed, 32 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index ad05c23..6293b2b 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,12 @@
+icedove (31.3.0-1) unstable; urgency=low
+
+ Due to the BEAST vulnerability Icedove does not support SSLv3 encrypted
+ connections by default any longer.
+
+ However you can still reactivate SSLv3 as described in README.Debian.
+
+ -- Carsten Schoenert <c.schoenert@t-online.de> Wed, 12 Nov 2014 19:38:00 +0100
+
icedove (31.2.0-1) unstable; urgency=low
Mozilla implemented TLS 1.2 in NSS version 3.15.1 and Thunderbird 31.0 uses
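Review bot: in the new 31.3.0-1 entry, "Due to the BEAST vulnerability" names only BEAST, while the README.Debian text added by this same commit gives "POODLE and BEAST" as the reason and links Mozilla's POODLE post. The NEWS entry should name POODLE as well so the two files agree on why SSLv3 is off by default. Since NEWS is the text users see on upgrade, it would also help to state here, as the README does, that reactivating SSLv3 is meant only for reaching legacy systems.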
diff --git a/debian/README.Debian b/debian/README.Debian
index 990d967..69a48bf 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -44,3 +44,26 @@ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761245
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
-- Carsten Schoenert <c.schoenert@t-online.de> Wed, 15 Oct 2014 18:38:00 +0200
+
+Reactivateing SSLV3 connectivity
+--------------------------------
+
+Due to POODLE and BEAST SSLv3 encrypted connections are not considered secure
+anymore. See [1], [2] and [3] for details. If you need to reactivate SSLv3 to
+use Icedove against legacy systems you have to change the settings for
+
+ "security.tls.version.min"
+
+and set the value to '0'.
+
+This setting can be found in the about:config summary.
+(available via "Edit ->> + Preferences -> Advanced -> General -> Config Editor").
+For details see
+http://kb.mozillazine.org/Security.tls.version.* as written above.
+
+Please read also:
+[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
+[2] https://www.openssl.org/~bodo/ssl-poodle.pdf
+[3] https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
+
+ -- Carsten Schoenert <c.schoenert@t-online.de> Wed, 12 Nov 2014 19:38:00 +0100
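Review bot: the instructions for "security.tls.version.min" do not say that this preference is global, so setting it to '0' to reach one legacy system lowers the minimum protocol version for every account and connection Icedove makes. Please add a sentence saying so and recommending that the value be restored to its default once the legacy system no longer needs it. Two smaller points in the same hunk: the heading "Reactivateing SSLV3 connectivity" should read "Reactivating SSLv3 connectivity" to match the spelling used in the body, and "as written above" after the mozillazine URL is ambiguous about what it refers to and could be dropped.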