Diffstat (limited to 'debian/NEWS')
-rw-r--r--  debian/NEWS  73
1 file changed, 73 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 00000000..65ad0d25 --- /dev/null +++ b/debian/NEWS 
@@ -0,0 +1,73 @@ +boxbackup (0.13~~git20190527.g039c4a1-1) experimental; urgency=medium + + * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af: + + Fix Debian bug 907135: weak certificates + + Debian Linux have recently upgraded to OpenSSL 1.1.1, which has + increased the default global security level from 1 to 2. Level 2 does + not accept certificates with 1024-bit keys, and certificates signed + with the SHA1 algorithm, considering them to be weak and therefore + dangerous. It now requires a minimum of 2048-bit keys and SHA256 + signatures. (At the time of writing, this change is only in Debian + Unstable, but it will eventually make its way into a stable release.) + + This has caused the following issues with Box Backup: + + * All existing certificates are signed with the SHA1 algorithm, and + can no longer be used (by default); and + * Some tests use 1024-bit certificates which can no longer be used + either. + + This change implements the workarounds to enable users to continue to + use old certificates, for the time being, with a warning: + + * Ensure that new installations are secure (stronger certificates + generated and required); + * Ensure that existing installations are not broken, even if they are + considered "weak"; + * Warn users if their certificates are (or might be) weak; + * Allow them to disable this warning if required (not recommended); + * Provide the option to not override the system-wide security level + (which may be higher than 2 in future). + + It does this by adding the new SSLSecurityLevel configuration option, + fixing the supplied scripts to generate stronger SSL certificates from + now on, replacing the old certificates used in tests, and adding tests + for the issue. If compiled with OpenSSL 1.0, existing behaviour will + not change, and the security level cannot be raised. The + SSLSecurityLevel option is recognised, but has no effect except to + show a warning that it is not supported. 
+ + More work could be done on making it easier to regenerate + certificates, however some discussion is needed to come up with a plan + that works and helps users. + + See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details. + + -- Reinhard Tartler <siretart@tauware.de> Mon, 27 May 2019 18:19:12 -0400 + +boxbackup (0.11~rc2+r2072-1) unstable; urgency=low + + * The upstream parts of this file have been renamed to a new file called + NEWS.upstream to make the process of updating it easier. + + -- Reinhard Tartler <siretart@tauware.de> Wed, 01 Apr 2009 10:24:51 +0200 + +boxbackup (0.10-1) unstable; urgency=low + + * This Package has been initially prepared and mantained by Jérôme + Schell since 2004 in a private repository. I like the software, and + decided to take it over in order to have it in Debian. Please note + that I'm actively looking for co-maintainers, so do not hesitate to + get a copy of my bzr branch and share your commits with me. + + The only major change has been to drop the boxbackup-utils package. It + contained only one single command to manage certificates. It has been + moved to the boxbackup-server package. + + The complete debconf integration has been written by Jérôme. It works + for me quite well. If it doesn't for you, please file a bug and CC + Jérôme to that bugreport. Thanks. + + -- Reinhard Tartler <siretart@tauware.de> Wed, 25 Apr 2007 18:06:04 +0200 |
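Review bot: the 0.13~~git20190527 entry describes the problem at length but never tells the administrator what to do about it. It introduces the new SSLSecurityLevel option, says the default keeps existing SHA1-signed and 1024-bit certificates working with a warning, and mentions that the warning can be disabled and that the system-wide level can be left unoverridden, yet it gives neither the configuration file and section where SSLSecurityLevel is set nor the values that select each of those behaviours. debian/NEWS is what apt-listchanges shows on upgrade, so that actionable part belongs in the file itself rather than only behind the wiki URL. It should also state plainly that the shipped default lowers the effective OpenSSL security level below the distribution's level 2 in order to keep old certificates working, so existing installations continue with weak certificates until the operator regenerates them with the updated scripts; "existing installations are not broken" reads as reassurance when it is in fact a downgrade the user is being asked to notice. A smaller point: the 0.11~rc2+r2072-1 entry says upstream material was moved to NEWS.upstream, but this entry pastes an upstream commit message verbatim into debian/NEWS; a short Debian-specific summary (what changed for this package, what to set, what to regenerate) with the upstream text left to NEWS.upstream would match that convention.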