path: root/debian/NEWS
blob: 65ad0d25d8163e5f3a8aaa2270d9afbaf71049a9 (plain)
boxbackup (0.13~~git20190527.g039c4a1-1) experimental; urgency=medium

  * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af:

    Fix Debian bug 907135: weak certificates

    Debian Linux have recently upgraded to OpenSSL 1.1.1, which has
    increased the default global security level from 1 to 2. Level 2 does
    not accept certificates with 1024-bit keys, and certificates signed
    with the SHA1 algorithm, considering them to be weak and therefore
    dangerous. It now requires a minimum of 2048-bit keys and SHA256
    signatures. (At the time of writing, this change is only in Debian
    Unstable, but it will eventually make its way into a stable release.)

    This has caused the following issues with Box Backup:

    * All existing certificates are signed with the SHA1 algorithm, and
      can no longer be used (by default); and
    * Some tests use 1024-bit certificates which can no longer be used
      either.

    This change implements the workarounds to enable users to continue to
    use old certificates, for the time being, with a warning:

    * Ensure that new installations are secure (stronger certificates
      generated and required);
    * Ensure that existing installations are not broken, even if they are
      considered "weak";
    * Warn users if their certificates are (or might be) weak;
    * Allow them to disable this warning if required (not recommended);
    * Provide the option to not override the system-wide security level
      (which may be higher than 2 in future).

    It does this by adding the new SSLSecurityLevel configuration option,
    fixing the supplied scripts to generate stronger SSL certificates from
    now on, replacing the old certificates used in tests, and adding tests
    for the issue.  If compiled with OpenSSL 1.0, existing behaviour will
    not change, and the security level cannot be raised. The
    SSLSecurityLevel option is recognised, but has no effect except to
    show a warning that it is not supported.

    More work could be done on making it easier to regenerate
    certificates, however some discussion is needed to come up with a plan
    that works and helps users.

    See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for more details.

 -- Reinhard Tartler <siretart@tauware.de>  Mon, 27 May 2019 18:19:12 -0400
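
The level-2 rules the entry above describes, as an added check that is not Box Backup's own code: it parses a DER-encoded certificate with the Python standard library alone and reports whether the certificate would be refused for an RSA key shorter than 2048 bits or for a SHA1 signature. It assumes RSA keys, and the sample input is a constructed, unsigned certificate-shaped blob built by the example itself.

```python
# Added example (not Box Backup's own code). Using only the standard library, parse a
# DER-encoded X.509 certificate and report which of the level-2 rules from the NEWS
# entry it fails: RSA key shorter than 2048 bits, or a SHA1 signature. Assumes RSA keys.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
def der(tag, body):  # encode one DER tag-length-value (used only to build the sample)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body):  # split the body of a DER SEQUENCE into (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                      # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def weak_for_seclevel2(cert_der):  # list of level-2 rules the certificate violates
    tbs, sig_alg, _sig = children(children(cert_der)[0][1])  # Certificate ::= SEQ {tbs, alg, sig}
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]   # drop the optional [0] version
    spki = fields[5]                         # serial, alg, issuer, validity, subject, spki
    spki_alg, key_bits = children(spki[1])
    problems = []
    if children(sig_alg[1])[0][1] == OID_SHA1_RSA:
        problems.append("signature uses SHA1")
    if children(spki_alg[1])[0][1] == OID_RSA:
        rsa_key = children(key_bits[1][1:])[0][1]             # skip the BIT STRING pad byte
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
        if bits < 2048:
            problems.append(f"RSA key is only {bits} bits")
    return problems

def sample_cert(modulus_bits, sig_oid):
    # Constructed, unsigned, certificate-shaped DER blob; only its public structure matters here.
    def integer(v):
        return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps the sign byte
    def alg(oid):
        return der(0x30, der(0x06, oid) + der(0x05, b""))
    name = der(0x30, b"")                                     # an empty Name is enough here
    validity = der(0x30, der(0x17, b"190527000000Z") * 2)
    rsa_key = der(0x30, integer((1 << (modulus_bits - 1)) | 1) + integer(65537))
    spki = der(0x30, alg(OID_RSA) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, integer(2)) + integer(1) + alg(sig_oid) + name + validity + name + spki)
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 17))
```

On a real certificate, read the DER bytes from the file (or convert PEM with the `base64` module) and pass them to `weak_for_seclevel2`; an empty list means neither rule would reject it.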

boxbackup (0.11~rc2+r2072-1) unstable; urgency=low

  * The upstream parts of this file have been renamed to a new file called
    NEWS.upstream to make the process of updating it easier.

 -- Reinhard Tartler <siretart@tauware.de>  Wed, 01 Apr 2009 10:24:51 +0200

boxbackup (0.10-1) unstable; urgency=low

  * This Package has been initially prepared and maintained by Jérôme
    Schell since 2004 in a private repository. I like the software, and
    decided to take it over in order to have it in Debian. Please note
    that I'm actively looking for co-maintainers, so do not hesitate to
    get a copy of my bzr branch and share your commits with me.

    The only major change has been to drop the boxbackup-utils package. It
    contained only one single command to manage certificates. It has been
    moved to the boxbackup-server package.

    The complete debconf integration has been written by Jérôme. It works
    for me quite well. If it doesn't for you, please file a bug and CC
    Jérôme to that bug report. Thanks.

 -- Reinhard Tartler <siretart@tauware.de>  Wed, 25 Apr 2007 18:06:04 +0200