boxbackup (0.13~~git20190527.g039c4a1-1) experimental; urgency=medium

  * Taken from upstream commit 55aacf51d83c28d1046dcde84df6dc18cee808af:

    Fix Debian bug 907135: weak certificates

    Debian Linux has recently upgraded to OpenSSL 1.1.1, which has increased
    the default global security level from 1 to 2. Level 2 does not accept
    certificates with 1024-bit keys, and certificates signed with the SHA1
    algorithm, considering them to be weak and therefore dangerous. It now
    requires a minimum of 2048-bit keys and SHA256 signatures. (At the time
    of writing, this change is only in Debian Unstable, but it will
    eventually make its way into a stable release.)

    This has caused the following issues with Box Backup:

    * All existing certificates are signed with the SHA1 algorithm, and can
      no longer be used (by default); and
    * Some tests use 1024-bit certificates which can no longer be used
      either.

    This change implements the workarounds to enable users to continue to
    use old certificates, for the time being, with a warning:

    * Ensure that new installations are secure (stronger certificates
      generated and required);
    * Ensure that existing installations are not broken, even if they are
      considered "weak";
    * Warn users if their certificates are (or might be) weak;
    * Allow them to disable this warning if required (not recommended);
    * Provide the option to not override the system-wide security level
      (which may be higher than 2 in future).

    It does this by adding the new SSLSecurityLevel configuration option,
    fixing the supplied scripts to generate stronger SSL certificates from
    now on, replacing the old certificates used in tests, and adding tests
    for the issue.

    If compiled with OpenSSL 1.0, existing behaviour will not change, and
    the security level cannot be raised. The SSLSecurityLevel option is
    recognised, but has no effect except to show a warning that it is not
    supported.

    More work could be done on making it easier to regenerate certificates,
    however some discussion is needed to come up with a plan that works and
    helps users. See
    https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates for
    more details.

 -- Reinhard Tartler  Mon, 27 May 2019 18:19:12 -0400

boxbackup (0.11~rc2+r2072-1) unstable; urgency=low

  * The upstream parts of this file have been renamed to a new file called
    NEWS.upstream to make the process of updating it easier.

 -- Reinhard Tartler  Wed, 01 Apr 2009 10:24:51 +0200

boxbackup (0.10-1) unstable; urgency=low

  * This package has been initially prepared and maintained by Jérôme
    Schell since 2004 in a private repository. I like the software, and
    decided to take it over in order to have it in Debian. Please note that
    I'm actively looking for co-maintainers, so do not hesitate to get a
    copy of my bzr branch and share your commits with me.

    The only major change has been to drop the boxbackup-utils package. It
    contained only one single command to manage certificates. It has been
    moved to the boxbackup-server package.

    The complete debconf integration has been written by Jérôme. It works
    for me quite well. If it doesn't for you, please file a bug and CC
    Jérôme on that bug report. Thanks.

 -- Reinhard Tartler  Wed, 25 Apr 2007 18:06:04 +0200
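The check a practitioner would want after reading the 0.13 entry, added here as an example (it is not part of Box Backup or its Debian packaging): issue one certificate pair of each kind with openssl(1), classify them by the thresholds the entry names (RSA keys below 2048 bits, SHA1 signatures), and let libcrypto confirm the point with `openssl verify -auth_level`, which applies the same 80-bit (level 1) and 112-bit (level 2) minimums to the chain. The subject names are made up, the script assumes an `openssl` binary of version 1.1.0 or later (where `-auth_level` exists), and it does not touch Box Backup's own SSLSecurityLevel option.

```sh
#!/bin/sh
# Added example, not part of Box Backup or its Debian packaging.
# A 1024-bit, SHA1-signed pair verifies at authentication security level 1
# and fails at level 2; a 2048-bit, SHA256-signed pair passes at level 2.
# Requires OpenSSL >= 1.1.0 for `openssl verify -auth_level`.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA and a CA-signed client certificate with the given
# RSA key size and signature digest. Subject names are made up for the demo.
#   $1 = key bits, $2 = digest (sha1 or sha256), $3 = file prefix
issue_pair() {
    bits=$1; digest=$2; p="$WORK/$3"
    openssl req -x509 -newkey "rsa:$bits" -nodes -"$digest" -days 30 \
        -subj "/CN=Demo Backup CA" -keyout "$p-ca.key" -out "$p-ca.pem" 2>/dev/null
    openssl req -newkey "rsa:$bits" -nodes -subj "/CN=BACKUP-1" \
        -keyout "$p-client.key" -out "$p-client.csr" 2>/dev/null
    openssl x509 -req -"$digest" -days 30 -in "$p-client.csr" \
        -CA "$p-ca.pem" -CAkey "$p-ca.key" -CAcreateserial \
        -out "$p-client.pem" 2>/dev/null
}

# Classify one certificate by the level 2 thresholds (112 bits of security):
# prints "weak" for an RSA key below 2048 bits or an MD5/SHA1 signature,
# "strong" otherwise.  $1 = PEM file
cert_strength() {
    text=$(openssl x509 -noout -text -in "$1")
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
    keybits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    case "$sigalg" in
        *md5*|*sha1*) echo weak; return ;;
    esac
    if [ "${keybits:-0}" -lt 2048 ]; then echo weak; else echo strong; fi
}

# Ask libcrypto itself whether the client chain verifies at an auth level.
# verify(1) does not check the signature digest of the trust anchor, so the
# client certificate's signature and both key sizes decide the outcome.
#   $1 = auth level (1 or 2), $2 = file prefix used with issue_pair
verify_result() {
    if openssl verify -auth_level "$1" -CAfile "$WORK/$2-ca.pem" \
            "$WORK/$2-client.pem" >/dev/null 2>&1; then
        echo pass
    else
        echo fail
    fi
}

issue_pair 1024 sha1   old   # SHA1-signed like the existing certificates, 1024-bit like the old test ones
issue_pair 2048 sha256 new   # what the fixed scripts generate from now on

for p in old new; do
    printf '%s certificate: %s; verify at level 1: %s; at level 2: %s\n' \
        "$p" "$(cert_strength "$WORK/$p-client.pem")" \
        "$(verify_result 1 "$p")" "$(verify_result 2 "$p")"
done
```

Point `cert_strength` at an existing bbackupd or bbstored certificate to triage it before an OpenSSL upgrade; a "weak" result is what the new SSLSecurityLevel warning is about, and only regenerating the certificate (not lowering the level) removes it.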