Release proposal: v0.12.12 (LTS)

Rodrigo Muino Tomonari requested to merge v0.12.12-proposal into v0.12

This adds a commit that was missed in v0.12.11 but should have gone out with it. I don't believe this is a big deal because SSLv2 has to be enabled with OpenSSL 1.0.1s, which we didn't do on v0.12.11, so --enable-ssl2 probably does nothing, although I haven't tested what it does yet. This properly removes it.

By chance, I also forgot to put the "Remove SSLv2 support" item in "Notable changes" for v0.12.11 and was going to submit a fixup PR to add it to the ChangeLog. But it wasn't properly removed anyway!

/cc @bnoordhuis

Notable changes:

  • openssl: Remove SSLv2 support; the --enable-ssl2 command-line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800
