[Pkg-nginx-maintainers] Bug#982745: nginx-common: don't enable TLSv1 or TLSv1.1 in default configuration
Diederik de Haas
didi.debian at cknow.org
Tue Apr 20 12:12:58 BST 2021
Control: severity -1 grave
Control: notforwarded -1
I did not get any response to my bug report which I tagged with 'security', so
I'm upping the severity and believe the Debian documentation justifies it.
https://www.debian.org/Bugs/Developer#severities says:
"Most security bugs should also be set at critical or grave severity."
Feel free to downgrade the severity if you don't agree this is a security or a
'grave' issue (which should be fixed before Bullseye is released).
But then I'll at least know someone has seen and evaluated the issue.
I've also cleared the 'forwarded' as it is not an upstream issue.
https://salsa.debian.org/nginx-team/nginx/-/merge_requests/7 still contains my
patch which fixes this issue by removing "TLSv1 TLSv1.1" from the
"ssl_protocols" setting in debian/conf/nginx.conf
https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 says:
"The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1
or higher before June 30, 2018. In October 2018, Apple, Google, Microsoft, and
Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020."
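The report above objects to a default `ssl_protocols` line that still lists TLSv1 and TLSv1.1. The following is an added example, not the reporter's patch, the Debian package's file or nginx's own code: a small linter that scans nginx configuration text for `ssl_protocols` directives and flags deprecated protocol versions, run over two constructed snippets that model the "before" and "after" shape of the setting (the exact contents of debian/conf/nginx.conf are assumed, not copied). It also checks every directive, because a `server`-level `ssl_protocols` overrides the `http`-level one in nginx, so a hardened top-level line can still be undone further down.

```python
"""Lint nginx configuration text for deprecated TLS versions in ssl_protocols directives."""
import re

# Versions that should not be enabled: SSLv2/SSLv3 are long dead, TLS 1.0/1.1 are deprecated by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# One ssl_protocols directive per line; group 1 is the space-separated protocol list before ';'.
DIRECTIVE_RE = re.compile(r"^\s*ssl_protocols\s+([^;]*);")

# Constructed sample modelled on the pre-fix shape described in the report (not the real Debian file).
BEFORE = """\
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample of the corrected shape: TLSv1 and TLSv1.1 removed, as the merge request does.
AFTER = """\
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample where a server block re-enables TLSv1.1 despite a hardened http-level default.
OVERRIDDEN = """\
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.1 TLSv1.2;  # overrides the http-level setting for this vhost
    }
}
"""


def strip_comment(line):
    """Drop an nginx '#' comment. Simplified: nginx only treats '#' as a comment at a token start,
    but that distinction does not matter for ssl_protocols values."""
    return line.split("#", 1)[0]


def lint_ssl_protocols(config_text):
    """Return [(line_number, protocols, deprecated_found), ...] for every ssl_protocols directive."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE_RE.match(strip_comment(raw))
        if not match:
            continue
        protocols = match.group(1).split()
        bad = [p for p in protocols if p in DEPRECATED]
        findings.append((lineno, protocols, bad))
    return findings


def is_hardened(config_text):
    """True only if at least one ssl_protocols directive is present and none enables a deprecated version.
    With no directive at all, nginx's compiled-in default applies, and older releases included TLSv1
    and TLSv1.1 in that default, so an absent directive is treated as not hardened."""
    findings = lint_ssl_protocols(config_text)
    return bool(findings) and all(not bad for _, _, bad in findings)


if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER), ("OVERRIDDEN", OVERRIDDEN)):
        print(f"{name}: hardened={is_hardened(text)}")
        for lineno, protocols, bad in lint_ssl_protocols(text):
            status = f"deprecated: {' '.join(bad)}" if bad else "ok"
            print(f"  line {lineno}: ssl_protocols {' '.join(protocols)}  -> {status}")
```

Running it prints a per-directive verdict; the `OVERRIDDEN` sample shows why a check must walk every `ssl_protocols` line rather than stop at the first one, and why an empty result is reported as not hardened rather than as a pass.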