Version: 2.0.2-1
Hi Frederic, hi Stable & LTS teams,
Frederic's suggestion is to patch CUPS to disable SSLv3 and RC4 algorithms to
protect CUPS from the POODLE vulnerability.
Have we removed protocols' support in {old,}stable before? Ubuntu applied
this patch in Ubuntu Trusty, and Red Hat did it in RHEL-7. I can prepare the
patches if that's okay for the LTS and stable release teams.
Looking forward to your feedback!
Cheers,
OdyX
On Friday, 30 September 2016, 12.52:55 h CEST Frederic Bonnard wrote:
> would it be possible to review and maybe have this patch in wheezy? (maybe
> also jessie as all cups < 2.1b1 are concerned).
> It has been applied in Red Hat/CentOS and Ubuntu in greater version (1.6.3
> and 1.7.2).
> It disables SSLv3 by default but gives the possibility with AllowSSL3 to
> turn SSLv3 back on and also AllowRC4 turns on just the RC4 cyphers.
> I tried to backport it to 1.5.3, so double checking would be nice.
> I tried it and it seems to work (also options to re-enable SSL3/RC4
> cyphers). For Jessie, it seems that the patch from Ubuntu
> cups-1.7.2-0ubuntu1.7 applies with some refresh.
>
> https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
> https://bugzilla.redhat.com/show_bug.cgi?id=1161172
> https://www.cups.org/str.php?L4476