
Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE

Version: 2.0.2-1

Hi Frederic, hi Stable & LTS teams,

Frederic's suggestion is to patch CUPS to disable SSLv3 and RC4 algorithms to 
protect CUPS from the POODLE vulnerability.

Have we removed protocols' support in {old,}stable before? Ubuntu applied 
this patch in Ubuntu Trusty, and Red Hat did it in RHEL-7. I can prepare the 
patches if that's okay for the LTS and stable release teams.

Looking forward to your feedback!

On Friday, 30 September 2016, 12.52:55 h CEST, Frederic Bonnard wrote:
> Would it be possible to review and maybe have this patch in wheezy? (maybe
> also jessie as all cups < 2.1b1 are concerned).
> It has been applied in Red Hat/CentOS and Ubuntu in greater versions (1.6.3
> and 1.7.2).
> It disables SSLv3 by default but gives the possibility with AllowSSL3 to
> turn SSLv3 back on, and also AllowRC4 turns on just the RC4 cyphers.
> I tried to backport it to 1.5.3, so double checking would be nice.
> I tried it and it seems to work (also options to re-enable SSL3/RC4
> cyphers). For Jessie, it seems that the patch from Ubuntu
> cups-1.7.2-0ubuntu1.7 applies with some refresh.
> https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
> https://bugzilla.redhat.com/show_bug.cgi?id=1161172
> https://www.cups.org/str.php?L4476

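A configuration check for the two opt-in options named in the quoted message, added here as an example; it is not part of the original e-mail or of the CUPS patch. It assumes the options are set on an `SSLOptions` line, as in upstream CUPS, and the sample configuration is constructed.

```python
import re

# Options that, per the message above, turn the weak settings back on.
WEAK_OPTIONS = {
    "allowssl3": "SSLv3 re-enabled (exposed to POODLE)",
    "allowrc4": "RC4 ciphers re-enabled",
}

# Assumption: the options appear on an "SSLOptions" line, as in upstream CUPS.
DIRECTIVE = re.compile(r"^\s*SSLOptions\s+(.*)$", re.IGNORECASE)

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
# constructed sample
Listen localhost:631
#SSLOptions AllowSSL3
SSLOptions AllowRC4
DefaultEncryption Required
ssloptions AllowRC4 AllowSSL3
"""


def audit_ssl_options(conf_text):
    """Return (line_number, option, reason) for every weak option that is set."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments and commented-out lines
        match = DIRECTIVE.match(line)
        if not match:
            continue
        for token in match.group(1).split():
            reason = WEAK_OPTIONS.get(token.lower())
            if reason:
                findings.append((lineno, token, reason))
    return findings


if __name__ == "__main__":
    for lineno, token, reason in audit_ssl_options(SAMPLE):
        print(f"line {lineno}: {token}: {reason}")
```

An empty result means neither option is set, so a patched build stays on its default of SSLv3 and RC4 disabled.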