Why no security update of apache2 concerning SSLv3?
Why hasn't there been a security update of apache2 concerning SSLv3,
making users vulnerable to POODLE when they use a client supporting
SSLv3?
According to various articles found via a Google search[*], it is
strongly advised to disable SSLv3. Does Debian think differently?
[*] in particular:
http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
The problem is that some admin assumes that Debian's default is safe
and thus doesn't want to change it:
https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
"There was no update in the stable version, so the Debian
security team didn't deem this critical enough. If Debian
makes a security update this will be taken into account at
InriaForge (and other Debian7-based sites) :)"
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)