Why no security update of apache2 concerning SSLv3?

To: debian-user@lists.debian.org
Subject: Why no security update of apache2 concerning SSLv3?
From: Vincent Lefevre <vincent@vinc17.net>
Date: Thu, 12 Mar 2015 13:00:39 +0100
Message-id: <[🔎] 20150312120039.GE10276@ypig.lip.ens-lyon.fr>
Mail-followup-to: debian-user@lists.debian.org

Why hasn't there been a security update of apache2 concerning SSLv3,
making users vulnerable to POODLE when they use a client supporting
SSLv3?

According to various articles found via a Google search[*], it is
strongly advised to disable SSLv3. Does Debian think differently?

[*] in particular:
http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution

The problem is that some admin assumes that Debian's default is safe
thus doesn't want to change:

  https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1

    "There was no update in the stable version, so the Debian
    security team didn't deem this critical enough. If Debian
    makes a security update this will be taken in account at
    InriaForge (and other Debian7-based sites) :)"

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Why no security update of apache2 concerning SSLv3?
  - From: David Guyot <david.guyot@europecamions-interactive.com>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Jochen Spieker <ml@well-adjusted.de>

Prev by Date: Re: No feedback from systemd / "systemctl stop X"... Nothing on stdout, nothing that `echo $?` can see...
Next by Date: Re: Why no security update of apache2 concerning SSLv3?
Previous by thread: Re: Debian 7 and screensavers
Next by thread: Re: Why no security update of apache2 concerning SSLv3?
Index(es):
- Date
- Thread