
Re: Why no security update of apache2 concerning SSLv3?



On Thursday 12 March 2015 08:44:40 David Guyot wrote:
> Hello.
>
> That's a good question you're asking here. I, too, think that an
> Apache update should correct this default parameter. Nevertheless,
> it's probably because it's just an Apache parameter, not an Apache
> fault as such, that this default config have not been changed; I would
> say this is not a priority for the Debian developers. The default
> Debian config is designed as a balance between safety and usability,
> not as a vault like OpenBSD: it will be safe in MOST situations, but
> not all of them. Besides, Debian being a general purpose distro, the
> developers are forced to make compromises on the default configuration
> to allow it to function relatively well in most cases. That's why it
> can include config choices which are not the best ones regarding
> security, but the best compromise between security and usability, and
> between the various use cases.
>
> Even if it is strongly recommended to disable SSLv3, for certain
> installations like the ones above, it is not necessary. Beyond that,
> even if the default Debian config is safe, it is relative: for
> example, its default OpenSSH server config allows root login and login
> using password, which is not recommended at all if you want a truly
> secured system, which is the case of most users with a publicly
> reachable Apache server: those ones are supposed to take care of their
> Apache config, the default one being designed not only for a publicly
> available website, but also for internal sites, such as an intranet or
> a test server.
>
> Hoping that I'm right on my interpretation of this Apache update lack,

Considering that I _am_ running an apache server here, AND it faces the
world, this lack of a fix for POODLE seems to be a serious lack on the
part of the apache people for not pushing a fix, with lots of noise, or
if it's available, a fairly serious screw you attitude on the part of the
debian folks in control of that.  Strong language maybe, but it needs to
be said.
>
> Regards.
>
> Le jeudi 12 mars 2015 à 13:00 +0100, Vincent Lefevre a écrit :
> > Why hasn't there been a security update of apache2 concerning SSLv3,
> > making users vulnerable to POODLE when they use a client supporting
> > SSLv3?
> >
> > According to various articles found via a Google search[*], it is
> > strongly advised to disable SSLv3. Does Debian think differently?
> >
> > [*] in particular:
> > http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
> >
> > The problem is that some admin assumes that Debian's default is safe
> > thus doesn't want to change:
> >
> > https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
> >
> >     "There was no update in the stable version, so the Debian
> >     security team didn't deem this critical enough. If Debian
> >     makes a security update this will be taken in account at
> >     InriaForge (and other Debian7-based sites) :)"
> >
> > --
> > Vincent Lefèvre <vincent@vinc17.net> - Web:
> > <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog:
> > <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic
> > / AriC project (LIP, ENS-Lyon)

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
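The thread above turns on whether a shipped `SSLProtocol` line still leaves SSLv3 enabled. The following is an added audit example, not code from any participant or from Debian's apache2 package: it evaluates `SSLProtocol` arguments the way mod_ssl does (`+proto` adds, `-proto` removes, a bare token replaces the set, `all` expands to every protocol) and flags directives in a constructed config that keep SSLv3 on.

```python
import re

# What mod_ssl's "all" keyword expanded to in the Apache 2.2/2.4 era
# (the exact members do not matter for the SSLv3 verdict, only that SSLv3 is one of them).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}  # protocol names are case-insensitive


def enabled_protocols(directive_value):
    """Return the set of protocols an SSLProtocol argument list enables.
    Mirrors mod_ssl: '+X' adds X, '-X' removes X, a bare 'X' REPLACES the set
    (so 'SSLProtocol -SSLv3 all' silently turns SSLv3 back on)."""
    enabled = set()
    for token in directive_value.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in _CANONICAL:
            names = {_CANONICAL[name.lower()]}
        else:
            raise ValueError("Illegal protocol %r" % name)  # Apache refuses such a config
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def sslv3_allowed(directive_value):
    return "SSLv3" in enabled_protocols(directive_value)


def audit_config(config_text):
    """Return (line_number, directive_value) for each non-comment SSLProtocol
    directive that still leaves SSLv3 enabled. A config with no SSLProtocol line
    at all falls back to the module's built-in default and should be reviewed too."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"SSLProtocol\s+(.+)", stripped, re.IGNORECASE)
        if m and sslv3_allowed(m.group(1).strip()):
            findings.append((lineno, m.group(1).strip()))
    return findings


# Constructed sample vhost config (not Debian's shipped ssl.conf).
SAMPLE_CONF = """# constructed sample
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLProtocol all
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, value in audit_config(SAMPLE_CONF):
        print("line %d: 'SSLProtocol %s' still permits SSLv3 (POODLE)" % (lineno, value))
```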

