desktop-packages team mailing list archive

[Bug 1505328] Re: Cups SSL is vulnerable to POODLE

 

1- The debdiff in comment #9 still contains an extra cups-1.7.2/lets_patch_this.patch section. Could you please remove it?
2- Please add an origin tag to the patch that traces back to Red Hat's 1161172 bug, since I believe that's what you based the backport on.

3- Also, I don't think we should do this change:


@@ -4811,7 +4813,10 @@
   if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls)
   {
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
-    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+    else
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
   }
 #endif /* HAVE_SSL */
 
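Review bot: In the `if (tls_options & _HTTP_TLS_ALLOW_SSL3)` branch, the client lists SSL/3.0 in the Upgrade field next to the TLS tokens, so a connection that is marked HTTP_ENCRYPTION_REQUIRED but has no TLS yet (`!http->tls`) asks to be upgraded to the protocol this backport is meant to turn off by default. Suggest leaving the original single call `httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");` untouched and letting the allow-SSL3 option apply only where the TLS context is configured. tls_options is also not declared anywhere in the visible lines, so if the branch stays, the patch should show where it is defined and set before this path runs.
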
@@ -5572,7 +5590,10 @@
 
   httpClearFields(http);
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
-  httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+  if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+  else
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
 
   if ((ret = httpOptions(http, "*")) == 0)
   {
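
Review bot: The two Upgrade strings added before `httpOptions(http, "*")` are a second copy of the pair in the previous hunk, differing only by the trailing `,SSL/3.0`, and two hand-maintained copies of a protocol list will drift apart. If the SSL/3.0 token is kept at all, build the value in one place (a single constant or helper used by both call sites); otherwise drop the branch and keep the original line, which also avoids asking the server for an SSL/3.0 upgrade in this explicit upgrade request.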

It doesn't make sense to "upgrade" to sslv3.

So, looking at the patch, I believe this should be an SRU, and not a
security update.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1505328

Title:
  Cups SSL is vulnerable to POODLE

Status in cups package in Ubuntu:
  New

Bug description:
  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to
  poodle, and there does not appear to be any way to mitigate it in Cups
  config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable sslv3 in the 12.04/14.04 cups by default and
  backport the option to turn it back on?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+subscriptions

