desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #149370
[Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Description changed:
+ [Impact]
+
+ * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default.
+ * Users who have clients that don't support TLS1.0 will not be able to connect, unless
+ they specify the additional options in cupsd.conf.
+
+ [Test Case]
+
+ * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
+ * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
+ * Same but specify SSLOptions to AllowSSL3 or AllowRC4.
+
+ [Regression Potential]
+
+ * One assumption was this should only affect WinXP and even then only
+ IE6 winxp users. If incorrect more could be affected.
+
+ * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
+ some unknown corner case. There's no evidence of this and other distros
+ have deployed a very similar patch.
+
+ [Other Info]
+
+ * Only targetting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.
+
+
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle,
and there does not appear to be any way to mitigate it in Cups config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable ssvl3 in the 12.04/14.04 cups by default and backport
the option to turn it back on?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1505328
Title:
Cups SSL is vulernable to POODLE
Status in cups package in Ubuntu:
New
Bug description:
[Impact]
* Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default.
* Users who have clients that don't support TLS1.0 will not be able to connect, unless
they specify the additional options in cupsd.conf.
[Test Case]
* Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
* Same but specify SSLOptions to AllowSSL3 or AllowRC4.
[Regression Potential]
* One assumption was this should only affect WinXP and even then only
IE6 winxp users. If incorrect more could be affected.
* The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
some unknown corner case. There's no evidence of this and other
distros have deployed a very similar patch.
[Other Info]
* Only targetting 14.04 because of my assumption that if you're on
12.04 you are more likely to have older clients connecting to it.
Original description:
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to
poodle, and there does not appear to be any way to mitigate it in Cups
config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable ssvl3 in the 12.04/14.04 cups by default and
backport the option to turn it back on?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+subscriptions
References