desktop-packages team mailing list archive

[Bug 1383512] [NEW] SSL 3.0 is vulnerable, browser should not use

 

*** This bug is a security vulnerability ***

Public security bug reported:

Release: 14.04.1
Version: 37.0.2062.120-0ubuntu0.14.04.1~pkg1049

The Chromium browser requires an additional flag to be specified at
invocation to avoid falling back to SSL 3.0, which is a vulnerable
protocol.  This option/flag should be specified by default.  SSL 3.0 is
slated to be removed in the future, so the impact of this change is
inevitable.

More detail at:
http://www.kb.cert.org/vuls/id/577193

Browser reconfiguration info can be found at:
http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

For Ubuntu, the attached patch should be sufficient.
(chromium_poodle.patch)

-Matt

** Affects: chromium-browser (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "Work-around"
   https://bugs.launchpad.net/bugs/1383512/+attachment/4240841/+files/chromium_poodle.patch

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1383512

Title:
  SSL 3.0 is vulnerable, browser should not use

Status in “chromium-browser” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1383512/+subscriptions

