
desktop-packages team mailing list archive

[Bug 1383512] Re: SSL 3.0 is vulnerable, browser should not use

 

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1383512

Title:
  SSL 3.0 is vulnerable, browser should not use

Status in “chromium-browser” package in Ubuntu:
  New

Bug description:
  Release:14.04.1 
  Version: 37.0.2062.120-0ubuntu0.14.04.1~pkg1049

  The Chromium browser requires an additional flag to be specified at
  invocation to avoid falling back to SSL 3.0 which is a vulnerable
  protocol.  This option/flag should be specified by default.  SSL 3.0
  is slated to be removed in the future, so the impact of this change is
  inevitable.

  More detail at:
  http://www.kb.cert.org/vuls/id/577193

  Browser reconfiguration info can be found at:
  http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

  For Ubuntu, the attached patch should be sufficient.
  (chromium_poodle.patch)

  -Matt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1383512/+subscriptions
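
An added example, not part of the bug report or its attached patch: a small audit that checks whether each launch command in a .desktop file sets a minimum protocol above SSL 3.0. It assumes the flag in question is Chromium's --ssl-version-min switch (the report does not name it); the sample launcher and the function names are constructed for illustration.

```python
import shlex

FLAG = "--ssl-version-min"  # Chromium switch; assumed here, not named in the report
# Values the switch accepted, weakest first.
RANK = {"ssl3": 0, "tls1": 1, "tls1.1": 2, "tls1.2": 3}

def classify(command):
    """Classify one launch command by the minimum protocol it permits."""
    values = [t.split("=", 1)[1].lower()
              for t in shlex.split(command) if t.startswith(FLAG + "=")]
    if not values:
        return "missing"  # no switch: the fallback the report describes is possible
    if any(v not in RANK for v in values):
        return "unknown-value"
    # If the switch is repeated, judge by the weakest value (conservative choice).
    weakest = min(RANK[v] for v in values)
    return "ok" if weakest >= RANK["tls1"] else "allows-ssl3"

def audit_desktop_entry(text):
    """Return (command, verdict) for every Exec= line of a .desktop file."""
    findings = []
    for line in text.splitlines():
        if line.startswith("Exec="):
            command = line[len("Exec="):]
            findings.append((command, classify(command)))
    return findings

# Constructed sample launcher, not taken from the Ubuntu package.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Name=Chromium Web Browser
Exec=chromium-browser %U
Type=Application

[Desktop Action NewWindow]
Exec=chromium-browser --ssl-version-min=tls1

[Desktop Action Incognito]
Exec=chromium-browser --incognito --ssl-version-min=ssl3
"""

if __name__ == "__main__":
    for command, verdict in audit_desktop_entry(SAMPLE_DESKTOP):
        print(f"{verdict:14} {command}")
```

Any Exec= line reported as "missing" or "allows-ssl3" is a launcher that still starts the browser without the restriction the report asks to make the default.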

