
desktop-packages team mailing list archive

[Bug 1383519] [NEW] SSL 3.0 is vulnerable, browser should not use

 

*** This bug is a security vulnerability ***

Public security bug reported:

Release:14.04.1
Version: 33.0+build2-0ubuntu0.14.04.1

Firefox should be configured to avoid falling back to SSL 3.0 which is
a vulnerable protocol. This option should be configured by default.

More detail at:
http://www.kb.cert.org/vuls/id/577193

Browser reconfiguration info can be found at:
http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

This is slated to be fixed upstream in version 34, to be released in
late November.

For Ubuntu, the attached prefs files should be sufficient.
(/usr/lib/firefox/defaults/pref/poodle.js)

-Matt

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "/usr/lib/firefox/defaults/pref/poodle.js"
   https://bugs.launchpad.net/bugs/1383519/+attachment/4240850/+files/poodle.js

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1383519

Title:
  SSL 3.0 is vulnerable, browser should not use

Status in “firefox” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1383519/+subscriptions
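
One way to verify that a prefs file like the one proposed in this report actually takes effect, as an added example (not code from the bug report or from Firefox): a Python check that reads Firefox preference files and reports whether SSL 3.0 is still permitted. It assumes the relevant preference is `security.tls.version.min` (0 = SSL 3.0, 1 = TLS 1.0), which the report does not name, and that builds before version 34 default it to 0; the attachment's contents are not shown on the page, so the sample file text is constructed.

```python
import re

# Assumption: this integer pref sets the lowest protocol version Firefox will
# negotiate (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2).
PREF = "security.tls.version.min"
SSL3 = 0

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Anchored at line start, so a pref behind "//" is not counted as active.
PREF_LINE = re.compile(
    r'^\s*(?P<kind>user_pref|pref)\s*\(\s*"(?P<name>[^"]+)"\s*,'
    r"\s*(?P<value>-?\d+)\s*\)\s*;",
    re.M,
)

def effective_min(sources, builtin_default=0):
    """Return (value, origin) for PREF.

    sources is a list of (label, text) pairs in the order Firefox loads them.
    A user_pref() overrides any pref(); within one kind the last one wins.
    """
    seen = {"pref": None, "user_pref": None}
    for label, text in sources:
        for m in PREF_LINE.finditer(BLOCK_COMMENT.sub("", text)):
            if m["name"] == PREF:
                seen[m["kind"]] = (int(m["value"]), label)
    return seen["user_pref"] or seen["pref"] or (builtin_default, "built-in default")

def allows_ssl3(sources, builtin_default=0):
    """True when the effective minimum version still admits SSL 3.0."""
    value, _origin = effective_min(sources, builtin_default)
    return value <= SSL3

# Constructed sample inputs (not the real attachment or a real profile).
SITE_PREFS = '// site-wide default\npref("security.tls.version.min", 1);\n'
USER_OVERRIDE = 'user_pref("security.tls.version.min", 0);\n'
COMMENTED_OUT = ('/* pref("security.tls.version.min", 1); */\n'
                 '// pref("security.tls.version.min", 1);\n')

if __name__ == "__main__":
    cases = {
        "no prefs file": [],
        "site prefs only": [("poodle.js", SITE_PREFS)],
        "site prefs + user override": [("poodle.js", SITE_PREFS),
                                       ("prefs.js", USER_OVERRIDE)],
        "pref commented out": [("poodle.js", COMMENTED_OUT)],
    }
    for name, sources in cases.items():
        value, origin = effective_min(sources)
        state = "SSL 3.0 allowed" if allows_ssl3(sources) else "SSL 3.0 disabled"
        print(f"{name}: min={value} from {origin} -> {state}")
```

The third case matters for fleet audits: a site-wide default does not protect a profile where the user or an add-on has written a lower value into `prefs.js`.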

