desktop-packages team mailing list archive

Thread
Date

[Bug 1383512] Re: SSL 3.0 is vulnerable, browser should not use

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Ubuntu Foundations Team Bug Bot <1383512@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Oct 2014 00:22:33 -0000
Reply-to: Bug 1383512 <1383512@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The attachment "chromium_poodle.patch" seems to be a patch.  If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1383512

Title:
  SSL 3.0 is vulnerable, browser should  not use

Status in “chromium-browser” package in Ubuntu:
  New

Bug description:
  Release:14.04.1 
  Version: 37.0.2062.120-0ubuntu0.14.04.1~pkg1049

  The Chromium browser requires an additonal flag to be specified at
  invocation to avoid falling back kto SSL 3.0 which is a vulnerable
  protocol.  This option/flag should be specified by default.  SSL 3.0
  is slated to be removed in the future, so the impact of this change is
  inevitable.

  More detail at:
  http://www.kb.cert.org/vuls/id/577193

  Browser reconfiguration info can be found at:
  http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

  For Ubuntu, the attached patch should be sufficient.
  (chromium_poodle.patch)

  -Matt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1383512/+subscriptions

References

[Bug 1383512] [NEW] SSL 3.0 is vulnerable, browser should not use
From: Matt Coates, 2014-10-20