desktop-packages team mailing list archive

Thread
Date

[Bug 1383512] Re: SSL 3.0 is vulnerable, browser should not use

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Fri, 31 Oct 2014 21:25:38 -0000
Reply-to: Bug 1383512 <1383512@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thank you for using Ubuntu and filing a bug. I'm going to mark this bug
as "Won't Fix" because we don't want to disable SSLv3 before upstream
and the rest of the internet. As mentioned, this change is planned and
will happen with new upstream security update releases.

** Changed in: chromium-browser (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1383512

Title:
  SSL 3.0 is vulnerable, browser should  not use

Status in “chromium-browser” package in Ubuntu:
  Won't Fix

Bug description:
  Release:14.04.1 
  Version: 37.0.2062.120-0ubuntu0.14.04.1~pkg1049

  The Chromium browser requires an additonal flag to be specified at
  invocation to avoid falling back kto SSL 3.0 which is a vulnerable
  protocol.  This option/flag should be specified by default.  SSL 3.0
  is slated to be removed in the future, so the impact of this change is
  inevitable.

  More detail at:
  http://www.kb.cert.org/vuls/id/577193

  Browser reconfiguration info can be found at:
  http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

  For Ubuntu, the attached patch should be sufficient.
  (chromium_poodle.patch)

  -Matt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1383512/+subscriptions

References

[Bug 1383512] [NEW] SSL 3.0 is vulnerable, browser should not use
From: Matt Coates, 2014-10-20