desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #79158
[Bug 1383512] Re: SSL 3.0 is vulnerable, browser should not use
Thank you for using Ubuntu and filing a bug. I'm going to mark this bug
as "Won't Fix" because we don't want to disable SSLv3 before upstream
and the rest of the internet. As mentioned, this change is planned and
will happen with new upstream security update releases.
** Changed in: chromium-browser (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1383512
Title:
SSL 3.0 is vulnerable, browser should not use
Status in “chromium-browser” package in Ubuntu:
Won't Fix
Bug description:
Release:14.04.1
Version: 37.0.2062.120-0ubuntu0.14.04.1~pkg1049
The Chromium browser requires an additonal flag to be specified at
invocation to avoid falling back kto SSL 3.0 which is a vulnerable
protocol. This option/flag should be specified by default. SSL 3.0
is slated to be removed in the future, so the impact of this change is
inevitable.
More detail at:
http://www.kb.cert.org/vuls/id/577193
Browser reconfiguration info can be found at:
http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/
For Ubuntu, the attached patch should be sufficient.
(chromium_poodle.patch)
-Matt
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1383512/+subscriptions
References