desktop-packages team mailing list archive

[Bug 1383519] Re: SSL 3.0 is vulnerable, browser should not use

 

Thank you for using Ubuntu and filing a bug. I am going to mark this as
"Won't Fix" for now since we don't want to disable SSLv3 ahead of
upstream of the rest of the internet. Firefox plans to disable SSLv3 by
default soon, so this update will happen when the new upstream release
is pushed to Ubuntu.

** Changed in: firefox (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1383519

Title:
  SSL 3.0 is vulnerable, browser should not use

Status in “firefox” package in Ubuntu:
  Won't Fix

Bug description:
  Release: 14.04.1
  Version: 33.0+build2-0ubuntu0.14.04.1

  Firefox should be configured to avoid falling back to SSL 3.0 which
  is a vulnerable protocol. This option should be configured by default.

  More detail at:
  http://www.kb.cert.org/vuls/id/577193

  Browser reconfiguration info can be found at:
  http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

  This is slated to be fixed upstream in version 34, to be released in
  late November.

  For Ubuntu, the attached prefs files should be sufficient.
  (/usr/lib/firefox/defaults/pref/poodle.js)

  -Matt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1383519/+subscriptions
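
An added example, not part of the original message and not the attached prefs file: a Python check that reads Firefox preference files and reports whether the effective security.tls.version.min still permits SSL 3.0 (0 allows it, 1 or higher does not). The file names, the sample contents, the "later file overrides earlier" ordering and the built-in default of 0 for releases before 34 are assumptions made for illustration.

```python
import re

# Integer encoding Firefox uses for security.tls.version.min / .max.
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF_NAME = "security.tls.version.min"

# Matches integer prefs at the start of a line, so "// pref(...)" is ignored.
PREF_RE = re.compile(
    r'^\s*(?:pref|user_pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)

def strip_block_comments(text):
    """Remove /* ... */ comments so a commented-out pref is not counted."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)

def audit(files, builtin_default=0):
    """files: ordered list of (name, content); a later definition overrides
    an earlier one (assumed load order). builtin_default is the value the
    browser uses when no file sets the pref (assumed 0 before Firefox 34)."""
    value, source = builtin_default, "built-in default (assumed)"
    for name, content in files:
        for key, num in PREF_RE.findall(strip_block_comments(content)):
            if key == PREF_NAME:
                value, source = int(num), name
    return {
        "min": value,
        "protocol": TLS_VERSIONS.get(value, "unknown"),
        "source": source,
        "ssl3_allowed": value < 1,
    }

# Constructed sample: a vendor file that never sets the floor.
SAMPLE_VENDOR = '''// constructed sample of a distribution default file
pref("browser.startup.homepage", "about:home");
// pref("security.tls.version.min", 1);
'''

# Constructed sample: a hardening file that raises the floor to TLS 1.0.
SAMPLE_HARDENED = '''/* constructed sample, hypothetical file name zz-hardening.js */
pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    print(audit([("vendor.js", SAMPLE_VENDOR)]))
    print(audit([("vendor.js", SAMPLE_VENDOR), ("zz-hardening.js", SAMPLE_HARDENED)]))
```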

