touch-packages team mailing list archive

Thread
Date

[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Bryan Quigley <bryan.quigley@xxxxxxxxxxxxx>
Date: Wed, 25 Nov 2015 21:54:19 -0000
Reply-to: Bug 1510163 <1510163@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Tested both with ssllabs should go from F rating to C rating - POODLE
TLS issue should be gone, but SSLv3 will still be enabled.  That's a
separate bug - 1505328.

** Patch added: "trusty debdiff"
   https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525426/+files/gnutls26_2.12.23-12ubuntu2.3.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1510163

Title:
  Poodle TLS1.0 issue in Trusty (and Precise)

Status in gnutls26 package in Ubuntu:
  New

Bug description:
  [Impact] 
  Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

  
  [Test Case]
  launch a new trusty VM
  sudo apt-get install cups
  Open /etc/cups/cupsd.conf and change just this one section
  ...
  # Only listen for connections from the local machine.
  #Listen localhost:631
  Listen /var/run/cups/cups.sock

  SSLPort 443
  SSLOptions None
  ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
  ...
  Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/

  [Regression Potential] 
  This is a simple off by one error, that's fixed in all newer versions of gnutls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+subscriptions

References

[Bug 1510163] [NEW] Poodle TLS1.0 issue in Trusty (and Precise)
From: Bryan Quigley, 2015-10-26