← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #121582

[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

  Thread PreviousDate PreviousThread Next 
This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---------------
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley <bryan.quigley@xxxxxxxxxxxxx>  Wed, 25 Nov 2015
21:37:58 +0000

** Changed in: gnutls26 (Ubuntu Precise)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1510163

Title:
  Poodle TLS1.0 issue in Trusty (and Precise)

Status in gnutls26 package in Ubuntu:
  Fix Released
Status in gnutls26 source package in Precise:
  Fix Released
Status in gnutls26 source package in Trusty:
  Fix Released

Bug description:
  [Impact] 
  Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

  
  [Test Case]
  launch a new trusty VM
  sudo apt-get install cups
  Open /etc/cups/cupsd.conf and change just this one section
  ...
  # Only listen for connections from the local machine.
  #Listen localhost:631
  Listen /var/run/cups/cups.sock

  SSLPort 443
  SSLOptions None
  ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
  ...
  Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/

  [Regression Potential] 
  This is a simple off by one error, that's fixed in all newer versions of gnutls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+subscriptions

References

  Thread PreviousDate PreviousThread Next