touch-packages team mailing list archive
Message #40794
[Bug 1400473] [NEW] Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack
Public bug reported:
For PCI compliance, one must not be vulnerable to the POODLE or BEAST or
CRIME attacks. POODLE suggests removing SSLv2 and SSLv3, and BEAST
suggests removing TLSv1. However, since TLSv1.1 and TLSv1.2 do not seem
to be supported by Apache 2.2 on 12.04 LTS, and since Apache 2.4 on
12.04 LTS does not support PHP 5.3.X, the last branch to allow PHP
register_globals, which is required for lots of legacy production code
often used by sites with payment systems, and since Ubuntu 14.04 LTS
does not support Apache 2.2, and since Ubuntu 10.04 LTS does not support
SHA256-signed SSL certificates, there may be no feasible way for someone
to run a credit card processing system with any Ubuntu LTS system if
they require both PCI compliance and PHP register_globals support.

It looks like manually compiling PHP may be the only plausible way to
surmount this issue in this particular circumstance.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
** Tags: apache2 openssl php tls
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1400473