[Bug 1383379] Re: nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE

Thomas Ward teward at trekweb.org
Mon Oct 20 17:00:56 UTC 2014


** Description changed:

  The included `default` config file contains a commented-out section for
  SSL.
  
  That SSL section has the SSLv3 parameter provided for `ssl_protocols`.
  This means that systems are vulnerable to SSLv3 and the POODLE
  vulnerability.
  
  Can we remove that from the default section, even though it's commented
  out, so users don't use the insecure SSLv3 protocol anymore?
  
  ------
  
  In the PPAs, this affects all versions of the package in both Stable and
  Mainline.
  
  In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the
  package.
+ 
+ This change was already made in Debian Unstable.

** Description changed:

  The included `default` config file contains a commented-out section for
  SSL.
  
  That SSL section has the SSLv3 parameter provided for `ssl_protocols`.
  This means that systems are vulnerable to SSLv3 and the POODLE
  vulnerability.
  
  Can we remove that from the default section, even though it's commented
  out, so users don't use the insecure SSLv3 protocol anymore?
  
  ------
  
- In the PPAs, this affects all versions of the package in both Stable and
- Mainline.
+ NGINX Project:
+ In the PPAs, this affects all versions of the package in both Stable and Mainline.
+ 
+ ------
+ 
+ Ubuntu Project:
  
  In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the
  package.
  
- This change was already made in Debian Unstable.
+ This change was already made/committed in Debian Unstable.

** Also affects: nginx (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: nginx
     Assignee: (unassigned) => Thomas Ward (teward)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1383379

Title:
  nginx default config has SSLv3 enabled, makes sites using default
  config options vulnerable to POODLE

To manage notifications about this bug go to:
https://bugs.launchpad.net/nginx/+bug/1383379/+subscriptions
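
The check the description calls for, as an added example (not code from the bug report or the nginx package): scan a config for `ssl_protocols` lines that still list SSLv3, including commented-out ones, and propose the line without it. The function name `audit_ssl_protocols` and the sample config are constructed for illustration; flagging SSLv2 as well goes beyond what the report mentions.

```python
import re

# An ssl_protocols directive on one line, active or commented out with '#'.
DIRECTIVE = re.compile(r"^\s*(?P<hash>#+)?\s*ssl_protocols\s+(?P<protos>[^;#]*);")
WEAK = {"sslv2", "sslv3"}  # SSLv3 is the protocol POODLE targets

def audit_ssl_protocols(conf_text):
    """Return (line_number, state, weak_protocols, suggested_line) per finding.

    state is "active" or "commented"; commented lines are reported because the
    sample block is what users uncomment.
    """
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        protos = match.group("protos").split()
        weak = [p for p in protos if p.lower() in WEAK]
        if not weak:
            continue
        kept = [p for p in protos if p.lower() not in WEAK]
        state = "commented" if match.group("hash") else "active"
        # Rebuild the directive without the weak protocols, keeping its prefix.
        prefix = line[: match.start("protos")]
        suggested = prefix + " ".join(kept) + ";" if kept else None
        findings.append((number, state, weak, suggested))
    return findings

# Constructed sample: a commented-out SSL block plus two active server blocks.
SAMPLE_CONF = """\
#server {
#    listen 443;
#    ssl on;
#    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 SSLv3;
}
server {
    listen 9443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for finding in audit_ssl_protocols(SAMPLE_CONF):
        print(finding)
```

A `None` suggestion means the directive listed only weak protocols, so the line needs a replacement protocol list rather than a trim.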


