[Bug 1383379] Re: nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE
Thomas Ward
teward at trekweb.org
Mon Oct 20 17:00:56 UTC 2014
** Description changed:
The included `default` config file contains a commented-out section for
SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`.
This means that systems are vulnerable to SSLv3 and the POODLE
vulnerability.
Can we remove that from the default section, even though it's commented
out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and
Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the
package.
+
+ This change was already made in Debian Unstable.
** Description changed:
The included `default` config file contains a commented-out section for
SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`.
This means that systems are vulnerable to SSLv3 and the POODLE
vulnerability.
Can we remove that from the default section, even though it's commented
out, so users don't use the insecure SSLv3 protocol anymore?
------
- In the PPAs, this affects all versions of the package in both Stable and
- Mainline.
+ NGINX Project:
+ In the PPAs, this affects all versions of the package in both Stable and Mainline.
+
+ ------
+
+ Ubuntu Project:
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the
package.
- This change was already made in Debian Unstable.
+ This change was already made/committed in Debian Unstable.
** Also affects: nginx (Ubuntu)
Importance: Undecided
Status: New
** Changed in: nginx
Assignee: (unassigned) => Thomas Ward (teward)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1383379
Title:
nginx default config has SSLv3 enabled, makes sites using default
config options vulnerable to POODLE
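The report's point is that a commented-out `ssl_protocols` line listing SSLv3 still matters, because administrators enable SSL by uncommenting that block. The following check is an added example, not part of the bug report or the nginx packaging. It flags both active and commented-out `ssl_protocols` directives that list SSLv3 and proposes the line with SSLv3 dropped. The function name and the sample config are constructed for illustration.

```python
import re

# An ssl_protocols directive, live or behind '#' comment markers.
DIRECTIVE = re.compile(r"^\s*(?P<hash>#[#\s]*)?ssl_protocols\s+(?P<protos>[^;#]*);")

def find_sslv3(config_text):
    """Return (line_no, state, suggested_line) for every ssl_protocols
    directive that lists SSLv3. state is 'active' or 'commented';
    suggested_line is None when SSLv3 was the only protocol listed."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        protos = m.group("protos").split()
        kept = [p for p in protos if p.lower() != "sslv3"]
        if len(kept) == len(protos):
            continue  # SSLv3 is not listed on this line
        state = "commented" if m.group("hash") else "active"
        suggested = None
        if kept:
            # Rewrite only the protocol list; keep indentation and '#'.
            suggested = (line[:m.start("protos")] + " ".join(kept)
                         + line[m.end("protos"):])
        findings.append((line_no, state, suggested))
    return findings

# Constructed sample (not the packaged `default` file): a commented-out
# SSL block of the kind the report describes, plus two live server blocks.
SAMPLE = """\
# HTTPS server
#server {
#    listen 443;
#    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols SSLv3;
}
"""

if __name__ == "__main__":
    for line_no, state, suggested in find_sslv3(SAMPLE):
        print(f"line {line_no}: SSLv3 listed ({state}); suggest: {suggested}")
```

A directive that lists only SSLv3 gets no suggested replacement, since the TLS versions to enable there are a decision for the administrator.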