[Bug 1383379] Re: nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE
Thomas Ward
teward at trekweb.org
Wed Oct 22 16:16:01 UTC 2014
In discussion with mdeslaur on IRC, I'm attaching DebDiffs for Ubuntu in
the off chance the release team wishes to push these changes.
A few extra details as to why this is extremely relevant to being pushed
and updated: A lot of newbie users that we see in the NGINX IRC channel
for support end up using the default configuration file(s) as a
template/law for their sites, and we end up seeing them just uncomment
the SSL portion and use it. That opens them up to the POODLE
vulnerability.
Upstream, in Debian, this was revised per POODLE so newbies wouldn't be
exposing themselves to vulnerability, hence the rationale for this
perhaps being pushed/updated. Unfortunately, all versions of nginx
(including Lucid, which is being ignored intentionally) are impacted by
POODLE and SSLv3, so it's better to just remove the SSLv3 protocol from
the ssl_protocols line, mainly to prevent newbies from making their
systems open to attack.
--
https://bugs.launchpad.net/bugs/1383379
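As an added illustration (not part of the bug report or the nginx package), here is a small shell audit of the situation the report describes: it lists uncommented `ssl_protocols` directives that still enable SSLv3 and emits the corrected line with SSLv3 dropped. The sample configuration is constructed; the function names are my own.

```shell
# Added example, not from the bug report: audit an nginx config for active
# ssl_protocols directives that list SSLv3, then drop SSLv3 and keep TLS.

# Print every active (uncommented) ssl_protocols directive that lists SSLv3.
# Exit status follows grep: 0 = something found, 1 = no SSLv3 enabled.
find_sslv3() {
    grep -nE '^[[:space:]]*ssl_protocols[^#;]*[[:space:]]SSLv3([[:space:]]|;)' "$@"
}

# Emit the file with SSLv3 removed from active ssl_protocols lines.
# Commented-out lines are untouched. A directive that listed only SSLv3 would
# end up as "ssl_protocols;" and needs TLS versions supplied by hand.
drop_sslv3() {
    sed -E '/^[[:space:]]*ssl_protocols/ s/[[:space:]]+SSLv3([[:space:]]|;)/\1/' "$1"
}

# Constructed sample mimicking an nginx.conf whose ssl block was just
# uncommented, which is the pattern the report describes.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
http {
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # still commented: inactive
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF

if find_sslv3 "$sample_conf"; then
    echo "SSLv3 is enabled; corrected directive(s):"
    drop_sslv3 "$sample_conf" | grep -E '^[[:space:]]*ssl_protocols'
fi
rm -f "$sample_conf"
```

To apply the change to a real file, redirect `drop_sslv3` output to a new file and reload nginx after `nginx -t` passes.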