[Bug 1389264] [NEW] ZNC SSL listeners are vulnerable to POODLE.

Launchpad Bug Tracker 1389264 at bugs.launchpad.net
Wed Nov 5 18:37:26 UTC 2014


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Thomas Ward (teward):

This is a report on the state of the ZNC package in Ubuntu.

Currently, the ZNC package is vulnerable to CVE-2014-3566 and the POODLE
vulnerability.  It does not disable SSLv3 and does not permit an
individual to change what is or is not enabled in SSL protocols.

An upstream ZNC issue was opened on this issue, requesting that the
insecure SSLv2 and SSLv3 are disabled, as well as a request to be able
to specify the SSL Ciphers to be used.  That issue is at
https://github.com/znc/znc/issues/621.

https://github.com/jpnurmi/znc/commit/954f22ccc0ee8a77ed96756e154993dc9e8402af
is the relevant code commit which fixes the SSLv3 support issue and
disables SSLv2 and SSLv3.

The related CVE is the OpenSSL POODLE vulnerability - CVE-2014-3566.

All versions of the ZNC software are affected at this time.

** Affects: znc (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: znc (Ubuntu Precise)
     Importance: Undecided
         Status: Won't Fix

** Affects: znc (Ubuntu Trusty)
     Importance: Undecided
         Status: Won't Fix

** Affects: znc (Ubuntu Utopic)
     Importance: Undecided
         Status: Won't Fix

** Affects: znc (Ubuntu Vivid)
     Importance: Undecided
         Status: Confirmed


** Tags: poodle
-- 
ZNC SSL listeners are vulnerable to POODLE.
https://bugs.launchpad.net/bugs/1389264
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
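
One way to confirm on a running listener that SSLv3 is really disabled, as an added example (not part of the bug report or of ZNC's code): classify the first record the listener returns to a handshake that offered only SSL 3.0. The function names and sample bytes are constructed for illustration.

```python
import struct

SSL3 = (3, 0)  # wire version 0x0300, the protocol affected by CVE-2014-3566


def first_reply(record: bytes):
    """Classify the first TLS/SSL record a listener sent back.

    Returns ("server_hello", (major, minor)) or ("alert", description).
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_major, _rec_minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 0x15:                        # alert: level(1) + description(1)
        if length < 2:
            raise ValueError("short alert")
        return "alert", body[1]
    if ctype != 0x16 or length < 6 or body[0] != 0x02:
        raise ValueError("not a ServerHello or an alert")
    # Handshake header is type(1) + length(3); server_version follows it.
    return "server_hello", (body[4], body[5])


def listener_accepts_sslv3(record: bytes) -> bool:
    """True if the reply is a ServerHello that selected SSL 3.0."""
    kind, value = first_reply(record)
    return kind == "server_hello" and value == SSL3


def _server_hello(version):
    """Build a minimal ServerHello record (constructed sample, no extensions)."""
    hs_body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


# Constructed samples: a listener that still negotiates SSLv3, one that
# answers with TLS 1.2, and one that refuses with a fatal handshake_failure.
SAMPLE_SSL3_HELLO = _server_hello((3, 0))
SAMPLE_TLS12_HELLO = _server_hello((3, 3))
SAMPLE_REFUSAL = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    for name in ("SAMPLE_SSL3_HELLO", "SAMPLE_TLS12_HELLO", "SAMPLE_REFUSAL"):
        print(name, listener_accepts_sslv3(globals()[name]))
```

A ServerHello at a higher version only shows what was negotiated for that client's offer; it is the reply to an SSL 3.0-only offer that shows whether the protocol is still enabled.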


