[Bug 1505328] Re: Cups SSL is vulernable to POODLE

Marc Deslauriers marc.deslauriers at canonical.com
Fri Dec 11 18:43:16 UTC 2015 

ACK on the updated debdiff, thanks!

I've changed my mind, and will release it as a security update after all
if testing goes well.

Thanks!

** Changed in: cups (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1505328

Title:
  Cups SSL is vulernable to POODLE

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Triaged

Bug description:
  [Impact]

   * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default.
   * Users who have clients that don't support TLS1.0 will not be able to connect, unless
   they specify the additional options in cupsd.conf.

  [Test Case]

   * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
     * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
   * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

  [Regression Potential]

   * One assumption was this should only affect WinXP and even then only
  IE6 winxp users.  If incorrect more could be affected.

   * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
  some unknown corner case.  There's no evidence of this and other
  distros have deployed a very similar patch.

  [Other Info]

   * Only targetting 14.04 because of my assumption that if you're on
  12.04 you are more likely to have older clients connecting to it.

  Original description:

  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to
  poodle, and there does not appear to be any way to mitigate it in Cups
  config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable ssvl3 in the 12.04/14.04 cups by default and
  backport the option to turn it back on?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+subscriptions

More information about the Ubuntu-sponsors mailing list