[Bug 1505328] [NEW] Cups SSL is vulnerable to POODLE

Launchpad Bug Tracker 1505328 at bugs.launchpad.net
Tue Nov 17 21:04:57 UTC 2015


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Bryan Quigley (bryanquigley):

[Impact]

 * Cups in Trusty is vulnerable to POODLE (SSLv3). This disables it by default.
 * Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.

[Test Case]

 * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
   * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
 * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

[Regression Potential]

 * One assumption was this should only affect WinXP and even then only
IE6 winxp users.  If incorrect more could be affected.

 * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
some unknown corner case.  There's no evidence of this and other distros
have deployed a very similar patch.

[Other Info]

 * Only targeting 14.04 because of my assumption that if you're on
12.04 you are more likely to have older clients connecting to it.

Original description:

On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle,
and there does not appear to be any way to mitigate it in Cups config.

Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476

Should we disable SSLv3 in the 12.04/14.04 cups by default and backport
the option to turn it back on?

** Affects: cups (Ubuntu)
     Importance: High
         Status: New


** Tags: patch poodle precise trusty
-- 
Cups SSL is vulnerable to POODLE
https://bugs.launchpad.net/bugs/1505328
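A local way to run the [Test Case] above without ssllabs, added here as an example and not part of the bug report or of CUPS: it sends a minimal SSLv3 ClientHello to the cupsd SSL port and reports whether the server negotiates SSLv3 (patched default with SSLOptions None should refuse; AllowSSL3 should accept). The host, port (631 by default; the test case uses 443) and the cipher list are assumptions of this example.

```python
import socket
import struct

SSLV3 = b"\x03\x00"            # protocol version 3.0 (RFC 6101)
HANDSHAKE, ALERT = 0x16, 0x15  # record content types

# Suites a legacy client might offer (IANA codes): RC4-MD5, RC4-SHA,
# 3DES-SHA, AES128-SHA. RC4 is included so an AllowRC4 server can be observed.
CIPHER_SUITES = b"\x00\x04\x00\x05\x00\x0a\x00\x2f"


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Build one handshake record carrying an SSLv3 ClientHello."""
    assert len(client_random) == 32
    body = (
        SSLV3
        + client_random
        + b"\x00"                                            # empty session id
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                        # compression: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data: bytes) -> str:
    """Map the server's first record to 'accepted', 'refused' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    if data[0] == ALERT:
        return "refused"                  # e.g. protocol_version / handshake_failure
    if data[0] == HANDSHAKE and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: bytes 9..10 hold the version the server actually negotiated
        return "accepted" if data[9:11] == SSLV3 else "refused"
    return "unknown"


def probe(host: str, port: int = 631, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return "refused"
        return "refused" if not data else classify_reply(data)  # close with no reply = refusal


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 631))
```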