perfsonar-announce - Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
- From: "Roderick Mooi" <>
- To: "perfsonar-user" <>, "perfsonar-announce" <>
- Subject: Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
- Date: Thu, 16 Oct 2014 09:37:47 +0200
Hi all
For 3.3, as I understand these articles, disabling SSLv3 (if that's an
option for you) should mitigate the vulnerability.
https://access.redhat.com/articles/1232123
https://access.redhat.com/solutions/1232413
In /etc/httpd/conf.d/ssl.conf
remove +SSLv3 from the line:
SSLProtocol -ALL +SSLv3 +TLSv1
so that it becomes:
SSLProtocol -ALL +TLSv1
and restart httpd
service httpd restart
Regards,
Roderick
>>> On 2014-10-15 at 17:01, Jason Zurawski
>>> <>
>>> wrote:
> Greetings;
>
> This morning a new vulnerability in the SSLv3 libraries was disclosed. The
> colloquial name is 'POODLE', keeping up this year's tradition of catchy ways
> to make you feel better about how you will spend part of your day patching
> devices. A write up is available here:
>
> https://access.redhat.com/articles/1232123
>
> And the full CVE from Redhat is here:
>
> https://access.redhat.com/security/cve/CVE-2014-3566
>
> The best way to summarize the risk is that someone attempting a man in the
> middle could steal authorization headers from HTTP traffic, and gain entry to
> a server. This naturally impacts all servers implementing SSLv3 protocols,
> including the perfSONAR Toolkit. There are no reports of perfSONAR servers
> being victimized by this vulnerability, but the risk is a danger for any
> communication that uses the vulnerable libraries.
>
> As of this morning (Oct 15 2014) there is not an upstream patch available
> from CentOS to correct the underlying problem in the libraries for servers.
>
> Our development team has taken the steps to modify the Apache configuration
> on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.
>
> A new package is available in our yum repository that addresses this. We are
> recommending that netinstall users:
>
> - Check your logs to see if the package has been automatically downloaded
> yet. The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and
> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
>
> - If you don't see it automatically downloaded, 'yum update' by hand.
>
> A modification to the 3.3.2 release of the LiveCD is being built, but will
> take more time. LiveCD users with concerns can power down, or expedite your
> migration to the netinstall platform. There will not be a 3.3 package
> released for netinstall users who have not upgraded yet - take this
> opportunity to upgrade to 3.4 if possible.
>
> We will keep everyone posted on when a patch from the upstream vendor is
> released - for now we are confident that the changes we are implementing on
> the server side will reduce the risk this vulnerability poses.
>
> Thanks;
>
> -jason
> --
> This message is subject to the CSIR's copyright terms and conditions,
> legal notice, and implemented Open Document Format (ODF) standard.
> The full disclaimer details can be found at
> http://www.csir.co.za/disclaimer.html.
>
> This message has been scanned for viruses and dangerous content by
> MailScanner,
> and is believed to be clean.
>
> Please consider the environment before printing this email.
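As an added example (not part of the thread and not perfSONAR project code), a small Python checker that evaluates an ssl.conf's SSLProtocol directive with mod_ssl's "+name" / "-name" / bare-name semantics and reports whether SSLv3 is still enabled, so the edit described above can be verified before and after restarting httpd. It assumes httpd 2.2 behaviour, where "all" still includes SSLv3 and is the implicit default when no directive is present; the sample config is constructed.

```python
import re

# Protocol tokens mod_ssl accepts. Assumption for the httpd 2.2 builds the
# thread is about: "all" expands to every name here, so it enables SSLv3.
PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def parse_sslprotocol(args):
    """Evaluate one SSLProtocol argument string the way mod_ssl does:
    "+name" adds, "-name" removes, a bare name replaces the current set
    (mod_ssl treats an unprefixed token as an assignment), "all" expands
    to PROTOCOLS. Returns the set of enabled protocol names, lower case."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        name = name.lower()
        if name != "all" and name not in PROTOCOLS:
            raise ValueError(f"unknown token in SSLProtocol: {tok}")
        members = PROTOCOLS if name == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled


def find_sslv3(conf_text):
    """Return (line_no, args, sslv3_enabled) for each active SSLProtocol
    line in an ssl.conf. Commented-out lines are skipped. With no directive
    at all, httpd 2.2 falls back to "all" (assumption), which leaves SSLv3 on."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            hits.append((no, m.group(1), "sslv3" in parse_sslprotocol(m.group(1))))
    return hits or [(0, "all (implicit default)", True)]


# Constructed excerpt modelled on the CentOS default line quoted in the thread.
SAMPLE_SSL_CONF = """\
# SSLProtocol all
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
"""
```

Run find_sslv3 over the real /etc/httpd/conf.d/ssl.conf; any tuple whose last element is True is a line that still needs the +SSLv3 token removed.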
- POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Jason Zurawski, 10/15/2014
- Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Roderick Mooi, 10/16/2014
- Re: [perfSONAR-developer] POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Jason Zurawski, 10/16/2014
- Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Jason Zurawski, 10/16/2014
- Re: [perfsonar-user] POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Fernando López Muñoz, 10/16/2014
- Re: [perfsonar-user] POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Andrew Lake, 10/16/2014
- 3.3 LiveCD with POODLE fixes now available, Andrew Lake, 10/17/2014
- Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566), Roderick Mooi, 10/16/2014