Skip to Content.
Sympa Menu

perfsonar-announce - Re: [perfsonar-user] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Subject: perfSONAR Announcements

List archive

Re: [perfsonar-user] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


Chronological Thread 
  • From: Andrew Lake <>
  • To: Fernando López Muñoz <>
  • Cc: "" <>, perfsonar-user <>, perfsonar-announce <>
  • Subject: Re: [perfsonar-user] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
  • Date: Thu, 16 Oct 2014 07:51:27 -0400

Hi,

It appears to now. Likely the mirror needed time to update. 


Thanks,
Andy


On Oct 16, 2014, at 4:14 AM, Fernando López Muñoz <> wrote:

Hi Jason,

It seems that mirror in ftp.sunet.se doesn't have the corrected version of perl-perfSONAR_PS-Toolkit and perl-perfSONAR_PS-Toolkit-SystemEnvironment

Can you check?

Many thanks


Fernando López Muñoz
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 08
Fax: +34 93 581 41 10
http://www.pic.es Avis - Aviso - Legal Notice: http://www.ifae.es/legal.html

On Wed, Oct 15, 2014 at 5:01 PM, Jason Zurawski <> wrote:
Greetings;

This morning a new vulnerability in the SSLv3 libraries was disclosed.  The colloquial name is 'POODLE', keeping up this year's tradition of catchy ways to make you feel better about how you will spend part of your day patching devices.  A write up is available here:

https://access.redhat.com/articles/1232123

And the full CVE from Redhat is here:

https://access.redhat.com/security/cve/CVE-2014-3566

The best way to summarize the risk is that someone attempting a man in the middle could steal authorization headers from HTTP traffic, and gain entry to a server.  This naturally impacts all servers implementing SSLv3 protocols, including the perfSONAR Toolkit.  There are no reports of perfSONAR servers being victimized by this vulnerability, but the risk is a danger for any communication that uses the vulnerable libraries.

As of this morning (Oct 15 2014) there is not an upstream patch available from CentOS to correct the underlying problem in the libraries for servers.  Our development team has taken the steps to modify the Apache configuration on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.  A new package is available in our yum repository that addresses this.  We are recommending that netinstall users:

 - Check your logs to see if the package has been automatically downloaded yet.  The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS

 - If you don't see it automatically downloaded, 'yum update' by hand.

A modification to the 3.3.2 release of the LiveCD is being built, but will take a more time. LiveCD users with concerns can power down, or expedite your migration to the netinstall platform.  There will not be a 3.3 package released for netinstall users who have not upgraded yet - take this opportunity to upgrade to 3.4 if possible.

We will keep everyone posted on when a patch from the upstream vendor is released - for now we are confident that the changes we are implementing on the server side will reduce the risk this vulnerability poses.

Thanks;

-jason





Archive powered by MHonArc 2.6.16.

Top of Page