
perfsonar-announce - Re: [perfSONAR-developer] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


Re: [perfSONAR-developer] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


  • From: Jason Zurawski <>
  • To: perfsonar-user <>, perfsonar-announce <>
  • Cc:
  • Subject: Re: [perfSONAR-developer] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
  • Date: Thu, 16 Oct 2014 07:19:48 -0700

All;

The same fix for 3.3 is available in the 'vault' we are maintaining:

http://software.internet2.edu/vault/3.3

For those that have not upgraded to 3.4, they can enable the vault (and
disable the main repo) so that yum uses it, or they can download/install the
RPMs by hand.

Thanks;

-jason

On Oct 16, 2014, at 12:37 AM, Roderick Mooi <> wrote:

> Hi all
>
> For 3.3, as I understand these articles, disabling SSLv3 (if that's an
> option for you) should mitigate the vulnerability.
>
> https://access.redhat.com/articles/1232123
> https://access.redhat.com/solutions/1232413
>
> In /etc/httpd/conf.d/ssl.conf
> remove +SSLv3 from the line:
> SSLProtocol -ALL +SSLv3 +TLSv1
> so that it becomes:
> SSLProtocol -ALL +TLSv1
> and restart httpd
> service httpd restart
>
> Regards,
>
> Roderick
>
>> On 2014-10-15 at 17:01, Jason Zurawski <> wrote:
>> Greetings;
>>
>> This morning a new vulnerability in the SSLv3 libraries was disclosed. The
>> colloquial name is 'POODLE', keeping up this year's tradition of catchy ways
>> to make you feel better about how you will spend part of your day patching
>> devices. A write up is available here:
>>
>> https://access.redhat.com/articles/1232123
>>
>> And the full CVE from Redhat is here:
>>
>> https://access.redhat.com/security/cve/CVE-2014-3566
>>
>> The best way to summarize the risk is that someone attempting a man in the
>> middle could steal authorization headers from HTTP traffic, and gain entry to
>> a server. This naturally impacts all servers implementing SSLv3 protocols,
>> including the perfSONAR Toolkit. There are no reports of perfSONAR servers
>> being victimized by this vulnerability, but the risk is a danger for any
>> communication that uses the vulnerable libraries.
>>
>> As of this morning (Oct 15 2014) there is not an upstream patch available
>> from CentOS to correct the underlying problem in the libraries for servers.
>> Our development team has taken the steps to modify the Apache configuration
>> on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.
>> A new package is available in our yum repository that addresses this. We are
>> recommending that netinstall users:
>>
>> - Check your logs to see if the package has been automatically downloaded
>> yet. The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and
>> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
>>
>> - If you don't see it automatically downloaded, 'yum update' by hand.
>>
>> A modification to the 3.3.2 release of the LiveCD is being built, but will
>> take more time. LiveCD users with concerns can power down, or expedite your
>> migration to the netinstall platform. There will not be a 3.3 package
>> released for netinstall users who have not upgraded yet - take this
>> opportunity to upgrade to 3.4 if possible.
>>
>> We will keep everyone posted on when a patch from the upstream vendor is
>> released - for now we are confident that the changes we are implementing on
>> the server side will reduce the risk this vulnerability poses.
>>
>> Thanks;
>>
>> -jason
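Whether the ssl.conf edit Roderick describes actually removes SSLv3 depends on how mod_ssl evaluates the tokens of an SSLProtocol line, so here is an added example (not from this thread or the perfSONAR project) that audits an ssl.conf under those rules. The protocol list in ALL_PROTOCOLS, the helper names and the constructed sample file are assumptions of the example.

```shell
#!/bin/sh
# Added example: evaluate an Apache mod_ssl "SSLProtocol" directive and report
# whether SSLv3 is still enabled. Mirrors mod_ssl's rules: tokens are read left
# to right, "+name" adds, "-name" removes, a bare name replaces the set, and
# "all" (case-insensitive) expands to every protocol. Assumption: the protocol
# names below are the 2014-era set; adjust ALL_PROTOCOLS for other builds.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

_add() {  # print set $1 with $2 appended unless already present
    case " $1 " in *" $2 "*) printf '%s' "$1" ;; *) printf '%s' "${1:+$1 }$2" ;; esac
}
_del() {  # print set $1 with $2 removed
    out=""; for p in $1; do [ "$p" = "$2" ] || out="${out:+$out }$p"; done; printf '%s' "$out"
}
ssl_protocol_effective() {  # $1: directive arguments, e.g. "-ALL +SSLv3 +TLSv1"
    set_=""
    for tok in $1; do
        case "$tok" in +*) act=+; name=${tok#+} ;; -*) act=-; name=${tok#-} ;; *) act=; name=$tok ;; esac
        case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
            all)     names="$ALL_PROTOCOLS" ;;
            sslv2)   names="SSLv2" ;;    sslv3)   names="SSLv3" ;;
            tlsv1)   names="TLSv1" ;;    tlsv1.1) names="TLSv1.1" ;;    tlsv1.2) names="TLSv1.2" ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
        esac
        case "$act" in
            +) for n in $names; do set_=$(_add "$set_" "$n"); done ;;
            -) for n in $names; do set_=$(_del "$set_" "$n"); done ;;
            *) set_="$names" ;;   # bare name: replaces anything set earlier
        esac
    done
    printf '%s\n' "$set_"
}

sslv3_enabled() {  # exit 0 if SSLv3 is in the effective set for directive args $1
    case " $(ssl_protocol_effective "$1") " in *" SSLv3 "*) return 0 ;; esac
    return 1
}

audit_ssl_conf() {  # $1: path to an ssl.conf; one verdict per active SSLProtocol line
    grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | while read -r _directive args; do
        if sslv3_enabled "$args"; then echo "VULNERABLE: SSLProtocol $args"
        else echo "ok: SSLProtocol $args -> $(ssl_protocol_effective "$args")"; fi
    done
}

# Constructed sample: the 3.3 toolkit's line before the fix, then after it.
SAMPLE=$(mktemp)
printf '# SSLProtocol all -SSLv2\nSSLProtocol -ALL +SSLv3 +TLSv1\nSSLProtocol -ALL +TLSv1\n' > "$SAMPLE"
audit_ssl_conf "$SAMPLE"; rm -f "$SAMPLE"
```

Run it against /etc/httpd/conf.d/ssl.conf after the edit and a restart; a line still reported as VULNERABLE means an earlier "all" or "+SSLv3" token is re-enabling the protocol.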


