On 10/15/2014 8:16 AM, Jan Tomasek wrote:
> is http://poodlebleed.com/ related to 389? I think it is, this is not an
> implementation flaw in OpenSSL, this seems to be related to the SSLv3
> design.
From
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566:
> Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and
> other protocols with SSL support?
>
> The current attack vector as shown by the researchers works with
> controlling the plaintext sent to the server using Javascript being run
> on the victim's machine. This vector does not apply to non-HTTPS
> scenarios without using a browser.
>
> Also, normally an SSL client doesn't allow the session to be downgraded
> to SSLv3 (having TLSv1+ seen in the handshake capabilities), but
> browsers want to be very backward compatible and they do. The combination
> with controlling plaintext and the specific way a HTTP header is built
> up makes it exploitable.
>
> Conclusion: disable SSLv3 for HTTPS *now*, disable SSLv3 for other
> services in your next service window.
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
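As an added example that is not part of the thread or of 389 DS, the following Python parses the version fields of captured TLS/SSL handshake records (record layer and Hello layout per RFC 6101 and RFC 5246) so a defender can verify that no server is still negotiating SSLv3 after the change the thread recommends. The sample ServerHello records are constructed inline, not a real capture.

```python
import struct

# Record-layer content type and handshake message types (RFC 6101 / RFC 5246)
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_hello(record: bytes) -> dict:
    """Return the record version and the Hello message version of one handshake record."""
    if len(record) < 11:
        raise ValueError("record too short for a Hello message")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(body) < 4 + hs_len:
        raise ValueError("not a complete ClientHello/ServerHello")
    # Both Hello messages start with a two-byte protocol version after the 4-byte header
    major, minor = body[4], body[5]
    return {
        "message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
        "record_version": (rec_major, rec_minor),
        "hello_version": (major, minor),
        "name": VERSION_NAMES.get((major, minor), "unknown"),
    }


def negotiated_sslv3(server_hello: bytes) -> bool:
    """True when the server's chosen version is SSLv3, i.e. the session was downgraded."""
    info = parse_hello(server_hello)
    return info["message"] == "ServerHello" and info["hello_version"] == (3, 0)


def build_server_hello(major: int, minor: int, cipher_suite: bytes = b"\x00\x0a") -> bytes:
    """Constructed sample ServerHello (zero random, empty session id) for offline testing."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + cipher_suite + b"\x00"
    hs_msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, major, minor]) + len(hs_msg).to_bytes(2, "big") + hs_msg


if __name__ == "__main__":
    # Constructed captures: one server still answering with SSLv3, one with TLS 1.2
    for rec in (build_server_hello(3, 0), build_server_hello(3, 3)):
        info = parse_hello(rec)
        print(info["message"], info["name"], "DOWNGRADE" if negotiated_sslv3(rec) else "ok")
```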