Hello Thijs,

On Fri, Oct 31, 2014 at 08:37:51AM +0100, Thijs Kinkhorst wrote:
> Package: nginx
> Version: 1.6.2-2
> Severity: important
>
> Hi,
>
> Please disable the legacy SSLv3 protocol by default for installations of
> nginx. It doesn't need to be disabled completely per se, but should not
> be available on a default installation.
>
> This helps to defend against the recent "POODLE" attack (CVE-2014-3566).
>
> Thanks,
> Thijs


I have prepared a patch and I plan to merge it in a few days. SSLv3
is disabled in the http {} scope so it affects all vhosts that do not
explicitly override it.

http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?h=no-sslv3


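The scoping described in the reply above (an `ssl_protocols` value set in `http {}` applies to every vhost unless a `server {}` block sets its own) can be audited with a short script. This is an added example, not part of the original message or the linked patch; the sample configuration, host names and function names are constructed for illustration.

```python
import re

# Constructed sample (not the Debian package's nginx.conf): SSLv3 is dropped at
# http {} scope; one vhost inherits that, the other explicitly overrides it.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server { server_name inherits.example; listen 443 ssl; }
    server {
        server_name legacy.example;
        ssl_protocols SSLv3 TLSv1;   # per-vhost override wins over http {}
    }
}
"""

def tokenize(text):
    """Split into words and the tokens { } ; (simplified: no quoted strings)."""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def effective_ssl_protocols(text):
    """Map each server_name to (protocol list, where that value came from)."""
    http_protocols, servers, stack, words = None, [], [], []
    for tok in tokenize(text):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({"name": "(unnamed)", "protocols": None})
        elif tok == "}":
            del stack[-1:]               # tolerate an unbalanced closing brace
        elif words:                      # tok == ";" ends a simple directive
            scope = stack[-1] if stack else "main"
            if words[0] == "ssl_protocols" and scope == "http":
                http_protocols = words[1:]
            elif words[0] == "ssl_protocols" and scope == "server":
                servers[-1]["protocols"] = words[1:]
            elif words[0] == "server_name" and scope == "server" and len(words) > 1:
                servers[-1]["name"] = words[1]
        words = []
    # Resolved after the walk, so the directive's position inside http {} is irrelevant.
    return {s["name"]: ((s["protocols"], "server override") if s["protocols"] is not None
                        else (http_protocols, "inherited from http")) for s in servers}

def sslv3_vhosts(text):
    """Vhosts still offering SSLv3; unset at both scopes (None) is flagged for review."""
    return sorted(n for n, (p, _) in effective_ssl_protocols(text).items()
                  if p is None or "SSLv3" in p)
```

Run against the sample, `sslv3_vhosts(SAMPLE_CONF)` reports only `legacy.example`, the vhost that overrides the `http {}` setting.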