[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

Wed, 05 Nov 2014 23:49:11 -0800 

    [ 
https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14199962#comment-14199962
 ] 

Jacques Le Roux commented on OFBIZ-5848:
----------------------------------------

Hi Vikas,

Thanks for your good questions.

# We have already https://ofbiz.apache.org/download.html#vulnerabilities but we 
could indeed put a link to that from the news section on main page
# There is currently a discussion within the PMC about this subject. I don't 
unveil any important secrets by saying that for this bug we tend rather to send 
a notice on the user ML. Because fixing the bug in the releases branches is not 
enough. People with not supported releases would not be aware of the issue. And 
we don't want to create a new release right now because this bug is not really 
part of the OFBiz code and only need a configuration change. I suggested to put 
the  notice sent to the user ML also on the Dowload page where it will stay as 
a reminder. This last point as not been yet discussed.

> Poodle-disable sslv3
> --------------------
>
>                 Key: OFBIZ-5848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>         Environment: unix
>            Reporter: Poodle Fixer
>            Assignee: Jacques Le Roux
>            Priority: Critical
>              Labels: patch, security
>             Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>
> Hi there-- 
> This topic seemed relevant because it is a major security issue that recently 
> came up and will affect many ecommerce sites for ofbiz. 
> I am in process of trying to disable sslv3 on our version of of 
> ofbiz uses tomcat 6. 
> This is to eliminate the security vulnerability from poodle bleed. 
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> We have tried updating the of ofbiz-containers.xml file like below, but it 
> did not disable sslv3. Poodle is still there. 
> I have also seen fixes that update server.xml with something similar. 
> <property name="sslProtocol" value="TLS"/>  
> <property name="sslEnabledProtocols" value="TLSv1"/>  
> Has anyone else had luck fixing the poodle issue on Apache ofbiz? 
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks! 
> The Poodle fixer :)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to