Hi Paul,

> I think we should apply the patch now anyway; we'll want to know that it
> works for backports to the stable branch(es), and in any case the upgrade to
> 2.7.9 is not going to be a straightforward task based upon my earlier attempt
> to upgrade to 2.7.6 (the current state of which is still in
> paule/python276-wip in poky-contrib).
>
> Cheers,
> Paul
>
I have applied this patch in master and have run some tests to verify that SSLv3 is really disabled. It seems that SSLv3 still is enabled. I am running more tests to find out why SSLv3 is not disabled and what more needs to be done. SSLv2 is disabled already; if we manage to disable SSLv3 then I guess we need to disable SSLv23 as well??!

root@p2020rdb:~# python
>>> import ssl
>>> print ssl.PROTOCOL_SSLv3
1
>>> print ssl.PROTOCOL_SSLv2
0
>>> print ssl.PROTOCOL_SSLv23
2

I think we should consider (start looking at) upgrading to Python 2.7.9 in master to address this issue. I feel uncomfortable with this Debian patch. It seems that we need to do more manual changes in order to make this work.

I will soon update bug 7015 with my test results.

While testing this issue a new vulnerability was released yesterday: Incorrect TLS padding may be accepted when terminating TLS 1.x CBC cipher connections. (CVE-2014-8730)

https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

Cheers
Sona
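A check of what the local ssl module reports about SSLv3 beyond the numeric PROTOCOL_* identifiers, as an added example that is not part of the original message or of the patch under discussion. The function names sslv3_status and verdict are hypothetical; SSLContext and OP_NO_SSLv3 only exist from Python 2.7.9 on, and treating a missing PROTOCOL_SSLv3 constant as "compiled without SSLv3" is an assumption.

```python
import ssl

def sslv3_status(mod=ssl):
    """Collect what an ssl module reveals about SSLv3, without network I/O."""
    status = {
        # The constant is a protocol identifier; its value is not an on/off flag.
        "protocol_constant": hasattr(mod, "PROTOCOL_SSLv3"),
        # HAS_SSLv3 exists on Python 3.7+ only; None means "not reported".
        "has_sslv3_flag": getattr(mod, "HAS_SSLv3", None),
        "sslv3_only_context": None,    # can an SSLv3-only context be built?
        "default_blocks_sslv3": None,  # does the default context set OP_NO_SSLv3?
    }
    if status["protocol_constant"] and hasattr(mod, "SSLContext"):
        try:
            mod.SSLContext(mod.PROTOCOL_SSLv3)
            status["sslv3_only_context"] = True
        except (ValueError, ssl.SSLError):
            status["sslv3_only_context"] = False
    op_no_sslv3 = getattr(mod, "OP_NO_SSLv3", None)
    if op_no_sslv3 is not None and hasattr(mod, "create_default_context"):
        ctx = mod.create_default_context()
        status["default_blocks_sslv3"] = bool(ctx.options & op_no_sslv3)
    return status

def verdict(status):
    """Reduce the collected facts to 'disabled', 'available' or 'unknown'."""
    # Assumption: a module without the constant was built against an
    # OpenSSL that has no SSLv3 support.
    if not status["protocol_constant"] or status["has_sslv3_flag"] is False:
        return "disabled"
    if status["sslv3_only_context"] is False:
        return "disabled"
    if status["sslv3_only_context"]:
        return "available"  # an SSLv3-only context can be created
    # Constant present but no SSLContext (before 2.7.9): introspection
    # cannot decide; a handshake against a test endpoint is needed.
    return "unknown"

if __name__ == "__main__":
    s = sslv3_status()
    for key in sorted(s):
        print("%-22s %s" % (key, s[key]))
    print("verdict: " + verdict(s))
```

On an interpreter older than 2.7.9 this reports "unknown", because that module offers nothing but the constants to inspect.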
