Bug#767456: disable SSLv3 by default

2014-11-22 Thread Thijs Kinkhorst
Hi, Could you please make an upload with only this change to sid? Then we can ask the release team to unblock it for jessie. It's still tagged pending. Do you need help to get this change uploaded? Cheers, Thijs

Bug#767456: disable SSLv3 by default

2014-11-22 Thread Christos Trochalakis
Hello Thijs, On Sat, Nov 22, 2014 at 05:36:46PM +0100, Thijs Kinkhorst wrote: Hi, Could you please make an upload with only this change to sid? Then we can ask the release team to unblock it for jessie. It's still tagged pending. Do you need help to get this change uploaded? I was really

Bug#767456: disable SSLv3 by default

2014-11-02 Thread Christos Trochalakis
Hello Thijs, On Fri, Oct 31, 2014 at 08:37:51AM +0100, Thijs Kinkhorst wrote: Package: nginx Version: 1.6.2-2 Severity: important Hi, Please disable the legacy SSLv3 protocol by default for installations of nginx. It doesn't need to be disabled completely per se, but should not be available

Bug#767456: disable SSLv3 by default

2014-11-02 Thread Thijs Kinkhorst
On Sun, November 2, 2014 08:32, Christos Trochalakis wrote: I have prepared a patch and I plan to merge it in a few days. SSLv3 is disabled in the http {} scope so it affects all vhosts that do not explicitly override it. http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?h=no-sslv3

Bug#767456: disable SSLv3 by default

2014-11-01 Thread Thomas Ward (Dark-Net)
Okay, so after poking #debian-security on OFTC, Thijs said the following: (Or at least I believe it's Thijs): [2014/11/01 11:25:15] thijs_ teward: I think the ideal package does not have SSLv3 included in its default settings. With Apache in Debian is quite the case because

Bug#767456: disable SSLv3 by default

2014-10-31 Thread Thijs Kinkhorst
Package: nginx Version: 1.6.2-2 Severity: important Hi, Please disable the legacy SSLv3 protocol by default for installations of nginx. It doesn't need to be disabled completely per se, but should not be available on a default installation. This helps to defend against the recent POODLE attack

Bug#767456: disable SSLv3 by default

2014-10-31 Thread Thomas Ward
I thought this was already done? I checked the packaging myself and this change was already in there, or at least in git. (the default ssl stanza in the config has SSLv3 dropped from the ciphers list in the git tree for the Debian package already, I checked the commit logs myself)

Bug#767456: disable SSLv3 by default

2014-10-31 Thread Thomas Ward (Dark-Net)
fixed 1.6.2-3 thanks Confirmed: This was done already. The commit this was done in was this one: http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?id=9a4e0f0a698bee2b03b7f417ad9286e5eb22141e 1.6.2-3, which had this fix already, was uploaded and accepted to Unstable on 2014-10-16,

Bug#767456: disable SSLv3 by default

2014-10-31 Thread Thijs Kinkhorst
Hi Thomas, On Fri, October 31, 2014 12:48, Thomas Ward (Dark-Net) wrote: fixed 1.6.2-3 thanks Confirmed: This was done already. The commit this was done in was this one: http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?id=9a4e0f0a698bee2b03b7f417ad9286e5eb22141e Thanks.

Bug#767456: disable SSLv3 by default

2014-10-31 Thread Michael Lustfield
Yup, that's correct. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols SSLv3 is /currently/ enabled by default. On Fri, Oct 31, 2014 at 9:37 AM, Thijs Kinkhorst th...@debian.org wrote: Hi Thomas, On Fri, October 31, 2014 12:48, Thomas Ward (Dark-Net) wrote: fixed 1.6.2-3