[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-12-16 Thread Launchpad Bug Tracker
This bug was fixed in the package cups - 1.7.2-0ubuntu1.7

---
cups (1.7.2-0ubuntu1.7) trusty-security; urgency=medium

  * Disable SSLv3 with option to turn back on.
    - debian/patches/disable-sslv3.patch: AllowSSL3 turns SSLv3
      back on and AllowRC4 turns on just the RC4 ciphers. (LP: #1505328)

 -- Bryan Quigley   Tue, 10 Nov 2015 21:08:44 +

** Changed in: cups (Ubuntu Trusty)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1505328

Title:
  Cups SSL is vulnerable to POODLE

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Fix Released

Bug description:
  [Impact]

   * Cups in Trusty is vulnerable to the Poodle SSLv3. This disables it by default.
   * Users who have clients that don't support TLS1.0 will not be able to connect, unless
   they specify the additional options in cupsd.conf.

  [Test Case]

   * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
     * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
   * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

  [Regression Potential]

   * One assumption was this should only affect WinXP and even then only
  IE6 winxp users.  If incorrect more could be affected.

   * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
  some unknown corner case.  There's no evidence of this and other
  distros have deployed a very similar patch.

  [Other Info]

   * Only targeting 14.04 because of my assumption that if you're on
  12.04 you are more likely to have older clients connecting to it.

  Original description:

  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to
  poodle, and there does not appear to be any way to mitigate it in Cups
  config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on

  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on
  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable sslv3 in the 12.04/14.04 cups by default and
  backport the option to turn it back on?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
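
The [Test Case] in the bug description above checks the result from outside with a scanner such as ssllabs; the same SSLOptions settings can also be audited on the host. This is an added example, not part of the bug report or of the CUPS or Ubuntu code. It assumes the patched package (a missing SSLOptions line means SSLv3 and RC4 are off), case-insensitive names, space- or comma-separated options, and that the last SSLOptions line wins; cups_ssl_posture and cups_ssl_check are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the bug report): audit SSLOptions in a cupsd.conf.
# Assumptions: patched cups (SSLv3 and RC4 off unless re-enabled); directive
# and option names match case-insensitively; options are separated by spaces
# or commas; the last SSLOptions line in the file is the effective one.

# Print "sslv3=<on|off> rc4=<on|off> line=<n>" for config file $1.
# line is the number of the effective SSLOptions line, 0 if there is none.
cups_ssl_posture() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        BEGIN { sslv3 = "off"; rc4 = "off"; line = 0 }
        { sub(/#.*/, ""); gsub(/,/, " ") }   # drop comments, unify separators
        tolower($1) == "ssloptions" {
            # a later SSLOptions line replaces an earlier one
            sslv3 = "off"; rc4 = "off"; line = NR
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "allowssl3") sslv3 = "on"
                if (opt == "allowrc4")  rc4 = "on"
            }
        }
        END { printf "sslv3=%s rc4=%s line=%d\n", sslv3, rc4, line }
    ' "$1"
}

# Exit 0 when neither legacy option is enabled, 1 when one is, 2 on read error.
cups_ssl_check() {
    csc_posture=$(cups_ssl_posture "$1") || return 2
    case $csc_posture in
        *=on*) echo "WEAK $1: $csc_posture"; return 1 ;;
        *)     echo "OK   $1: $csc_posture"; return 0 ;;
    esac
}

# Constructed sample config: a commented-out directive, the test case's
# "SSLOptions None", and a later lower-case line that re-enables RC4.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# SSLOptions AllowSSL3
SSLPort 443
SSLOptions None
ssloptions AllowRC4   # re-enabled for an old client
EOF
cups_ssl_check "$demo_conf" || echo "exit status: $?"
rm -f "$demo_conf"
```

On a real host, point cups_ssl_check at /etc/cups/cupsd.conf; the reported line number is the SSLOptions line that needs review.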


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-12-11 Thread Marc Deslauriers
ACK on the updated debdiff, thanks!

I've changed my mind, and will release it as a security update after all
if testing goes well.

Thanks!

** Changed in: cups (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Triaged


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-12-08 Thread Marc Deslauriers
This part of the patch is wrong:

@@ -895,18 +922,6 @@ _cupsSetDefaults(void)
   * Look for ~/.cups/client.conf...
   */
 
-  snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
-  fp = cupsFileOpen(filename, "r");
-}
-else
-  fp = NULL;
-
-if (!fp)
-{
- /*
-  * Look for CUPS_SERVERROOT/client.conf...
-  */
-
   snprintf(filename, sizeof(filename), "%s/client.conf",
cg->cups_serverroot);
   fp = cupsFileOpen(filename, "r");
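
Review bot: The removed lines are the `~/.cups/client.conf` open and its `if (!fp)` fallback, so the remaining `snprintf(filename, sizeof(filename), "%s/client.conf", cg->cups_serverroot)` now runs directly under the "Look for ~/.cups/client.conf..." comment and the per-user file is never opened in this block. Keep the `"%s/.cups/client.conf", home` read and remove the CUPS_SERVERROOT read here instead, otherwise per-user client settings are silently ignored and the comment no longer describes the code.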


It is removing the section that reads ~/.cups/client.conf instead of removing 
the section that reads CUPS_SERVERROOT/client.conf that got moved higher up in 
the code.

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Triaged


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-12-08 Thread Bryan Quigley
New debdiff with fix for C#15

** Patch added: "cups_1.7.2-0ubuntu1.7.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4531562/+files/cups_1.7.2-0ubuntu1.7.debdiff

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Triaged


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Bryan Quigley
** Patch removed: "now  current debdiff (fixes accidentally included file)"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff

Status in cups package in Ubuntu:
  New


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Brian Murray
** Also affects: cups (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: cups (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: cups (Ubuntu Trusty)
   Status: New => Triaged

Status in cups package in Ubuntu:
  New
Status in cups source package in Trusty:
  Triaged


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Bryan Quigley
Forgot to mark it fixed in devel (since wily at least)

** Changed in: cups (Ubuntu)
   Status: New => Fix Released

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Triaged


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Bryan Quigley
** Description changed:

+ [Impact]
+ 
+  * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by 
default.
+  * Users who have clients that don't support TLS1.0 will not be able to 
connect, unless 
+  they specify the additional options in cupsd.conf.
+ 
+ [Test Case]
+ 
+  * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and 
SSLOptions None
+* This should show up as having RC4 and SSLv3 disabled via a test like 
ssllabs.
+  * Same but specify SSLOptions to AllowSSL3 or AllowRC4.
+ 
+ [Regression Potential]
+ 
+  * One assumption was this should only affect WinXP and even then only
+ IE6 winxp users.  If incorrect more could be affected.
+ 
+  * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
+ some unknown corner case.  There's no evidence of this and other distros
+ have deployed a very similar patch.
+ 
+ [Other Info]
+  
+  * Only targetting 14.04 because of my assumption that if you're on 12.04 you 
are more likely to have older clients connecting to it.
+ 
+ 
  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle,
  and there does not appear to be any way to mitigate it in Cups config.
  
  Ubuntu 14.04 - 
https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on
  Ubuntu 12.04 - 
https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on
  
  Fixed in wily - 
https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on
  Upstream fix - https://www.cups.org/str.php?L4476
  
  Should we disable ssvl3 in the 12.04/14.04 cups by default and backport
  the option to turn it back on?

Status in cups package in Ubuntu:
  New


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Mathew Hodson
** Bug watch removed: Red Hat Bugzilla #1161171
   https://bugzilla.redhat.com/show_bug.cgi?id=1161171

Status in cups package in Ubuntu:
  New


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-17 Thread Bryan Quigley
** Description changed:

  [Impact]
  
-  * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by 
default.
-  * Users who have clients that don't support TLS1.0 will not be able to 
connect, unless 
-  they specify the additional options in cupsd.conf.
+  * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by 
default.
+  * Users who have clients that don't support TLS1.0 will not be able to 
connect, unless
+  they specify the additional options in cupsd.conf.
  
  [Test Case]
  
-  * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and 
SSLOptions None
-* This should show up as having RC4 and SSLv3 disabled via a test like 
ssllabs.
-  * Same but specify SSLOptions to AllowSSL3 or AllowRC4.
+  * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and 
SSLOptions None
+    * This should show up as having RC4 and SSLv3 disabled via a test like 
ssllabs.
+  * Same but specify SSLOptions to AllowSSL3 or AllowRC4.
  
  [Regression Potential]
  
-  * One assumption was this should only affect WinXP and even then only
+  * One assumption was this should only affect WinXP and even then only
  IE6 winxp users.  If incorrect more could be affected.
  
-  * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
+  * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in
  some unknown corner case.  There's no evidence of this and other distros
  have deployed a very similar patch.
  
  [Other Info]
-  
-  * Only targetting 14.04 because of my assumption that if you're on 12.04 you 
are more likely to have older clients connecting to it.
  
+  * Only targetting 14.04 because of my assumption that if you're on
+ 12.04 you are more likely to have older clients connecting to it.
+ 
+ Original description:
  
  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle,
  and there does not appear to be any way to mitigate it in Cups config.
  
  Ubuntu 14.04 - 
https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on
  Ubuntu 12.04 - 
https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on
  
  Fixed in wily - 
https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on
  Upstream fix - https://www.cups.org/str.php?L4476
  
  Should we disable ssvl3 in the 12.04/14.04 cups by default and backport
  the option to turn it back on?

Status in cups package in Ubuntu:
  New


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-12 Thread Bryan Quigley
Really fixed extra file, added LP #, and removed "Upgrade to SSLv3"
part.

** Patch added: "cups_1.7.2-0ubuntu1.7.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4517582/+files/cups_1.7.2-0ubuntu1.7.debdiff

Status in cups package in Ubuntu:
  New


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulnerable to POODLE

2015-11-10 Thread Marc Deslauriers
1- The debdiff in comment #9 still contains an extra cups-1.7.2/lets_patch_this.patch section. Could you please remove it?
2- Please add an origin tag to the patch that traces back to redhat's 1161172 bug, since I believe that's what you based the backport on

3- Also, I don't think we should do this change:


@@ -4811,7 +4813,10 @@
   if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls)
   {
 httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
-httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+  httpSetField(http, HTTP_FIELD_UPGRADE, 
"TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+else
+  httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
   }
 #endif /* HAVE_SSL */
 
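
Review bot: In the added `if (tls_options & _HTTP_TLS_ALLOW_SSL3)` branch, the `Upgrade` header value gains `SSL/3.0`, so a connection with `HTTP_ENCRYPTION_REQUIRED` asks to be upgraded to the protocol this update turns off by default. Leave the original `httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");` unconditional. The hunk also reads `tls_options` without showing where it is declared or initialised; that wants a comment at its definition stating the default.
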
@@ -5572,7 +5590,10 @@
 
   httpClearFields(http);
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
-  httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
+  if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0");
+  else
+httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0");
 
   if ((ret = httpOptions(http, "*")) == 0)
   {
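
Review bot: The if/else added ahead of httpOptions(http, "*") is a second copy of the same conditional and of both token strings, so the two lists can drift apart in a later edit. If the conditional stays, build the Upgrade value once and use it at both call sites; otherwise keep the original one-line httpSetField call, since the visible lines give no reason to offer SSL/3.0 as an upgrade target.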

It doesn't make sense to "upgrade" to sslv3.

So, looking at the patch, I believe this should be an SRU, and not a
security update.



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-10 Thread Marc Deslauriers
Also, please add "(LP: #1505328)" to the debian/changelog.



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-08 Thread Mathew Hodson
** Tags added: precise trusty

** Changed in: cups (Ubuntu)
   Importance: Undecided => High



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-02 Thread Bryan Quigley
Related issue for 14.04 -
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-02 Thread Bryan Quigley
** Patch added: "now  current debdiff (fixes accidentally included file)"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff

** Patch removed: "debdiff for 14.04"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-02 Thread Ubuntu Foundations Team Bug Bot
The attachment "now  current debdiff (fixes accidentally included file)"
seems to be a debdiff.  The ubuntu-sponsors team has been subscribed to
the bug report so that they can review and hopefully sponsor the
debdiff.  If the attachment isn't a patch, please remove the "patch"
flag from the attachment, remove the "patch" tag, and if you are member
of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-11-02 Thread Bryan Quigley
I'm thinking it makes sense to do this as a normal (not security) update,
as it changes the default config.

For 12.04, I haven't seen any demand to backport this.

** Patch added: "debdiff for 14.04"
   
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-29 Thread Bryan Quigley
Made it into a more proper ppa for 14.04 -
https://launchpad.net/~bryanquigley/+archive/ubuntu/ppa



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-26 Thread Bryan Quigley
Test fix for 14.04 is available here -
http://people.canonical.com/~bryanquigley/cups-1505328

Does anyone need this fix for 12.04?



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-23 Thread Bryan Quigley
Patch in progress for 14.04 (http://pastebin.ubuntu.com/12904343/) for
some reason fails to fix the Poodle on TLS issue.



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-23 Thread Bryan Quigley
None of these issues exist in vivid, cups version 2.0.2-1ubuntu3.2.  No
RC4, No SSLv3, No Poodle on TLS.  Would have an A- rating (if it was a
valid domain/cert).


[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-23 Thread Bryan Quigley
Interesting - 14.10 has SSLv3, RC4 issues, but Poodle on TLS is not there
(overall grade C).  Cups 1.7.5-3ubuntu3.2, libgnutls-deb0-28
vs 14.04 - cups 1.7.2-0ubuntu1.6, libgnutls26



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-20 Thread Bryan Quigley
What RH did:
https://rhn.redhat.com/errata/RHBA-2015-1346.html
https://bugzilla.redhat.com/show_bug.cgi?id=1161171
https://bugzilla.redhat.com/show_bug.cgi?id=1161172

Upstream patch - http://pastebin.ubuntu.com/12879503/

** Bug watch added: Red Hat Bugzilla #1161171
   https://bugzilla.redhat.com/show_bug.cgi?id=1161171

** Bug watch added: Red Hat Bugzilla #1161172
   https://bugzilla.redhat.com/show_bug.cgi?id=1161172



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-13 Thread Seth Arnold
** Tags added: poodle



[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE

2015-10-12 Thread Thomas Ward
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
