[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
This bug was fixed in the package cups - 1.7.2-0ubuntu1.7

---
cups (1.7.2-0ubuntu1.7) trusty-security; urgency=medium

  * Disable SSLv3 with option to turn back on.
    - debian/patches/disable-sslv3.patch: AllowSSL3 turns SSLv3 back on
      and AllowRC4 turns on just the RC4 cypers. (LP: #1505328)

 -- Bryan Quigley  Tue, 10 Nov 2015 21:08:44 +

** Changed in: cups (Ubuntu Trusty)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1505328

Title:
  Cups SSL is vulernable to POODLE

Status in cups package in Ubuntu:
  Fix Released
Status in cups source package in Trusty:
  Fix Released

Bug description:
  [Impact]

  * Cups in Trusty is vulnerable to the Poodle SSLv3. This disables it by default.
  * Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.

  [Test Case]

  * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
  * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
  * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

  [Regression Potential]

  * One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.
  * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.

  [Other Info]

  * Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.

  Original description:

  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on
  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on
  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
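The [Test Case] in the bug description relies on an external scanner such as ssllabs; the same two checks can be run directly against the SSLPort listener. The following is an added example, not part of the bug report or the CUPS patch: it sends an extension-less ClientHello and classifies the first reply record. The host and port given to `audit()` are the caller's own, and the sample replies are constructed.

```python
"""Check a direct-TLS listener (such as cupsd's SSLPort) for SSLv3 and RC4."""
import os
import socket
import struct

SSL3, TLS10 = (3, 0), (3, 1)
# Cipher suite code points from the IANA TLS registry.
RC4_SUITES = (0x0004, 0x0005)          # RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA
CBC_SUITES = (0x000A, 0x002F, 0x0035)  # RSA with 3DES, AES-128, AES-256 (CBC, SHA)


def build_client_hello(version, suites):
    """Return one handshake record holding an extension-less ClientHello."""
    body = bytes(version) + os.urandom(32)        # client_version, random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one method: null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_reply(data):
    """Classify the first record of a reply: accepted, alert, closed or unknown."""
    reply = {"status": "unknown", "version": None, "suite": None, "alert": None}
    if not data:
        reply["status"] = "closed"
        return reply
    if len(data) < 5:
        return reply
    rtype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:        # alert: level, description
        reply.update(status="alert", version=(major, minor), alert=payload[1])
    elif rtype == 0x16 and len(payload) >= 39 and payload[0] == 0x02:
        # ServerHello: 4-byte header, version(2), random(32), session_id, suite(2)
        suite_at = 39 + payload[38]
        if len(payload) >= suite_at + 2:
            suite = struct.unpack("!H", payload[suite_at:suite_at + 2])[0]
            reply.update(status="accepted", version=(payload[4], payload[5]),
                         suite=suite)
    return reply


def findings(ssl3_reply, rc4_reply):
    """Map the two probe replies onto the test case's pass/fail criteria."""
    ssl3, rc4 = parse_reply(ssl3_reply), parse_reply(rc4_reply)
    return {
        "sslv3_enabled": ssl3["status"] == "accepted" and ssl3["version"] == SSL3,
        "rc4_enabled": rc4["status"] == "accepted" and rc4["suite"] in RC4_SUITES,
    }


def recv_record(sock):
    """Read one whole TLS record, or whatever arrived before the peer closed."""
    buf = b""
    try:
        while len(buf) < 5:
            chunk = sock.recv(5 - len(buf))
            if not chunk:
                return buf
            buf += chunk
        need = 5 + struct.unpack("!H", buf[3:5])[0]
        while len(buf) < need:
            chunk = sock.recv(need - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:                                # reset or timeout: keep partial data
        pass
    return buf


def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello to host:port and return the raw first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        return recv_record(sock)


def audit(host, port=443):
    """SSLv3 hello with CBC+RC4 suites, then a TLS 1.0 hello offering only RC4."""
    ssl3 = probe(host, port, SSL3, CBC_SUITES + RC4_SUITES)
    rc4 = probe(host, port, TLS10, RC4_SUITES)
    return findings(ssl3, rc4)


def sample_server_hello(version, suite):
    """Build a constructed ServerHello record for offline checks."""
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


# Constructed sample replies (not captured traffic).
SAMPLE_SSL3_HELLO = sample_server_hello(SSL3, 0x000A)
SAMPLE_RC4_HELLO = sample_server_hello(TLS10, 0x0005)
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"    # fatal handshake_failure(40)

if __name__ == "__main__":
    print("SSLv3 and RC4 offered:", findings(SAMPLE_SSL3_HELLO, SAMPLE_RC4_HELLO))
    print("both refused:         ", findings(SAMPLE_ALERT, SAMPLE_ALERT))
```

With `SSLOptions None` both findings should be false; with `AllowSSL3` or `AllowRC4` set, the matching finding should turn true.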
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
ACK on the updated debdiff, thanks! I've changed my mind, and will release it as a security update after all if testing goes well.

Thanks!

** Changed in: cups (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
This part of the patch is wrong: 
@@ -895,18 +922,6 @@ _cupsSetDefaults(void) * Look for ~/.cups/client.conf... */ - snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home); - fp = cupsFileOpen(filename, "r"); -} -else - fp = NULL; - -if (!fp) -{ - /* - * Look for CUPS_SERVERROOT/client.conf... - */ - snprintf(filename, sizeof(filename), "%s/client.conf", cg->cups_serverroot); fp = cupsFileOpen(filename, "r");
It is removing the section that reads ~/.cups/client.conf instead of removing the section that reads CUPS_SERVERROOT/client.conf that got moved higher up in the code.
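Review bot: in the _cupsSetDefaults hunk the removed lines are the ~/.cups/client.conf lookup, so the surviving comment "Look for ~/.cups/client.conf..." now sits directly above the snprintf that builds "%s/client.conf" from cg->cups_serverroot, and the per-user file is never opened. Keep the home-directory snprintf/cupsFileOpen pair and delete the "Look for CUPS_SERVERROOT/client.conf..." block instead. The hunk also drops a closing brace and the "else fp = NULL;" branch whose opening if lies above the visible context, so check brace balance and that fp is still initialised on the path where that condition is false.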
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
New debdiff with fix for C#15

** Patch added: "cups_1.7.2-0ubuntu1.7.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4531562/+files/cups_1.7.2-0ubuntu1.7.debdiff
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Patch removed: "now current debdiff (fixes accidentally included file)"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Also affects: cups (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: cups (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: cups (Ubuntu Trusty)
       Status: New => Triaged
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Forgot to mark it fixed in devel (since wily at least)

** Changed in: cups (Ubuntu)
       Status: New => Fix Released
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Description changed: + [Impact] + + * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default. + * Users who have clients that don't support TLS1.0 will not be able to connect, unless + they specify the additional options in cupsd.conf. + + [Test Case] + + * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None +* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs. + * Same but specify SSLOptions to AllowSSL3 or AllowRC4. + + [Regression Potential] + + * One assumption was this should only affect WinXP and even then only + IE6 winxp users. If incorrect more could be affected. + + * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in + some unknown corner case. There's no evidence of this and other distros + have deployed a very similar patch. + + [Other Info] + + * Only targetting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it. + + On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config. Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on Upstream fix - https://www.cups.org/str.php?L4476 Should we disable ssvl3 in the 12.04/14.04 cups by default and backport the option to turn it back on?
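Review bot: the third [Test Case] bullet ("Same but specify SSLOptions to AllowSSL3 or AllowRC4") gives no expected result, unlike the second bullet. State that the scan should then show SSLv3 offered again with AllowSSL3 and the RC4 ciphers offered again with AllowRC4, and test each option on its own, so a tester can tell a working opt-in from one that silently does nothing.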
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Bug watch removed: Red Hat Bugzilla #1161171
   https://bugzilla.redhat.com/show_bug.cgi?id=1161171
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Description changed: [Impact] - * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default. - * Users who have clients that don't support TLS1.0 will not be able to connect, unless - they specify the additional options in cupsd.conf. + * Cups in Trusty is vulnerbable to the Poodle SSLv3. This disables it by default. + * Users who have clients that don't support TLS1.0 will not be able to connect, unless + they specify the additional options in cupsd.conf. [Test Case] - * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None -* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs. - * Same but specify SSLOptions to AllowSSL3 or AllowRC4. + * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None + * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs. + * Same but specify SSLOptions to AllowSSL3 or AllowRC4. [Regression Potential] - * One assumption was this should only affect WinXP and even then only + * One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected. - * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in + * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch. [Other Info] - - * Only targetting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it. + * Only targetting 14.04 because of my assumption that if you're on + 12.04 you are more likely to have older clients connecting to it. + + Original description: On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config. 
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com=on Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com=on Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com=on Upstream fix - https://www.cups.org/str.php?L4476 Should we disable ssvl3 in the 12.04/14.04 cups by default and backport the option to turn it back on?
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Really fixed extra file, added LP #, and removed "Upgrade to SSLv3" part.

** Patch added: "cups_1.7.2-0ubuntu1.7.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4517582/+files/cups_1.7.2-0ubuntu1.7.debdiff
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
1- The debdiff in comment #9 still contains an extra cups-1.7.2/lets_patch_this.patch section. Could you please remove it?

2- Please add an origin tag to the patch that traces back to redhat's 1161172 bug, since I believe that's what you based the backport on.

3- Also, I don't think we should do this change:

@@ -4811,7 +4813,10 @@ if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls) { httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade"); -httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0"); +if (tls_options & _HTTP_TLS_ALLOW_SSL3) + httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0"); +else + httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0"); } #endif /* HAVE_SSL */
@@ -5572,7 +5590,10 @@ httpClearFields(http); httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade"); - httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0"); + if (tls_options & _HTTP_TLS_ALLOW_SSL3) +httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0,SSL/3.0"); + else +httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2,TLS/1.1,TLS/1.0"); if ((ret = httpOptions(http, "*")) == 0) {

It doesn't make sense to "upgrade" to sslv3.

So, looking at the patch, I believe this should be an SRU, and not a security update.
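Review bot: in the @@ -4811 hunk the new if branch adds SSL/3.0 to the HTTP_FIELD_UPGRADE token list whenever _HTTP_TLS_ALLOW_SSL3 is set, which advertises the protocol this patch exists to disable as an upgrade target. The else branch is identical to the removed line, so the simplest fix is to drop the conditional and leave the original single httpSetField call as it was.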
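Review bot: the @@ -5572 hunk repeats the same four-line conditional and both token strings from the earlier hunk, so the two Upgrade lists can drift apart in a later edit; if the conditional is kept at all, build the header value in one place and use it at both call sites. tls_options is read here with no declaration or assignment in the visible lines, so confirm it is set from the configuration before this httpOptions path can run.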
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Also, please add "(LP: #1505328)" to the debian/changelog.
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Tags added: precise trusty
** Changed in: cups (Ubuntu)
   Importance: Undecided => High
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Related issue for 14.04 - https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Patch added: "now current debdiff (fixes accidentally included file)"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff
** Patch removed: "debdiff for 14.04"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
The attachment "now current debdiff (fixes accidentally included file)" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]
** Tags added: patch
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
I'm thinking it makes sense to do this as a normal (not security update) as it changes the default config. For 12.04, I haven't seen any demand to backport this.
** Patch added: "debdiff for 14.04"
   https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Made it into a more proper ppa for 14.04 - https://launchpad.net/~bryanquigley/+archive/ubuntu/ppa
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Test fix for 14.04 is available here - http://people.canonical.com/~bryanquigley/cups-1505328 Does anyone need this fix for 12.04?
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Patch in progress for 14.04 http://pastebin.ubuntu.com/12904343/ for some reason fails to fix Poodle on TLS issue.
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
None of these issues exist in vivid, cups version 2.0.2-1ubuntu3.2. No RC4, No SSLv3, No Poodle on TLS. Would have an A- rating (if it was a valid domain/cert).
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
Interesting - 14.10 has SSLv3, RC4 issues, but Poodle on TLS is not there (overall grade C). Cups 1.7.5-3ubuntu3.2, libgnutls-deb0-28 vs 14.04 - cups 1.7.2-0ubuntu1.6, libgnutls26
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
What RH did:
https://rhn.redhat.com/errata/RHBA-2015-1346.html
https://bugzilla.redhat.com/show_bug.cgi?id=1161171
https://bugzilla.redhat.com/show_bug.cgi?id=1161172
Upstream patch - http://pastebin.ubuntu.com/12879503/
** Bug watch added: Red Hat Bugzilla #1161171
   https://bugzilla.redhat.com/show_bug.cgi?id=1161171
** Bug watch added: Red Hat Bugzilla #1161172
   https://bugzilla.redhat.com/show_bug.cgi?id=1161172
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** Tags added: poodle
[Touch-packages] [Bug 1505328] Re: Cups SSL is vulernable to POODLE
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566