[Bug 1509586] Re: SSLv3 enabled in apache2 by default

2015-10-26 Thread Robie Basak
I have verified that apache2 2.4.12-2ubuntu2 (in Vivid and Wily) ships
with:

SSLProtocol all -SSLv3

I'm with Seth in that retrospectively updating existing 14.04
deployments risks breaking users. Even if we could update only fresh
installs of 14.04, that would be particularly confusing and break for
existing users who have a reproducible deployment as is current best
practice.

On the other hand, users still deploy 14.04 fresh today, and best
practice would be to configure new deployments with SSLv3 disabled.
Perhaps we should have a place where we can document this kind of thing?
The release notes in a point release perhaps? However, there are no more
point releases for 14.04 scheduled. So I'll mark this Won't Fix for
Trusty, but welcome conversation on this issue.

** Also affects: apache2 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: apache2 (Ubuntu Trusty)
   Status: New => Won't Fix

** Changed in: apache2 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1509586

Title:
  SSLv3 enabled in apache2 by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1509586/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1509586] Re: SSLv3 enabled in apache2 by default

2015-10-23 Thread Seth Arnold
I don't think we will want to push updates to disable ssl3 on existing
systems, and I'm not sure how feasible it would be to push an update
that only modifies the defaults for brand-new installs. I suspect the
only thing to be done for 14.04 LTS is to educate system administrators
about the risks of ssl3 and how to disable it.

We should certainly verify that ssl3 is disabled by default in xenial.

Thanks

** Information type changed from Private Security to Public Security

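To make Seth's "how to disable it" and Robie's SSLProtocol all -SSLv3 concrete, here is an added audit helper (not from this thread or from the apache2 package) that evaluates an SSLProtocol directive the way mod_ssl does and reports whether SSLv3 is still allowed. Assumptions: the keyword set and the expansion of "all" follow mod_ssl 2.4 of that era (no TLSv1.3), a missing directive means "all", and VirtualHost scoping is ignored, so the last directive in the text wins.

```python
"""Check whether an Apache SSLProtocol setting still allows SSLv3.

Added example; assumption: keywords and 'all' are modelled on mod_ssl 2.4
as shipped around 2015 (SSLv3, TLSv1, TLSv1.1, TLSv1.2; no SSLv2, no TLSv1.3).
"""
import re

ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}  # mod_ssl matches case-insensitively


def resolve_sslprotocol(value):
    """Evaluate an SSLProtocol argument as mod_ssl does: tokens are read left
    to right, '+X' adds, '-X' removes, and a bare keyword replaces the whole
    set. Returns the set of enabled protocol names."""
    enabled = set()
    for token in value.split():
        action, name = ("=", token)
        if token[0] in "+-" and len(token) > 1:
            action, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            members = set(ALL_PROTOCOLS)
        elif key in _CANON:
            members = {_CANON[key]}
        else:
            raise ValueError("illegal SSLProtocol keyword: %s" % name)
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return enabled


def sslprotocol_directives(conf_text):
    """Yield the argument of every uncommented SSLProtocol line."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            yield m.group(1)


def sslv3_allowed(conf_text):
    """True if the effective SSLProtocol (mod_ssl's built-in 'all' when the
    directive is absent) still permits SSLv3. Assumption: no scoping, so the
    last directive in the text is taken as the effective one."""
    effective = "all"
    for value in sslprotocol_directives(conf_text):
        effective = value
    return "SSLv3" in resolve_sslprotocol(effective)
```

Running it over a constructed ssl.conf fragment containing only "SSLProtocol all" reports SSLv3 as allowed, while the same fragment with "SSLProtocol all -SSLv3" does not; a file with the directive commented out falls back to "all" and is flagged too.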