Further changes and updates.  Upstream ZNC has accepted commits to
accept SSL protocol configuration to select the protocols you want to
support.  https://github.com/znc/znc/pull/728/files

This was facilitated by commits to the CSocket program/library that ZNC
uses and includes with itself.

The commit contains four git commits:
(1) Update CSocket.
(2) Fix the non-SSL builds
(3) Disable SSL Compression (to mitigate CRIME vulnerability)
(4) Add a configuration option to define SSL protocols that are supported.


I discussed this with mdeslaur.  Adding the configuration option to define SSL 
protocols may be more feasible to include than to outright disable the SSL 
protocol for SSLv3 on its own.  This would also potentially apply as a valid 
SRU to older releases, thereby making this security issue a null point.  To the 
end that this could be a possible SRU, I'm marking everything as "Confirmed" 
rather than "Won't Fix", pending a discussion with the SRU team ahead of 
uploading debdiffs.

** Changed in: znc (Ubuntu Precise)
       Status: Won't Fix => Confirmed

** Changed in: znc (Ubuntu Trusty)
       Status: Won't Fix => Confirmed

** Changed in: znc (Ubuntu Utopic)
       Status: Won't Fix => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1389264

Title:
  ZNC SSL listeners are vulnerable to POODLE.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/znc/+bug/1389264/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
