On 10/15/2014 8:16 AM, Jan Tomasek wrote:
Is http://poodlebleed.com/ related to 389? I think it is. This is not an implementation flaw in OpenSSL; it seems to be related to the SSLv3 design.

From http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566 :

Is it relevant for HTTPS only, or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?

The current attack vector as shown by the researchers works by controlling the plaintext sent to the server using JavaScript being run on the victim's machine. This vector does not apply to non-HTTPS scenarios without using a browser. Also, normally an SSL client doesn't allow the session to be downgraded to SSLv3 (having seen TLSv1+ in the handshake capabilities), but browsers want to be very backward compatible and they do. The combination of controlling the plaintext and the specific way an HTTP header is built up makes it exploitable.

Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
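The message above notes that browsers, unlike most other SSL clients, retry a failed TLS handshake with an SSLv3 ClientHello, and that this downgrade is what POODLE relies on. The following is an added example, not code from the thread or from the 389 project, that shows how a defender can spot that pattern passively: it parses the record and handshake headers of captured ClientHello records, reads the offered protocol version, and reports any client that first offered TLS 1.x and then fell back to SSLv3. The `build_client_hello` helper and the `SAMPLE_EVENTS` capture are constructed test data, and the function names are the example's own.

```python
"""Flag SSLv3 ClientHellos, and the TLS-then-SSLv3 retry pattern, in captured records."""
import struct

SSLV3 = (3, 0)
VERSION_NAMES = {
    (3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}


def client_hello_version(record: bytes):
    """Return the protocol version a ClientHello offers, as a (major, minor) tuple.

    Parses the 5-byte record header and the 4-byte handshake header; raises
    ValueError for anything that is not a handshake record carrying a ClientHello.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2:
        raise ValueError("truncated ClientHello")
    # client_version is the first field of the ClientHello body; the
    # record-layer version is advisory and should not be trusted for this.
    return (hello[0], hello[1])


def version_name(ver):
    return VERSION_NAMES.get(ver, "unknown %d.%d" % ver)


def detect_downgrades(events):
    """events: list of (client_id, record) in capture order.

    Returns {client_id: [version names offered, in order]} for every client that
    sent an SSLv3 ClientHello after having first offered something newer, i.e.
    the browser retry behaviour that POODLE depends on. Clients that only ever
    speak SSLv3 are legacy, not a downgrade, and are not reported here.
    """
    offered = {}
    for client, record in events:
        try:
            ver = client_hello_version(record)
        except ValueError:
            continue  # not a ClientHello: ignore
        offered.setdefault(client, []).append(ver)
    suspicious = {}
    for client, versions in offered.items():
        if SSLV3 in versions and max(versions) > SSLV3:
            suspicious[client] = [version_name(v) for v in versions]
    return suspicious


def build_client_hello(version):
    """Construct a minimal ClientHello record for the given version (sample data only)."""
    major, minor = version
    # client_version, 32-byte random, empty session id, one cipher suite, null compression
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample capture: client "A" retries with TLS 1.0 and then SSLv3 after a
# TLS 1.2 attempt; client "B" uses TLS 1.2 only; client "C" is an SSLv3-only legacy client.
SAMPLE_EVENTS = [
    ("A", build_client_hello((3, 3))),
    ("B", build_client_hello((3, 3))),
    ("A", build_client_hello((3, 1))),
    ("A", build_client_hello((3, 0))),
    ("C", build_client_hello((3, 0))),
    ("B", b"\x17\x03\x03\x00\x01\x00"),  # application-data record, skipped by the parser
]

if __name__ == "__main__":
    for client, versions in detect_downgrades(SAMPLE_EVENTS).items():
        print(client, "->", " then ".join(versions))
```

Run against the constructed capture it reports only client "A" (TLS 1.2, then TLS 1.0, then SSLv3). In practice the records would come from a packet capture at the directory server or load balancer; once SSLv3 is disabled server-side, such clients simply fail to connect, which is the visible sign that the fix is in place.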