Wrapper doesn't include TLSCipherSuite
Bug #1381840 reported by Jeff Veit
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pure-ftpd (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Because the pure-ftpd-wrapper doesn't include TLSCipherSuite, when TLS is switched on, PureFTP may be vulnerable to the PoodleBleed SSLv3 fallback attack. The TLSCipherSuite flag allows the administrator to set a particular cipher list. By default, when it's not present, SSLv3 is included in the list of acceptable ciphers.
I suggest that TLSCipherSuite be added. Possibly a default list of ciphers could be triggered with something like 'UbuntuDefault' as the value. This would trigger something that excluded SSLv3.
information type: Private Security → Public Security
Changed in pure-ftpd (Ubuntu): status: New → Confirmed
Changed in pure-ftpd (Ubuntu): importance: Undecided → Medium
tags: added: patch
Changed in pure-ftpd (Ubuntu): status: Confirmed → Triaged
For those wanting a quick, dirty fix...
Add `'TLSCipherSuite' => ['-J %s', \&parse_string],` to my %conf in /usr/sbin/pure-ftpd-wrapper.
In /etc/pure-ftpd/conf create TLSCipherSuite with something like `HIGH:MEDIUM:TLSv1.2:+TLSv1:!SSLv3:!SSLv2` as the content.
Then restart Pure FTP.
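The workaround above relies on the wrapper's mechanism of mapping each file under /etc/pure-ftpd/conf to a command-line flag. The following added example (my own code, not pure-ftpd's wrapper or anything from this bug thread) mirrors that mapping for the two TLS-related settings and reports the configuration gap the bug describes: TLS switched on with no TLSCipherSuite file, or with a cipher string that never excludes SSLv3. The `-J` template is the line from the comment; `-Y` for the TLS setting follows pure-ftpd's `--tls` option. The sample configuration is constructed inline so the check runs offline.

```python
"""Replicate pure-ftpd-wrapper's conf-file -> flag mapping for TLS settings
and flag a configuration that leaves the default (SSLv3-capable) cipher list."""
import os

# /etc/pure-ftpd/conf/<Name> -> flag template, as the wrapper's %conf does.
# '-J %s' is the entry proposed in the comment; '-Y %s' is pure-ftpd's --tls.
CONF_FLAGS = {
    "TLS": "-Y %s",
    "TLSCipherSuite": "-J %s",
}


def read_conf_dir(path: str) -> dict:
    """Load {Name: content} from a conf directory such as /etc/pure-ftpd/conf."""
    conf = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            conf[name] = fh.read()
    return conf


def build_args(conf: dict) -> list:
    """Return the argv fragment the wrapper would pass for the known TLS names."""
    args = []
    for name, value in conf.items():
        template = CONF_FLAGS.get(name)
        if template is None:
            continue  # not a TLS setting; ignored here (the real wrapper knows many more)
        args.extend(template.replace("%s", value.strip()).split(" ", 1))
    return args


def cipher_string_excludes_sslv3(cipher_string: str) -> bool:
    """True when the OpenSSL cipher string carries an explicit '!SSLv3' kill rule."""
    return any(tok.strip() == "!SSLv3" for tok in cipher_string.split(":"))


def assess(conf: dict) -> str:
    """Classify the TLS posture implied by the conf files (TLS defaults to 0 = off)."""
    if conf.get("TLS", "0").strip() == "0":
        return "tls-off"
    suite = conf.get("TLSCipherSuite")
    if suite is None:
        return "tls-on-default-ciphers"  # the situation this bug reports
    if not cipher_string_excludes_sslv3(suite):
        return "tls-on-sslv3-allowed"
    return "tls-on-sslv3-excluded"


if __name__ == "__main__":
    # Constructed sample matching the comment's workaround (not a real host's config).
    sample = {"TLS": "1\n", "TLSCipherSuite": "HIGH:MEDIUM:TLSv1.2:+TLSv1:!SSLv3:!SSLv2\n"}
    print(build_args(sample), assess(sample))
```

Note that an OpenSSL cipher string only selects cipher suites: `!SSLv3` drops the suites introduced with SSLv3, it does not by itself disable the SSLv3 protocol, so protocol-version controls still have to be checked separately.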