diff -Nru nginx-1.6.2/debian/changelog nginx-1.6.2/debian/changelog
--- nginx-1.6.2/debian/changelog 2014-09-22 13:44:37.000000000 -0400
+++ nginx-1.6.2/debian/changelog 2014-10-22 09:44:12.000000000 -0400
@@ -1,3 +1,10 @@
+nginx (1.6.2-1ubuntu1.1) utopic; urgency=medium
+
+ * debian/conf/sites-available/default: Remove SSLv3 from the ssl_protocols
+ line in the default config example, due to POODLE vulnerability.
+
+ -- Thomas Ward Wed, 22 Oct 2014 09:43:35 -0400
+
 nginx (1.6.2-1ubuntu1) utopic; urgency=medium
 
 * Merge from Debian. Remaining changes:
diff -Nru nginx-1.6.2/debian/conf/sites-available/default nginx-1.6.2/debian/conf/sites-available/default
--- nginx-1.6.2/debian/conf/sites-available/default 2014-09-17 04:20:11.000000000 -0400
+++ nginx-1.6.2/debian/conf/sites-available/default 2014-10-22 09:43:32.000000000 -0400
@@ -102,7 +102,7 @@
 #
 # ssl_session_timeout 5m;
 #
-# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
 # ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
 # ssl_prefer_server_ciphers on;
 #
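Review bot: The new `ssl_protocols` line in the second hunk is still commented out, so this change only corrects the example; a server block that enables SSL without its own `ssl_protocols` directive falls back to the compiled-in default, which in nginx 1.6.x still appears to include SSLv3 (worth confirming against the build). If the goal is to protect default installs from POODLE, consider also shipping an active `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` at the http level, and noting in the changelog that sites which already copied the old example line need a manual edit. As a style point, the trailing comment uses a typographic apostrophe (`don’t`); plain ASCII `don't` is safer in a conffile. The commented server block this line belongs to starts and ends outside the hunk.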