Juju still vulnerable to CVE-2013-2566, CVE-2015-2808
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical Juju | Fix Released | Critical | Nate Finch | |
| juju-core | Fix Released | Critical | Nate Finch | |
| 1.25 | Fix Released | Critical | Nate Finch | |
Bug Description
Originally reported by Bryan Quigley via github: https:/
Trusty uses go <1.5. Can we fix Poodle/RC4 issues on trusty as well?
Specifically ports 38017 and 37017 are vulnerable to both attack vectors. You can test with
https:/
Key outputs:
SSLv3 offered (NOT ok)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5
I was incorrect. RC4 issue does still affect Xenial, but SSLv3 is fixed there.
Changed in juju-core: milestone: 2.0-beta5 → 2.0-rc1
Changed in juju-core: assignee: Cheryl Jennings (cherylj) → nobody
Changed in juju-core: milestone: 2.0-beta6 → 2.0-beta7
Changed in juju-core: assignee: nobody → Nate Finch (natefinch)
Changed in juju-core: status: Triaged → Fix Committed
Changed in juju-core: status: Fix Committed → Fix Released
Changed in juju-core: status: Fix Released → Triaged; status: Triaged → Fix Released; tags: added: blocker; affects: juju-core → juju
Changed in juju: milestone: 2.0-beta7 → none; milestone: none → 2.0-beta7
Changed in juju-core: assignee: nobody → Nate Finch (natefinch); importance: Undecided → Critical; status: New → Fix Committed; tags: removed: blocker; information type: Private Security → Public Security
Changed in juju-core: status: Fix Committed → Fix Released
We have just switched to using go 1.6 everywhere, so the next 1.25 release will be built entirely with 1.6. 2.0-beta4 was released with all tools built with go 1.6.
From the issue reported in GH, it sounds like the only outstanding issue we'll have is the RC4 CVEs listed.
Adding security folks for guidance.
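As an added illustration (not Juju's own code), here is a Go check that flags on a `tls.Config` the two weaknesses the scan output in the description reports on the API and MongoDB ports, SSLv3 offered and RC4 suites offered, beside a hardened configuration with an explicit TLS 1.2 floor and no RC4. The function names and both sample configs are assumptions constructed for the example; the classification of suites comes from `crypto/tls` itself.

```go
package main

import "crypto/tls"

// AuditConfig reports what the scanner quoted in the bug would flag against a
// listener using cfg: SSLv3 offered and RC4 suites offered. A zero MinVersion or
// empty CipherSuites means "whatever the Go toolchain the tools were built with
// defaults to" (the trusty situation), so it is reported rather than assumed safe.
func AuditConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "minimum version left to toolchain defaults")
	case cfg.MinVersion < tls.VersionTLS10:
		findings = append(findings, "SSLv3 offered (POODLE, CVE-2014-3566)")
	}
	if len(cfg.CipherSuites) == 0 {
		return append(findings, "cipher suites left to toolchain defaults")
	}
	insecure := map[uint16]string{} // suite ID -> name, as classified by crypto/tls
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure suite offered: "+name)
		}
	}
	return findings
}

// LegacyConfig is a constructed stand-in for what the scan saw: an SSLv3 floor and RC4-SHA offered.
func LegacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionSSL30, // deprecated constant, kept only to model the weak setting
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,              // "RC4-SHA" in the scan output
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // the one suite here worth keeping
		},
	}
}

// HardenedConfig pins the floor at TLS 1.2 and offers only the suites crypto/tls
// classifies as secure, which excludes every RC4 suite.
func HardenedConfig() *tls.Config {
	var suites []uint16
	for _, cs := range tls.CipherSuites() {
		suites = append(suites, cs.ID)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites}
}
```

Running `AuditConfig` over the listener's actual config at startup, and failing the build or test when it returns anything, catches a regression in the toolchain defaults before a scanner does.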