2014-10-20 16:44:57 |
Thomas Ward |
bug |
|
|
added bug |
2014-10-20 16:49:36 |
Thomas Ward |
summary |
nginx default config has SSLv3 enabled, makes things vulnerable to POODLE |
nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE |
|
2014-10-20 16:53:34 |
Thomas Ward |
nginx: status |
New |
Confirmed |
|
2014-10-20 16:54:18 |
Thomas Ward |
description |
By default, the shipped `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore? |
By default, the shipped `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package. |
|
2014-10-20 16:54:31 |
Thomas Ward |
description |
By default, the shipped `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package. |
The included `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package. |
|
2014-10-20 17:00:56 |
Thomas Ward |
description |
The included `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package. |
The included `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.
This change was already made in Debian Unstable. |
|
2014-10-20 17:01:52 |
Thomas Ward |
description |
The included `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
In the PPAs, this affects all versions of the package in both Stable and Mainline.
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.
This change was already made in Debian Unstable. |
The included `default` config file contains a commented-out section for SSL.
That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.
Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
------
NGINX Project:
In the PPAs, this affects all versions of the package in both Stable and Mainline.
------
Ubuntu Project:
In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.
This change was already made/committed in Debian Unstable. |
|
2014-10-20 17:02:00 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu) |
|
2014-10-20 17:02:15 |
Thomas Ward |
nginx: assignee |
|
Thomas Ward (teward) |
|
2014-10-20 17:04:02 |
Thomas Ward |
nominated for series |
|
Ubuntu Utopic |
|
2014-10-20 17:04:02 |
Thomas Ward |
nominated for series |
|
Ubuntu Precise |
|
2014-10-20 17:04:02 |
Thomas Ward |
nominated for series |
|
Ubuntu Trusty |
|
2014-10-21 13:41:13 |
Robie Basak |
tags |
|
poodle |
|
2014-10-22 16:19:26 |
Thomas Ward |
attachment added |
|
Precise Debdiff for Ubuntu https://bugs.launchpad.net/nginx/+bug/1383379/+attachment/4241830/+files/nginx_sslv3_remove_debdiff_precise.debdiff |
|
2014-10-22 16:19:58 |
Thomas Ward |
attachment added |
|
Trusty Debdiff for Ubuntu https://bugs.launchpad.net/nginx/+bug/1383379/+attachment/4241832/+files/nginx_sslv3_remove_debdiff_trusty.debdiff |
|
2014-10-22 16:20:50 |
Thomas Ward |
attachment added |
|
Utopic Debdiff for Ubuntu https://bugs.launchpad.net/nginx/+bug/1383379/+attachment/4241835/+files/nginx_sslv3_remove_debdiff_utopic.debdiff |
|
2014-10-22 16:21:01 |
Thomas Ward |
nginx: status |
Confirmed |
In Progress |
|
2014-10-22 16:25:44 |
Ubuntu Foundations Team Bug Bot |
tags |
poodle |
patch poodle |
|
2014-10-22 16:25:53 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2014-10-22 17:06:03 |
Thomas Ward |
nginx: status |
In Progress |
Fix Committed |
|
2014-10-22 17:58:35 |
Marc Deslauriers |
bug task added |
|
nginx (Ubuntu Precise) |
|
2014-10-22 17:58:41 |
Marc Deslauriers |
bug task added |
|
nginx (Ubuntu Trusty) |
|
2014-10-22 17:58:47 |
Marc Deslauriers |
bug task added |
|
nginx (Ubuntu Utopic) |
|
2014-10-22 17:58:55 |
Marc Deslauriers |
nginx (Ubuntu Utopic): status |
New |
Fix Released |
|
2014-10-24 14:24:17 |
Thomas Ward |
nginx: status |
Fix Committed |
Fix Released |
|
2014-10-29 11:56:36 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2021-10-14 16:07:00 |
Steve Langasek |
nginx (Ubuntu Precise): status |
New |
Won't Fix |
|