2015-10-12 18:08:02 |
Bryan Quigley |
bug |
|
|
added bug |
2015-10-12 18:08:12 |
Bryan Quigley |
information type |
Public |
Public Security |
|
2015-10-12 18:11:27 |
Thomas Ward |
cve linked |
|
2014-3566 |
|
2015-10-13 17:20:25 |
Seth Arnold |
tags |
|
poodle |
|
2015-10-20 20:39:53 |
Bryan Quigley |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1161171 |
|
2015-10-20 20:39:53 |
Bryan Quigley |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1161172 |
|
2015-11-02 16:23:41 |
Bryan Quigley |
attachment added |
|
debdiff for 14.04 https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
2015-11-02 16:24:03 |
Bryan Quigley |
nominated for series |
|
Ubuntu Trusty |
|
2015-11-02 19:38:59 |
Bryan Quigley |
attachment added |
|
now current debdiff (fixes accidentally included file) https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
2015-11-02 19:39:13 |
Bryan Quigley |
attachment removed |
debdiff for 14.04 https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511335/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
|
2015-11-02 20:19:55 |
Ubuntu Foundations Team Bug Bot |
tags |
poodle |
patch poodle |
|
2015-11-02 20:20:02 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2015-11-09 04:00:04 |
Mathew Hodson |
tags |
patch poodle |
patch poodle precise trusty |
|
2015-11-09 04:01:30 |
Mathew Hodson |
cups (Ubuntu): importance |
Undecided |
High |
|
2015-11-09 04:04:03 |
Mathew Hodson |
bug |
|
|
added subscriber Mathew Hodson |
2015-11-12 15:24:54 |
Bryan Quigley |
attachment added |
|
cups_1.7.2-0ubuntu1.7.debdiff https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4517582/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
2015-11-17 15:22:54 |
Bryan Quigley |
attachment removed |
now current debdiff (fixes accidentally included file) https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4511465/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
|
2015-11-17 20:59:23 |
Bryan Quigley |
description |
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on? |
[Impact]
* Cups in Trusty is vulnerable to the Poodle SSLv3 attack. This disables it by default.
* Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.
[Test Case]
* Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
* Same but specify SSLOptions to AllowSSL3 or AllowRC4.
[Regression Potential]
* One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.
* The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.
[Other Info]
* Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on? |
|
2015-11-17 21:04:35 |
Bryan Quigley |
description |
[Impact]
* Cups in Trusty is vulnerable to the Poodle SSLv3 attack. This disables it by default.
* Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.
[Test Case]
* Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
* Same but specify SSLOptions to AllowSSL3 or AllowRC4.
[Regression Potential]
* One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.
* The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.
[Other Info]
* Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on? |
[Impact]
* Cups in Trusty is vulnerable to the Poodle SSLv3 attack. This disables it by default.
* Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.
[Test Case]
* Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
* This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
* Same but specify SSLOptions to AllowSSL3 or AllowRC4.
[Regression Potential]
* One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.
* The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.
[Other Info]
* Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.
Original description:
On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.
Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
Upstream fix - https://www.cups.org/str.php?L4476
Should we disable sslv3 in the 12.04/14.04 cups by default and backport the option to turn it back on? |
|
2015-11-17 21:04:57 |
Bryan Quigley |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2015-11-17 21:08:42 |
Mathew Hodson |
bug watch removed |
https://bugzilla.redhat.com/show_bug.cgi?id=1161171 |
|
|
2015-11-17 23:20:07 |
Brian Murray |
bug task added |
|
cups (Ubuntu Trusty) |
|
2015-11-17 23:20:20 |
Brian Murray |
cups (Ubuntu Trusty): importance |
Undecided |
High |
|
2015-11-17 23:20:22 |
Brian Murray |
cups (Ubuntu Trusty): status |
New |
Triaged |
|
2015-11-17 23:43:10 |
Bryan Quigley |
cups (Ubuntu): status |
New |
Fix Released |
|
2015-11-18 00:04:24 |
Mathew Hodson |
removed subscriber Mathew Hodson |
|
|
|
2015-12-08 18:48:49 |
Bryan Quigley |
attachment added |
|
cups_1.7.2-0ubuntu1.7.debdiff https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328/+attachment/4531562/+files/cups_1.7.2-0ubuntu1.7.debdiff |
|
2015-12-11 18:43:22 |
Marc Deslauriers |
cups (Ubuntu Trusty): assignee |
|
Marc Deslauriers (mdeslaur) |
|
2015-12-16 17:26:57 |
Launchpad Janitor |
cups (Ubuntu Trusty): status |
Triaged |
Fix Released |
|
2015-12-16 17:36:01 |
Marc Deslauriers |
summary |
Cups SSL is vulernable to POODLE |
Cups SSL is vulnerable to POODLE |
|