nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE

Bug #1383379 reported by Thomas Ward
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Nginx
Fix Released
Medium
Thomas Ward
nginx (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Won't Fix
Undecided
Unassigned
Trusty
New
Undecided
Unassigned
Utopic
Fix Released
Undecided
Unassigned

Bug Description

The included `default` config file contains a commented-out section for SSL.

That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.

Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?

------

NGINX Project:
In the PPAs, this affects all versions of the package in both Stable and Mainline.

------

Ubuntu Project:

In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.

This change was already made/committed in Debian Unstable.

Tags: patch poodle
Thomas Ward (teward)
summary: - nginx default config has SSLv3 enabled, makes things vulnerable to
- POODLE
+ nginx default config has SSLv3 enabled, makes sites using default config
+ options vulnerable to POODLE
Changed in nginx:
status: New → Confirmed
description: updated
description: updated
Thomas Ward (teward)
description: updated
description: updated
Changed in nginx:
assignee: nobody → Thomas Ward (teward)
Robie Basak (racb)
tags: added: poodle
Revision history for this message
Thomas Ward (teward) wrote :

In discussion with mdeslaur on IRC, I'm attaching DebDiffs for Ubuntu in the off chance the release team wishes to push these changes.

A few extra details as to why this is extremely relevant to being pushed and updated: A lot of newbie users that we see in the NGINX IRC channel for support end up using the default configuration file(s) as a template/law for their sites, and we end up seeing them just uncomment the SSL portion and use it. That opens them up to the POODLE vulnerability.

Upstream, in Debian, this was revised per POODLE so newbies wouldn't be exposing themselves to vulnerability, hence the rationale for this perhaps being pushed/updated. Unfortunately, all versions of nginx (including Lucid, which is being ignored intentionally) are impacted by POODLE and SSLv3, so it's better to just remove the SSLv3 protocol from the ssl_protocols line, mainly to prevent newbies from making their systems open to attack.

Revision history for this message
Thomas Ward (teward) wrote :
Revision history for this message
Thomas Ward (teward) wrote :
Revision history for this message
Thomas Ward (teward) wrote :

NOTE: I didn't know where to target this for Utopic, so I just targeted it to 'utopic'. Please change that if it is not valid.

Changed in nginx:
status: Confirmed → In Progress
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Precise Debdiff for Ubuntu" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Thomas Ward (teward) wrote :

(nginx project)
Updated packages uploaded to the staging PPA, pending building.

Changed in nginx:
status: In Progress → Fix Committed
Changed in nginx (Ubuntu Utopic):
status: New → Fix Released
Revision history for this message
Thomas Ward (teward) wrote :

Fixed in latest NGINX upload to the PPAs.

Changed in nginx:
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in nginx (Ubuntu Precise):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers