Date: Sat, 26 Dec 2015 12:05:37 +0100 From: Gsunde Orangen <gsunde.orangen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Being vulnerable to POODLE On 26.12.2015, 11:41 gremlin@...mlin.ru wrote: > On 2015-12-26 07:28:52 +0000, Sevan Janiyan wrote: > > > Hi, If you have a piece of software which is vulnerable to POODLE, > > should a CVE be requested for it or should CVE-2014-3566 just be > > referenced in any advisories published? > > The POODLE is an OpenSSL vulnerability, so referencing CVE-2014-3566 > should be enough. Nope, it is not a vulnerability specific to OpenSSL, but a design weakness in the SSLv3 protocol - so all implementations of SSLv3 are affected. I would use the same CVE-2014-3566 for all software that still uses SSLv3. This is different to "POODLE TLS", where some implementations (but not OpenSSL) contained a similar vulnerability in their implementation of the TLS 1.0 protocol (although the TLS 1.0 standard itself does not have it). In this case different CVE IDs are suggested - see Mitre's statement at  "POODLE TLS" is references in multiple CVEs, see   http://seclists.org/oss-sec/2014/q4/1003  https://web.nvd.nist.gov/view/vuln/search-results?query=poodle%20tls > > > It turns out that CoovaChilli is vulnerable to POODLE & I'd > > like to follow the correct procedure regarding disclosure. There's > > a fix pending due to needing further testing at which point an > > advisory will be published with the necessary details. > > Does the update of OpenSSL eliminate this vulnerability? No - see above... Gsunde
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ