Date: Sat, 26 Dec 2015 14:02:26 +0000
From: Sevan Janiyan <venture37@...klan.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: Being vulnerable to POODLE



On 26/12/2015 11:05, Gsunde Orangen wrote:
> Nope, it is not a vulnerability specific to OpenSSL, but a design
> weakness in the SSLv3 protocol - so all implementations of SSLv3 are
> affected. I would use the same CVE-2014-3566 for all software that still
> uses SSLv3.
> This is different to "POODLE TLS", where some implementations (but not
> OpenSSL) contained a similar vulnerability in their implementation of
> the TLS 1.0 protocol (although the TLS 1.0 standard itself does not have
> it). In this case different CVE IDs are suggested - see Mitre's
> statement at [1]
> "POODLE TLS" is referenced in multiple CVEs, see [2]
> 
> [1] http://seclists.org/oss-sec/2014/q4/1003
> [2] https://web.nvd.nist.gov/view/vuln/search-results?query=poodle%20tls

Ok, so in this case, changing the source code to set the context options
to exclude SSLv2 & v3 was all that was made. The code base is a consumer
of the OpenSSL API & relies on that to establish SSL, it does not
implement any crypto itself locally.



Sevan
