Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 26 Dec 2015 14:02:26 +0000
From: Sevan Janiyan <>
Subject: Re: Being vulnerable to POODLE

On 26/12/2015 11:05, Gsunde Orangen wrote:
> Nope, it is not a vulnerability specific to OpenSSL, but a design
> weakness in the SSLv3 protocol - so all implementations of SSLv3 are
> affected. I would use the same CVE-2014-3566 for all software that still
> uses SSLv3.
> This is different to "POODLE TLS", where some implementations (but not
> OpenSSL) contained a similar vulnerability in their implementation of
> the TLS 1.0 protocol (although the TLS 1.0 standard itself does not have
> it). In this case different CVE IDs are suggested - see Mitre's
> statement at [1]
> "POODLE TLS" is references in multiple CVEs, see [2]
> [1]
> [2]

Ok, so in this case, changing the source code to set the context options
to exclude SSLv2 & v3 was all that was made. The code base is a consumer
of the OpenSSL API & relies on that to establish SSL, it does not
implement any crypto itself locally.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.