Vincent Lefevre:
>
> Why hasn't there been a security update of apache2 concerning SSLv3,
> making users vulnerable to POODLE when they use a client supporting
> SSLv3?

I think that is a difficult thing to do. We are talking about an unsafe
default configuration which may have been changed by the local admin.
Debian maintainers have no way to enforce this (short of disabling
compile-time parameters) and I don't think it would be a good idea to do
any of that.

If Debian stable suddenly stopped supporting SSLv3, many sites would
break for users with legacy software. I don't think Debian should
unilaterally decide to do that -- even if it puts users at risk.

But it's an interesting corner case. You could also argue that new
installations should not get that vulnerable default config which would
mean the package would need to receive an update.

J.
-- 
Scientists know what they are talking about.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
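The message above turns on a configuration detail: whether the local `SSLProtocol` setting (possibly edited by the admin, possibly still the shipped default) leaves SSLv3 enabled. The following script is an added example, not code from this thread or from the Debian apache2 package. It models a simplified version of Apache mod_ssl's `SSLProtocol` semantics (unprefixed tokens enable a protocol, `all` expands to every protocol, `+X`/`-X` add or remove one) and audits a constructed config fragment for SSLv3 exposure. The "weak default" value `SSLProtocol all -SSLv2` is an assumption for illustration; the thread itself does not quote the shipped directive.

```python
"""Audit Apache SSLProtocol directives for SSLv3 exposure (POODLE).

Added example for the debian-security thread on apache2 and SSLv3; not
from the mailing list or the apache2 package. It implements a simplified
model of mod_ssl's SSLProtocol parsing:
  - an unprefixed token enables that protocol,
  - "all" expands to every protocol mod_ssl knows,
  - "+NAME" enables and "-NAME" disables a single protocol.
"""
import re

# Protocol names mod_ssl accepts (TLSv1.3 only in newer releases); the map
# lets us match tokens case-insensitively and report canonical names.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {name.lower(): name for name in ALL_PROTOCOLS}

# Assumed weak default beside its hardened form (illustrative values).
WEAK_DEFAULT = "SSLProtocol all -SSLv2"
HARDENED = "SSLProtocol all -SSLv2 -SSLv3"

SSLPROTO_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample config: a global directive still at the weak default
# and one vhost the admin has already hardened.
SAMPLE_CONFIG = """\
# constructed sample ssl configuration
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""


def enabled_protocols(directive_value):
    """Return the set of protocols an SSLProtocol value leaves enabled."""
    enabled = set()
    for token in directive_value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = ALL_PROTOCOLS
        else:
            # Unknown tokens are ignored, as they would fail Apache's own parser.
            name = CANONICAL.get(token.lower())
            names = (name,) if name else ()
        for name in names:
            if sign == "+":
                enabled.add(name)
            else:
                enabled.discard(name)
    return enabled


def audit_config(config_text):
    """Scan config text; return (line_no, value, sslv3_enabled) per directive.

    Full-line '#' comments are skipped; Apache does not allow trailing
    comments, so no inline-comment handling is attempted.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = SSLPROTO_RE.match(line)
        if match:
            value = match.group(1)
            sslv3_on = "SSLv3" in enabled_protocols(value)
            findings.append((line_no, value, sslv3_on))
    return findings


if __name__ == "__main__":
    for line_no, value, sslv3_on in audit_config(SAMPLE_CONFIG):
        status = "SSLv3 ENABLED (POODLE-exposed)" if sslv3_on else "ok"
        print(f"line {line_no}: SSLProtocol {value} -> {status}")
```

Run against a real deployment by feeding it the concatenated contents of the relevant `sites-enabled` and `mods-enabled` files; a directive inside a `<VirtualHost>` overrides the global one for that host, so each finding should be read in the context of the block it sits in.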

