[ https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14199883#comment-14199883 ]
Vikas Mayur edited comment on OFBIZ-5848 at 11/6/14 6:29 AM:
-------------------------------------------------------------

Two Questions on how we handle security vulnerabilities:

1. Should we also update the information on the news section on the site for such security/critical fixes?
2. Does it affect the regular release cycle in any manner or should we have a different release strategy for such bugs. The bug will be fixed with release 12.04.06 and 13.07.02 but that won't be happening in next 4-5 months.

Pardon me if it's already discussed but I don't find any information in the archives.

was (Author: vikasmayur):
Two Questions on security vulnerabilities:

1. Should we also update the information on the news section on the site for such security/critical fixes?
2. Does it affect the regular release cycle in any manner or should we have a different release strategy for such bugs. The bug will be fixed with release 12.04.06 and 13.07.02 but that won't be happening in next 4-5 months.

Pardon me if it's already discussed but I don't find any information in the archives.

> Poodle-disable sslv3
> --------------------
>
>                 Key: OFBIZ-5848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>         Environment: unix
>            Reporter: Poodle Fixer
>            Assignee: Jacques Le Roux
>            Priority: Critical
>              Labels: patch, security
>             Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>
> Hi there--
> This topic seemed relevant because it is a major security issue that recently
> came up and will affect many ecommerce sites for ofbiz.
> I am in process of trying to disable sslv3 on our version of
> ofbiz uses tomcat 6.
> This is to eliminate the security vulnerability from poodle bleed.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> We have tried updating the ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
> I have also seen fixes that update server.xml with something similar.
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1"/>
> Has anyone else had luck fixing the poodle issue on Apache ofbiz?
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks!
> The Poodle fixer :)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)