[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Fixed in lighttpd 1.4.29 release Jun 2011, over 9 years ago.
https://redmine.lighttpd.net/issues/2246

** Bug watch added: redmine.lighttpd.net/issues #2246
   https://redmine.lighttpd.net/issues/2246

** Changed in: lighttpd (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1381910

Title:
  Workaround for CVE-2014-3566 (POODLE) required

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1381910/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Bug still exists. Need a backport.

@gstrauss Adding :!SSLv2:!SSLv3 with the cipher-list

ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SSLv2:!SSLv3"

will cause a "No Cipher can be used" error.
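Added example, not part of the thread and not lighttpd's own code: a small audit of lighttpd.conf text for the two settings this thread turns on. It assumes the 1.4.29 fix referenced above is the `ssl.use-sslv3` directive (the thread does not name it) and relies on OpenSSL's cipher-string syntax, in which `SSLv3` names a group of cipher suites rather than the protocol; the sample config and its pemfile path are constructed.

```python
import re

# Constructed sample: the workaround attempted in the thread, cipher string shortened.
SAMPLE_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!SSLv2:!SSLv3"
}
'''

DIRECTIVE = re.compile(r'^\s*(ssl\.[\w.-]+)\s*=\s*"([^"]*)"', re.M)
# In an OpenSSL cipher string these keywords select cipher suites by the
# protocol version that introduced them; they are not protocol switches.
PROTO_KEYWORDS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.2"}


def strip_comments(conf):
    """Drop '#' comments (assumes no audited ssl.* value contains a '#')."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def audit(conf):
    """Return a sorted list of findings for the SSLv3 (POODLE) settings."""
    settings = {}
    for key, value in DIRECTIVE.findall(strip_comments(conf)):
        settings.setdefault(key, []).append(value)
    findings = []
    if "enable" not in settings.get("ssl.engine", []):
        return findings  # no TLS listener configured, nothing to check
    # Conservative: require an explicit "disable" instead of trusting the
    # default, which this script cannot know for the installed version.
    values = settings.get("ssl.use-sslv3", [])
    if not values or any(v != "disable" for v in values):
        findings.append('ssl.use-sslv3 is not set to "disable" everywhere')
    for cipher_list in settings.get("ssl.cipher-list", []):
        for token in re.split(r"[:, ]+", cipher_list):
            if token[:1] in ("!", "-") and token[1:].upper() in PROTO_KEYWORDS:
                findings.append(f"cipher-list token {token} removes cipher "
                                "suites, not the protocol")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```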
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Solution: adjust ssl.cipher-list in lighttpd.conf

See also https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/645002

Recommended reading: https://cipherli.st/
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
** Changed in: lighttpd (Ubuntu)
   Importance: Undecided => Medium

** Tags added: precise

** Tags added: poodle
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Not sure if this helps against the Ubuntu patchset; but as a Debian Squeeze user I've backported the required code from 1.4.29 to get this config working for me :)

https://github.com/matjohns/squeeze-lighttpd-poodle

~Mat
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Hello; we'll need the same kind of backporting to 10.04. This is a very unusual problem as it's the protocol and not the program that's flawed.

I don't know if it's planned too, and if it needs a separate ticket. Please advise. Thanks :)
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
[Bug 1381910] Re: Workaround for CVE-2014-3566 (POODLE) required
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lighttpd (Ubuntu)
       Status: New => Confirmed