*** This bug is a security vulnerability ***

Public security bug reported:

In order to close the recently disclosed security vulnerability in SSLv3 (CVE-2014-3566 a.k.a. POODLE), one needs to disable SSLv3 support. According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL, lighttpd gained support for doing so (config option "ssl.use-sslv3") in version 1.4.29. Because Ubuntu 12.04.5 LTS ships lighttpd 1.4.28, disabling SSLv3 seems impossible.

Attempting to use the "ssl.use-sslv3" setting results in the following error message being logged:

(server.c.961) WARNING: unknown config-key: ssl.use-sslv3 (ignored)

I suppose that the logical way to deal with this is to either backport the "ssl.use-sslv3" functionality to the 1.4.28 version shipped by Ubuntu 12.04.5 LTS, or to upgrade the shipped package to 1.4.29 or newer.

Tore

** Affects: lighttpd (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

--
https://bugs.launchpad.net/bugs/1381910

Title:
  Workaround for CVE-2014-3566 (POODLE) required
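
The failure mode in the report above (a security setting logged as unknown and ignored, so the server keeps running with SSLv3 enabled) can be checked for mechanically. The script below is an added example, not part of the bug report or of lighttpd; the function names, the timestamp prefix on the log lines and the sample log itself are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect an ssl.* setting that
# lighttpd ignored at startup, the situation described for 1.4.28 above.

# Print each distinct ssl.* key the error log reports as unknown and ignored.
ignored_ssl_keys() {  # $1: path to a lighttpd error log
    sed -n 's/.*WARNING: unknown config-key: \(ssl\.[A-Za-z0-9._-]*\) (ignored).*/\1/p' "$1" | sort -u
}

# Succeed if dotted numeric version $1 is at least $2.
version_at_least() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, h, "."); m = split(need, r, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > r[i] + 0) exit 0
            if (h[i] + 0 < r[i] + 0) exit 1
        }
        exit 0
    }'
}

# Return 0 only if the version knows ssl.use-sslv3 and no ssl.* key was ignored.
check_sslv3_setting() {  # $1: lighttpd version, $2: error log path
    status=0
    if ! version_at_least "$1" 1.4.29; then
        echo "lighttpd $1 predates ssl.use-sslv3 (added in 1.4.29)"
        status=1
    fi
    for key in $(ignored_ssl_keys "$2"); do
        echo "ignored at startup, not in effect: $key"
        status=1
    done
    return "$status"
}

# Constructed sample log; the timestamp prefix and first line are assumptions.
write_sample_log() {  # $1: output path
    cat > "$1" <<'EOF'
2014-10-16 09:12:01: (log.c.166) server started
2014-10-16 09:12:01: (server.c.961) WARNING: unknown config-key: ssl.use-sslv3 (ignored)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
check_sslv3_setting 1.4.28 "$sample" || echo "SSLv3 is NOT disabled on this server"
rm -f "$sample"
```

On a real host, pass the version reported by `lighttpd -v` and the path of the server's own error log instead of the sample file.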