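*** This bug is a security vulnerability ***

Public security bug reported:

This is a report on the state of the ZNC package in Ubuntu.

Currently, the ZNC package is vulnerable to CVE-2014-3566 and the POODLE vulnerability. It does not disable SSLv3 and does not permit an individual to change what is or is not enabled in SSL protocols.

An upstream ZNC issue was opened on this issue, requesting that the insecure SSLv2 and SSLv3 are disabled, as well as a request to be able to specify the SSL Ciphers to be used. That issue is at https://github.com/znc/znc/issues/621.

https://github.com/jpnurmi/znc/commit/954f22ccc0ee8a77ed96756e154993dc9e8402af is the relevant code commit which fixes the SSLv3 support issue and disables SSLv2 and SSLv3.

The related CVE is the OpenSSL POODLE vulnerability - CVE-2014-3566. All versions of the ZNC software are affected at this time.

** Affects: znc (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566

-- 
https://bugs.launchpad.net/bugs/1389264

Title:
  ZNC SSL listeners are vulnerable to POODLE.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs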
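
An added example, not part of the bug report or of ZNC's code: a check a packager could run on the first record a listener sends back when it is offered only SSLv3, to confirm whether SSLv3 is still negotiated after the fix. The function names and the sample records are constructed for illustration.

```python
import struct

# Record-layer constants and on-the-wire (major, minor) version pairs.
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2+"}  # TLS 1.3 also sends 3.3 here


def negotiated_version(record: bytes) -> str:
    """Version the server selected, read from its first reply record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype == ALERT:
        return "refused"  # the offer was answered with an alert, no handshake
    if ctype != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # Handshake header is type(1) + length(3); server_version(2) follows.
    return VERSIONS.get((body[4], body[5]), f"unknown {body[4]}.{body[5]}")


def accepts_sslv3(reply_to_sslv3_only_offer: bytes) -> bool:
    """True if the listener still negotiates SSLv3 (the CVE-2014-3566 surface)."""
    return negotiated_version(reply_to_sslv3_only_offer) == "SSLv3"


def sample_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample reply: version, 32-byte random, empty session id,
    cipher suite 0x002f, null compression."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake


# Constructed sample: fatal alert (level 2, handshake_failure 40).
SAMPLE_ALERT = struct.pack("!BBBH", ALERT, 3, 1, 2) + b"\x02\x28"

if __name__ == "__main__":
    # Labels are illustrative: one reply that selects SSLv3, one that refuses it.
    for name, rec in [("sslv3-enabled", sample_server_hello(3, 0)),
                      ("sslv3-disabled", SAMPLE_ALERT)]:
        print(name, negotiated_version(rec), accepts_sslv3(rec))
```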
This is a report on the state of the ZNC package in Ubuntu. Currently, the ZNC package is vulnerable to CVE-2014-3566 and the POODLE vulnerability. It does not disable SSLv3 and does not permit an individual to change what is or is not enabled in SSL protocols. An upstream ZNC issue was opened on this issue, requesting that the insecure SSLv2 and SSLv3 are disabled, as well as a request to be able to specify the SSL Ciphers to be used. That issue is at https://github.com/znc/znc/issues/621. https://github.com/jpnurmi/znc/commit/954f22ccc0ee8a77ed96756e154993dc9e8402af is the relevant code commit which fixes the SSLv3 support issue and disables SSLv2 and SSlv3. The related CVE is the OpenSSL POODLE vulnerability - CVE-2014-3566. All versions of the ZNC software are affected at this time. ** Affects: znc (Ubuntu) Importance: Undecided Status: Confirmed ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-3566 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1389264 Title: ZNC SSL listeners are vulnerable to POODLE. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/znc/+bug/1389264/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs