Bug ID 901968
Summary serf / libserf supports insecure SSL protocol versions
Classification openSUSE
Product openSUSE 13.1
Version Final
Hardware Other
OS Other
Status CONFIRMED
Severity Normal
Priority P5 - None
Component Security
Assignee Andreas.Stieger@gmx.de
Reporter Andreas.Stieger@gmx.de
QA Contact qa-bugs@suse.de
CC security-team@suse.de
Found By ---
Blocker ---

From https://serf.googlecode.com/svn/tags/1.3.8/CHANGES
> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
> Fix issue #152: CRC calculation error for gzipped http responses > 4GB.
> Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
> Fix issue #154: Disable SSLv2 and SSLv3 as both are broken.

Patches for previous releases:

https://code.google.com/p/serf/source/detail?r=2313
> Disable the use of deprecated and broken SSL 2.0.
> 
> * buckets/ssl_buckets.c
>   (ssl_init_context): Disable SSLv2.

https://code.google.com/p/serf/source/detail?r=2433
> Disable SSLv3 support (POODLE).
> 
> * buckets/ssl_buckets.c
>   (ssl_init_context): Disable SSLv3, like already done for SSLv2.
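As an added illustration (not serf's code, which does this through the OpenSSL C API in buckets/ssl_buckets.c), the same hardening expressed with Python's standard ssl module: the option bits correspond to SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 from the two commits above, and a small check reports which legacy versions a context still allows before it is used. Raising the floor to TLS 1.2 and the host/port in connect_checked are assumptions beyond the page.

```python
import socket
import ssl

# Legacy versions the serf commits r2313 and r2433 disable, keyed by the
# option bit Python exposes for each (SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3).
LEGACY_PROTOCOLS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
}
# The mask the patched ssl_init_context sets.
NO_LEGACY = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def legacy_protocols_enabled(options: int) -> list:
    """Names of legacy SSL versions NOT disabled by an options bitmask.

    The bitmask is what SSL_CTX_get_options() / SSLContext.options reports.
    Edge case: OpenSSL 1.1.0+ removed SSLv2 entirely and defines
    SSL_OP_NO_SSLv2 as 0; a zero flag means the library cannot speak that
    version at all, so it is never reported as enabled.
    """
    return [name for name, flag in LEGACY_PROTOCOLS.items()
            if flag and not options & flag]


def harden_client_context() -> ssl.SSLContext:
    """Build a client context the way the patched ssl_init_context does.

    Python already sets these bits on new contexts; setting them explicitly
    documents the intent. Requiring TLS 1.2 as the floor goes beyond the
    serf patch (assumption: the peers we talk to support it).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= NO_LEGACY
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def connect_checked(host: str, port: int = 443) -> str:
    """Connect only if the context passes the legacy check; return the
    negotiated protocol name (e.g. 'TLSv1.3'). host/port are assumptions."""
    ctx = harden_client_context()
    leftover = legacy_protocols_enabled(ctx.options)
    if leftover:
        raise RuntimeError("context still allows: " + ", ".join(leftover))
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened:", legacy_protocols_enabled(harden_client_context().options))
    # Pre-r2313 state simulated as a bitmask with neither bit set.
    print("unpatched:", legacy_protocols_enabled(0))
```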

Current versions:
openSUSE 12.3: serf 1.1.1 (to be patched as above on buckets/ssl_buckets.c only)
openSUSE 13.1: serf 1.3.7 (straight update)
openSUSE 13.2: serf 1.3.7 (straight update)
