Bug ID | 901968 |
---|---|
Summary | serf / libserf supports insecure SSL protocol versions |
Classification | openSUSE |
Product | openSUSE 13.1 |
Version | Final |
Hardware | Other |
OS | Other |
Status | CONFIRMED |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | Andreas.Stieger@gmx.de |
Reporter | Andreas.Stieger@gmx.de |
QA Contact | qa-bugs@suse.de |
CC | security-team@suse.de |
Found By | --- |
Blocker | --- |
From https://serf.googlecode.com/svn/tags/1.3.8/CHANGES

> Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
> Fix issue #152: CRC calculation error for gzipped http responses > 4GB.
> Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
> Fix issue #154: Disable SSLv2 and SSLv3 as both are broken.

Patches for previous releases:

https://code.google.com/p/serf/source/detail?r=2313

> Disable the use of deprecated and broken SSL 2.0.
>
> * buckets/ssl_buckets.c
> (ssl_init_context): Disable SSLv2.

https://code.google.com/p/serf/source/detail?r=2433

> Disable SSLv3 support (POODLE).
>
> * buckets/ssl_buckets.c
> (ssl_init_context): Disable SSLv3, like already done for SSLv2.

Current versions:

openSUSE 12.3: serf 1.1.1 (to be patched as above on buckets/ssl_buckets.c only)
openSUSE 13.1: serf 1.3.7 (straight update)
openSUSE 13.2: serf 1.3.7 (straight update)