[Bug 901968] New: serf / libserf supports insecure SSL protocol versions
http://bugzilla.opensuse.org/show_bug.cgi?id=901968

Bug ID: 901968
Summary: serf / libserf supports insecure SSL protocol versions
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Hardware: Other
OS: Other
Status: CONFIRMED
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: Andreas.Stieger@gmx.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

From https://serf.googlecode.com/svn/tags/1.3.8/CHANGES

Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
  Fix issue #152: CRC calculation error for gzipped http responses > 4GB.
  Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
  Fix issue #154: Disable SSLv2 and SSLv3 as both are broken.

Patches for previous releases:

https://code.google.com/p/serf/source/detail?r=2313
Disable the use of deprecated and broken SSL 2.0.
* buckets/ssl_buckets.c (ssl_init_context): Disable SSLv2.
https://code.google.com/p/serf/source/detail?r=2433
Disable SSLv3 support (POODLE).
* buckets/ssl_buckets.c (ssl_init_context): Disable SSLv3, like already done for SSLv2.

Current versions:
openSUSE 12.3: serf 1.1.1 (to be patched as above on buckets/ssl_buckets.c only)
openSUSE 13.1: serf 1.3.7 (straight update)
openSUSE 13.2: serf 1.3.7 (straight update)