On 10/14/2014 6:30 PM, Cristian Rodríguez wrote:
On 14/10/14 at #4, John Andersen wrote:
On 10/14/2014 3:41 PM, Cristian Rodríguez wrote:
On 14/10/14 at #4, John Andersen wrote:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.
It is just a practical SSL downgrade attack, not a library bug but a protocol error.
It's a little more complex than a downgrade attack, because it relies on both the ability to negotiate a downgrade AND a vulnerability in SSL 3.0.
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploi...
I think we should patch all clients and servers to disable SSLv3 in *future* products, maybe... just maybe, by axing SSL v3 support from openSSL completely. This may not be an optimum solution because there is a lot of broken stuff out there. I need to hear the security team's take on this before choosing a course of action for the distribution; for now it is prudent to disable SSLv3 in your browser of choice.
Apparently there are fixes available for this already, but it turns out there is even more to worry about: http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/ Is LibreSSL an option yet?
--
---This space for rent---
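The two conditions the thread identifies (a client that falls back to older protocol versions when a handshake fails, and a server that still accepts SSL 3.0) can be made concrete with a small model. The following is an added example, not code from the thread or from openSUSE/OpenSSL: the `negotiate` function is a constructed model of the fallback dance (the version list and the "interference" counter are assumptions of the model, not a real TLS implementation), and `hardened_client_context` uses Python's standard `ssl` module (assumes Python 3.7 or newer) to show the setting that keeps SSL 3.0 out of the negotiation entirely.

```python
"""Model of the protocol fallback that a downgrade attack exploits, and the
client-side setting that removes SSL 3.0 from the picture.

Two independent conditions are modelled:
  1. a client that retries with an older protocol version whenever a
     handshake fails (it cannot distinguish an attacker breaking the
     handshake from a server that simply does not support the version), and
  2. a server that still accepts SSL 3.0.
Removing either condition means the connection never lands on SSL 3.0.
"""
import ssl

# Constructed version ordering for the model, newest first.
CLIENT_OFFERS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]


def negotiate(client_offers, server_accepts, interference=0):
    """Return the version a fallback-dance client ends up using, or None.

    client_offers:  versions the client will try, newest first.
    server_accepts: versions the server is configured to accept.
    interference:   number of leading handshake attempts an on-path attacker
                    breaks; each broken attempt makes the client fall back
                    one version (assumption of the model).
    """
    for attempt, version in enumerate(client_offers):
        if attempt < interference:
            continue  # handshake broken on the wire; client falls back
        if version in server_accepts:
            return version
        # genuine rejection by the server: client falls back as well
    return None


def downgrade_to_sslv3_possible(server_accepts, fallback_client=True):
    """True if some amount of interference drives the session onto SSLv3."""
    offers = CLIENT_OFFERS if fallback_client else CLIENT_OFFERS[:1]
    return any(
        negotiate(offers, server_accepts, interference=i) == "SSLv3"
        for i in range(len(offers))
    )


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2.

    Setting minimum_version is the modern spelling; older Python releases
    used ctx.options |= ssl.OP_NO_SSLv3 for the same effect.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    permissive = set(CLIENT_OFFERS)           # server still accepts SSLv3
    strict = set(CLIENT_OFFERS) - {"SSLv3"}   # server with SSLv3 disabled
    print("server accepts SSLv3, fallback client:",
          downgrade_to_sslv3_possible(permissive))
    print("server refuses SSLv3, fallback client:",
          downgrade_to_sslv3_possible(strict))
    print("server accepts SSLv3, client without fallback:",
          downgrade_to_sslv3_possible(permissive, fallback_client=False))
    print("hardened client minimum version:",
          hardened_client_context().minimum_version)
```

The model makes the thread's point explicit: with a server that still accepts SSLv3, an attacker who breaks three handshakes in a row lands the fallback client on SSLv3; disabling SSLv3 on either side turns the same interference into a failed connection rather than a weakened one.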