On 14/10/14 at #4, John Andersen wrote:
On 10/14/2014 3:41 PM, Cristian Rodríguez wrote:
On 14/10/14 at #4, John Andersen wrote:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.
It is just a practical SSL downgrade attack, not a library bug but a protocol error.
It's a little more complex than a downgrade attack, because it relies on both the ability to negotiate a downgrade AND a vulnerability in SSL 3.0.
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploi...
I think we should patch all clients and servers to disable SSLv3 in *future* products. Maybe, just maybe, by axing SSLv3 support from OpenSSL completely. This may not be an optimum solution because there is a lot of broken stuff out there. I need to hear the security team's take on this before choosing a course of action for the distribution; for now it is prudent to disable SSLv3 in your browser of choice.
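The "protocol error" Cristian and John are talking about, as an added example that is not from this thread, from openSUSE or from OpenSSL: SSL 3.0 does not check the content of CBC padding bytes, only the final length byte. An attacker who can trigger requests that put one secret byte at the end of a cipher block, and that end in a full block of padding, copies that block's ciphertext over the last block. The server accepts the altered record whenever the decrypted last byte happens to equal 15, about once in 256 tries, and every acceptance leaks one plaintext byte. TLS 1.0 requires every padding byte to equal the length byte, which reduces the acceptance probability to 2^-128 and makes the same trick fail. The simulation below models only that second half of POODLE, not the fallback that forces a client down to SSL 3.0. It assumes a toy 16-byte Feistel cipher built on HMAC-SHA256 in place of the real block cipher, a truncated HMAC-SHA256 as the record MAC, a fresh random IV per record instead of SSL 3.0's chained IV, and a constructed secret `sid=7f3a`; none of these choices change the oracle.

```python
# POODLE padding-oracle simulation. Added example, not code from the thread,
# openSUSE or OpenSSL; the cipher, MAC and per-record IV are stand-ins (see lead-in).
import hashlib
import hmac
import random

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 16  # record MAC length (constructed: truncated HMAC-SHA256)
ROUNDS = 8    # rounds of the toy Feistel cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    """Feistel round function: keyed hash of one half, truncated to half a block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, blocks[j]), blocks[j - 1])
                    for j in range(1, len(blocks)))

def encrypt_record(key, mac_key, data, iv):
    """MAC-then-encrypt as in SSL 3.0 / TLS 1.0: data || MAC || padding || padlen.
    Padding bytes are set to padlen, which both protocols accept."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    padlen = (-(len(body) + 1)) % BLOCK
    return iv + cbc_encrypt(key, iv, body + bytes([padlen]) * (padlen + 1))

def decrypt_record(key, mac_key, record, check_padding_bytes):
    """Return the data, or None when the record is rejected.
    check_padding_bytes=False is the SSL 3.0 rule: only the length byte is validated.
    check_padding_bytes=True is the TLS 1.0 rule: every padding byte must equal padlen."""
    pt = cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    if padlen >= BLOCK or len(pt) < padlen + 1 + MAC_LEN:
        return None
    if check_padding_bytes and any(b != padlen for b in pt[-(padlen + 1):-1]):
        return None
    body = pt[:len(pt) - padlen - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return data if hmac.compare_digest(mac, expected) else None

def poodle_recover(secret, key, mac_key, check_padding_bytes, rng, max_attempts=8192):
    """Attacker model: chooses how many bytes precede and follow a secret it cannot read
    (a cookie in JS-triggered requests), sees every encrypted record, and may submit
    altered records to a server that only answers accept/reject. Returns the recovered
    secret, or None once a byte survives max_attempts."""
    recovered = bytearray()
    for k in range(len(secret)):
        prefix_len = (BLOCK - 1 - k) % BLOCK                          # secret[k] ends block tb
        suffix_len = (-(prefix_len + len(secret) + MAC_LEN)) % BLOCK  # forces a full padding block
        tb = (prefix_len + k) // BLOCK
        found = None
        for _ in range(max_attempts):
            iv = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
            rec = encrypt_record(key, mac_key, b"A" * prefix_len + secret + b"B" * suffix_len, iv)
            c = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # c[0] is the IV
            n = len(c) - 1
            forged = b"".join(c[:n] + [c[tb + 1]])  # overwrite the last block with C_{tb+1}
            if decrypt_record(key, mac_key, forged, check_padding_bytes) is not None:
                # Accepted, so D(C_{tb+1}) ^ C_{n-1} ends in BLOCK-1; with
                # P[tb] = D(C_{tb+1}) ^ C_tb that gives P[tb][-1] = (BLOCK-1) ^ C_tb[-1] ^ C_{n-1}[-1]
                found = (BLOCK - 1) ^ c[tb][-1] ^ c[n - 1][-1]
                break
        if found is None:
            return None
        recovered.append(found)
    return bytes(recovered)

def demo(seed=2014):
    """Run the attack under both padding rules; returns (ssl3_result, tls_result)."""
    rng = random.Random(seed)
    key, mac_key = (rng.getrandbits(256).to_bytes(32, "big") for _ in range(2))
    secret = b"sid=7f3a"  # constructed stand-in for a session cookie
    return (poodle_recover(secret, key, mac_key, False, rng),
            poodle_recover(secret, key, mac_key, True, rng, max_attempts=512))

if __name__ == "__main__":
    print(demo())  # -> (b'sid=7f3a', None)
```

Under the SSL 3.0 rule the whole secret comes back after roughly 256 forged records per byte; under the TLS 1.0 rule the same forgeries are all rejected and `poodle_recover` gives up. Note what the fix is not: the cipher and the MAC are untouched in both runs, which is why this is a protocol problem that OpenSSL cannot patch away while SSLv3 stays negotiable.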