I thought this was already done? I checked the packaging myself and this
change was already in there, or at least in git. (The default ssl stanza in
the config has SSLv3 dropped from the ciphers list in the git tree for the
Debian package already; I checked the commit logs myself.)


------
Thomas


> On Oct 31, 2014, at 03:37, Thijs Kinkhorst <th...@debian.org> wrote:
> 
> Package: nginx
> Version: 1.6.2-2
> Severity: important
> 
> Hi,
> 
> Please disable the legacy SSLv3 protocol by default for installations of
> nginx. It doesn't need to be disabled completely per se, but should not
> be available on a default installation.
> 
> This helps to defend against the recent "POODLE" attack (CVE-2014-3566).
> 
> Thanks,
> Thijs
> 

