fixed 1.6.2-3
thanks

Confirmed: This was done already. The commit this was done in was this one:
http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?id=9a4e0f0a698bee2b03b7f417ad9286e5eb22141e

1.6.2-3, which had this fix already, was uploaded and accepted to Unstable on 2014-10-16, according to the package tracker (https://packages.qa.debian.org/n/nginx.html). This is confirmed in the 1.6.2-4 changelog in Unstable (http://metadata.ftp-master.debian.org/changelogs/main/n/nginx/unstable_changelog). Dissection of the package 1.6.2-4 also shows that the default SSL stanza has an ssl_protocols line of `ssl_protocols TLSv1 TLSv1.1 TLSv1.2`. Coupled with the OpenSSL updates made by the Debian security team to support TLS_FALLBACK_SCSV to prevent the protocol downgrade attack from TLSv1 to SSLv3, POODLE is effectively mitigated with the now-default config stanzas for SSL.

(This assumes also that a user is using the default SSL config sections. A large portion of (albeit newer) users do use the default config stanzas, or at least use it as a base, and it can be argued that competent administrators will already disable the vulnerable protocols in their own site configs separately.)

------
Thomas Ward

On Fri, Oct 31, 2014 at 7:28 AM, Thomas Ward <tew...@dark-net.net> wrote:
> I thought this was already done? I checked the packaging myself and this
> change was already in there, or at least in git. (The default ssl stanza in
> the config has SSLv3 dropped from the ciphers list in the git tree for the
> Debian package already; I checked the commit logs myself.)
>
> ------
> Thomas
>
>> On Oct 31, 2014, at 03:37, Thijs Kinkhorst <th...@debian.org> wrote:
>>
>> Package: nginx
>> Version: 1.6.2-2
>> Severity: important
>>
>> Hi,
>>
>> Please disable the legacy SSLv3 protocol by default for installations of
>> nginx. It doesn't need to be disabled completely per se, but should not
>> be available on a default installation.
>>
>> This helps to defend against the recent "POODLE" attack (CVE-2014-3566).
>>
>> Thanks,
>> Thijs
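An audit helper, added here and not part of the bug report or of the Debian packaging, that walks an nginx config with the same http-to-server inheritance nginx applies and reports which server blocks still have SSLv3 in their effective ssl_protocols; the config it scans is a constructed sample, and the function name is my own.

```python
import re

# Constructed sample, not a real site's config: the http-level directive still
# lists SSLv3; the first server inherits it, the second overrides it with the
# hardened line that became the Debian 1.6.2-4 default.
SAMPLE_CONF = """
http {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # POODLE-exposed
    server { listen 443 ssl; server_name legacy.example; }
    server {
        listen 443 ssl;
        server_name hardened.example;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

def audit_ssl_protocols(conf):
    """Map each server_name to 'sslv3-enabled', 'ok' or 'unset'.

    Follows nginx inheritance (a server{} without its own directive uses the
    http{} value); 'unset' means neither sets it, so the compiled-in default
    decides (nginx 1.6 still listed SSLv3). Comments are stripped naively.
    """
    text = re.sub(r'#[^\n]*', '', conf)
    tokens = re.findall(r'[{};]|[^\s{};]+', text)
    results, stmt = {}, []
    scopes = [{'protocols': None, 'name': None, 'is_server': False}]
    for tok in tokens:
        if tok == '{':
            scopes.append({'protocols': scopes[-1]['protocols'], 'name': None,
                           'is_server': bool(stmt) and stmt[0] == 'server'})
            stmt = []
        elif tok == '}':
            scope = scopes.pop()
            if scope['is_server']:
                protos = scope['protocols']
                verdict = ('unset' if protos is None else
                           'sslv3-enabled' if 'sslv3' in protos else 'ok')
                results[scope['name'] or '<unnamed>'] = verdict
            stmt = []
        elif tok == ';':
            if stmt and stmt[0] == 'ssl_protocols':
                scopes[-1]['protocols'] = {p.lower() for p in stmt[1:]}
            elif stmt and stmt[0] == 'server_name' and len(stmt) > 1:
                scopes[-1]['name'] = stmt[1]
            stmt = []
        else:
            stmt.append(tok)
    return results
```

Run it over the files in /etc/nginx/sites-enabled after an upgrade to confirm no site-local stanza still re-enables SSLv3 below the new default.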