Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
As per #779082, ircd-hybrid in wheezy (when recompiled to support SSL) currently listens on SSLv3, which could be exposing a risk of a POODLE attack. The patch to disable SSLv3 is simple, and I've attached a tested package diff. The Debian security team treats this as a no-dsa issue. Please let me know if it's okay to upload.

Thanks,
Dominic.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
diff --git a/debian/changelog b/debian/changelog index eeaac9d..8d038f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ircd-hybrid (1:7.2.2.dfsg.2-10+deb7u1) stable; urgency=medium + + * Disable SSLv3 to mitigate against the POODLE vulnerability + (Closes: #767026) + + -- Dominic Hargreaves <d...@earth.li> Sun, 05 Apr 2015 18:33:33 +0100 + ircd-hybrid (1:7.2.2.dfsg.2-10) unstable; urgency=high * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask() diff --git a/debian/patches/00list b/debian/patches/00list index 0bae9d0..a358c33 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -20,4 +20,5 @@ 21-dpkg-buildflags 22-getopt.dpatch 23-netmask-dos.dpatch +24-disable-sslv3.dpatch 98_patchlevel_debian diff --git a/debian/patches/24-disable-sslv3.dpatch b/debian/patches/24-disable-sslv3.dpatch new file mode 100755 index 0000000..78427f9 --- /dev/null +++ b/debian/patches/24-disable-sslv3.dpatch @@ -0,0 +1,25 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 24-disable-sslv3.dpatch by Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +## +## DP: Disable SSLv3 to mitigate against the POODLE attack +## +## All lines beginning with `## DP:' are a description of the patch. + +diff --git a/src/ircd.c b/src/ircd.c +--- a/src/ircd.c ++++ b/src/ircd.c +@@ -512,7 +512,7 @@ init_ssl(void) + ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s); + } + +- SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2); ++ SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL); + SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL); + +-- +1.7.10.4 + + +Sebastian +
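Review bot: the debian/changelog hunk closes #767026 while the cover mail says the issue is tracked as #779082; please confirm which bug the wheezy update should close (or list both), otherwise the open report will not be closed by the upload. Minor wording in the same entry: "mitigate against the POODLE vulnerability" reads better as "mitigate the POODLE vulnerability".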
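Review bot: the new debian/patches/24-disable-sslv3.dpatch file carries the git format-patch trailer ("-- ", "1.7.10.4") and the "Sebastian" mail signature as its last lines; dpatch-run will ignore them, but the file should end after the src/ircd.c hunk so it contains only the DP header and the diff. The change itself, `SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, is the correct and minimal POODLE mitigation for this OpenSSL API; the unchanged context lines that follow still set `SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL` and `SSL_VERIFY_NONE`, which is outside the scope of this stable update but worth recording for a later review of the TLS configuration.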