mod_openssl for Apache is the offending package.

On Thursday, March 12, 2015, David Guyot <david.gu...@europecamions-interactive.com> wrote:

> Hello.
>
> That's a good question you're asking here. I, too, think that an Apache
> update should correct this default parameter. Nevertheless, it's
> probably because it's just an Apache parameter, not an Apache fault as
> such, that this default config has not been changed; I would say this
> is not a priority for the Debian developers. The default Debian config
> is designed as a balance between safety and usability, not as a vault
> like OpenBSD: it will be safe in MOST situations, but not all of them.
> Besides, Debian being a general purpose distro, the developers are
> forced to make compromises on the default configuration to allow it to
> function relatively well in most cases. That's why it can include config
> choices which are not the best ones regarding security, but the best
> compromise between security and usability, and between the various use
> cases.
>
> Even if it is strongly recommended to disable SSLv3, for certain
> installations like the ones above, it is not necessary. Beyond that,
> even if the default Debian config is safe, it is relative: for example,
> its default OpenSSH server config allows root login and login using
> password, which is not recommended at all if you want a truly secured
> system, which is the case of most users with a publicly reachable Apache
> server: those ones are supposed to take care of their Apache config, the
> default one being designed not only for a publicly available website,
> but also for internal sites, such as an intranet or a test server.
>
> Hoping that I'm right in my interpretation of this Apache update lack,
>
> Regards.
>
> On Thursday, 12 March 2015 at 13:00 +0100, Vincent Lefevre wrote:
> > Why hasn't there been a security update of apache2 concerning SSLv3,
> > making users vulnerable to POODLE when they use a client supporting
> > SSLv3?
> >
> > According to various articles found via a Google search[*], it is
> > strongly advised to disable SSLv3. Does Debian think differently?
> >
> > [*] in particular:
> > http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
> >
> > The problem is that some admin assumes that Debian's default is safe
> > thus doesn't want to change:
> >
> > https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
> >
> > "There was no update in the stable version, so the Debian
> > security team didn't deem this critical enough. If Debian
> > makes a security update this will be taken in account at
> > InriaForge (and other Debian7-based sites) :)"
> >
> > --
> > Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> > 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> > Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
> --
> David Guyot
> System, network and telecom administrator / Sysadmin
> Europe Camions Interactive / Stockway
> Moulin Collot
> F-88500 Ambacourt
> 03 29 30 47 85
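As an added example, not code from this thread or from Debian, the following Python script models how mod_ssl combines `SSLProtocol` tokens (assumed Apache 2.2 semantics, where `all` still includes SSLv2, which is the version Debian 7 shipped) and reports, for each virtual host of a constructed config, whether SSLv3 is still enabled:

```python
import re

# Protocols Apache 2.2 mod_ssl knows; there 'all' still includes SSLv2, hence Debian's default 'all -SSLv2'
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
INSECURE = frozenset({"SSLv2", "SSLv3"})

def parse_sslprotocol(args):
    """Enabled set for one 'SSLProtocol <args>': '+tok' adds, '-tok' removes, a bare token replaces."""
    enabled = set()
    for token in args.split():
        prefix, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        protos = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if not protos <= ALL_PROTOCOLS:
            raise ValueError(f"unknown protocol {name!r}")
        if prefix == "-":
            enabled -= protos
        elif prefix == "+":
            enabled |= protos
        else:                      # bare token: mod_ssl treats it as an absolute value
            enabled = set(protos)
    return frozenset(enabled)

def audit_config(text):
    """Effective protocols per <VirtualHost>: a vhost without its own directive inherits
    the global one, and an unset global directive means 'all' (mod_ssl's 2.2 default)."""
    per_scope, scopes, scope = {}, ["*global*"], "*global*"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            scope = m.group(1).strip()
            scopes.append(scope)
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "*global*"
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            per_scope[scope] = parse_sslprotocol(m.group(1))
    effective = {s: per_scope.get(s, per_scope.get("*global*", ALL_PROTOCOLS)) for s in scopes}
    return {s: (p, sorted(p & INSECURE)) for s, p in effective.items()}

# Constructed sample: Debian 7 style default, an intranet vhost inheriting it, a hardened public vhost
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
<VirtualHost *:443>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
```

Running `audit_config(SAMPLE_CONF)` flags the global scope and the `*:443` vhost as still offering SSLv3, while the hardened vhost comes back clean.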