** Description changed:

  The included `default` config file contains a commented-out section for SSL. That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability. Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?

  ------

  In the PPAs, this affects all versions of the package in both Stable and Mainline.

  In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.
+
+ This change was already made in Debian Unstable.

** Description changed:

  The included `default` config file contains a commented-out section for SSL. That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability. Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?

  ------

- In the PPAs, this affects all versions of the package in both Stable and
- Mainline.
+ NGINX Project:
+ In the PPAs, this affects all versions of the package in both Stable and Mainline.
+
+ ------
+
+ Ubuntu Project:
  In Ubuntu, this affects the Precise, Trusty, and Utopic versions of the package.

- This change was already made in Debian Unstable.
+ This change was already made/committed in Debian Unstable.

** Also affects: nginx (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: nginx
     Assignee: (unassigned) => Thomas Ward (teward)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1383379

Title:
  nginx default config has SSLv3 enabled, makes sites using default config options vulnerable to POODLE

To manage notifications about this bug go to:
https://bugs.launchpad.net/nginx/+bug/1383379/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
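
One way to audit a config for the condition this report describes, as an added example that is not part of the bug report or of the nginx packaging: it flags every `ssl_protocols` directive that lists SSLv3 (or SSLv2), whether active or commented out. The sample config, the function name `audit_ssl_protocols` and the finding fields are constructed for illustration; the packaged `default` file itself is not reproduced on this page.

```python
import re

# An ssl_protocols directive, optionally preceded by '#' comment markers.
DIRECTIVE = re.compile(r"^\s*(?P<hash>#[#\s]*)?ssl_protocols\s+(?P<protos>[^;#]*);")
INSECURE = {"SSLv2", "SSLv3"}

# Constructed sample: a commented-out template block, a clean vhost, a weak vhost.
SAMPLE = """\
server {
    listen 80 default_server;
}
# HTTPS server
#
#server {
#    listen 443;
#    ssl on;
#    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols SSLv3 TLSv1;
}
"""

def audit_ssl_protocols(config_text):
    """Return one finding per ssl_protocols directive listing SSLv2/SSLv3.

    Commented-out directives are reported as "commented": they are inactive,
    but uncommenting the template as shipped would enable the protocol.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        protos = m.group("protos").split()
        bad = [p for p in protos if p in INSECURE]
        if not bad:
            continue
        keep = [p for p in protos if p not in INSECURE]
        findings.append({
            "line": lineno,
            "state": "commented" if m.group("hash") else "active",
            "insecure": bad,
            # None when nothing safe remains and the operator must choose a list.
            "suggested": "ssl_protocols " + " ".join(keep) + ";" if keep else None,
        })
    return findings
```

Running it over each file under the nginx configuration directory separates active exposure from template lines that only become a problem once uncommented.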