Investigate what to do for Tails 1.2.1 about the POODLE vulnerability
#1 Updated by intrigeri over 5 years ago
- system-wide NSS
- TB's NSS
- system-wide OpenSSL
- system-wide GnuTLS
Debian updates: https://security-tracker.debian.org/tracker/CVE-2014-3566
#5 Updated by intrigeri over 5 years ago
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 20
- Tor Browser's NSS: fixed already by disabling SSLv3
- Pidgin: not fixed (upstream ticket), but should not be vulnerable unless it implements the downgrade dance itself
- Claws Mail: uses GnuTLS; 3.11.0, which disables SSLv3 altogether, should reach testing in two days, and then it can be backported (beware, the backport changelog says scary things like "This makes the complete certificate chain not available"); maybe the backport would be less buggy than the Wheezy package. No idea if the version in Wheezy implements any kind of crazy downgrade dance. Alternatively, we could cherry-pick the upstream commit that disables SSLv3; this might be an appropriate change for wheezy-security.
- system-wide NSS (used e.g. by openjdk-7-jre, that is I2P, LibreOffice and others): still supports SSLv3, so can be used inappropriately by applications if they implement some crazy downgrade dance
- system-wide OpenSSL: still supports SSLv3, so can be used inappropriately by applications if they implement some crazy downgrade dance; fixed in sid by disabling SSLv3; we can cherry-pick the commit that disables SSLv3
- system-wide GnuTLS 2.6: still supports SSLv3, so can be used inappropriately by applications if they implement some crazy downgrade dance
#6 Updated by intrigeri over 5 years ago
- Assignee changed from intrigeri to anonym
My opinion on what we should do: nothing, let's hope that Tor Browser was the only application we ship that does a crazy downgrade dance. Anything else requires locally patching Debian packages, and would make our stuff more painful to maintain, which we don't need.
If/once a Claws Mail 3.11 backport appears, we can still reconsider shipping it for other reasons. We'll want to double-check that it doesn't weaken certificate verification, though.
anonym (and others), what do you think?
#7 Updated by anonym over 5 years ago
- Status changed from In Progress to Resolved
- Assignee deleted (
- % Done changed from 20 to 100
Agreed. I've looked around and all I've gathered indicates that the POODLE vulnerability pretty much requires a modern web browser context to be exploitable. Closing this ticket.
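The "downgrade dance" the comments above refer to, modelled offline as an added example (not code from Tails or from any package named in this ticket): a client that retries with a lower maximum protocol version after a failed handshake. The path model, function names and scenarios are constructed for illustration; they show why a library that merely still supports SSLv3 is only reachable through an application-level fallback loop.

```python
# Added illustration: pure simulation, no network I/O. All names are hypothetical.
from enum import IntEnum

class Proto(IntEnum):
    SSL3 = 0x0300
    TLS1_0 = 0x0301
    TLS1_1 = 0x0302
    TLS1_2 = 0x0303

class HandshakeFailed(Exception):
    pass

def make_path(server_max, interferer_drops_above=None):
    """Model server plus network path. interferer_drops_above is a constructed
    on-path party that makes every handshake offering a higher version fail."""
    def handshake(client_max, client_min):
        if interferer_drops_above is not None and client_max > interferer_drops_above:
            raise HandshakeFailed("connection reset")
        agreed = min(client_max, server_max)
        if agreed < client_min:
            raise HandshakeFailed("no common version")
        return agreed
    return handshake

def connect(handshake, lib_min, fallback):
    """lib_min is the lowest version the TLS library still allows.
    fallback=True retries with a lower maximum after each failure."""
    offers = sorted(Proto, reverse=True)
    if not fallback:
        offers = offers[:1]              # one attempt at the best version only
    for offer in offers:
        if offer < lib_min:              # library refuses to go lower
            break
        try:
            return handshake(offer, lib_min).name
        except HandshakeFailed:
            continue
    return "refused"

def scenarios():
    clean = make_path(Proto.TLS1_2)
    interfered = make_path(Proto.TLS1_2, interferer_drops_above=Proto.SSL3)
    return {
        "no fallback, SSLv3 in library, clean path": connect(clean, Proto.SSL3, False),
        "no fallback, SSLv3 in library, interfered": connect(interfered, Proto.SSL3, False),
        "fallback, SSLv3 in library, interfered": connect(interfered, Proto.SSL3, True),
        "fallback, SSLv3 disabled, interfered": connect(interfered, Proto.TLS1_0, True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Only the third scenario ends on SSLv3: without the retry loop the interfered connection fails outright, and with SSLv3 disabled in the library the retry loop has nothing to fall back to.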