Why hasn't there been a security update of apache2 concerning SSLv3, making users vulnerable to POODLE when they use a client supporting SSLv3?
According to various articles found via a Google search[*], it is strongly advised to disable SSLv3. Does Debian think differently?

[*] in particular:
http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution

The problem is that some admin assumes that Debian's default is safe thus doesn't want to change:

https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1

"There was no update in the stable version, so the Debian security team didn't deem this critical enough. If Debian makes a security update this will be taken in account at InriaForge (and other Debian7-based sites) :)"

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)