Hello. That's a good question you're asking here. I, too, think that an Apache update should correct this default parameter. Nevertheless, it's probably because it's just an Apache parameter, not an Apache fault as such, that this default config has not been changed; I would say this is not a priority for the Debian developers. The default Debian config is designed as a balance between safety and usability, not as a vault like OpenBSD: it will be safe in MOST situations, but not all of them. Besides, Debian being a general-purpose distro, the developers are forced to make compromises on the default configuration to allow it to function relatively well in most cases. That's why it can include config choices which are not the best ones regarding security, but the best compromise between security and usability, and between the various use cases.

Even if it is strongly recommended to disable SSLv3, for certain installations like the ones above, it is not necessary. Beyond that, even if the default Debian config is safe, it is relative: for example, its default OpenSSH server config allows root login and login using a password, which is not recommended at all if you want a truly secure system, which is the case for most users with a publicly reachable Apache server: those are supposed to take care of their Apache config, the default one being designed not only for a publicly available website, but also for internal sites, such as an intranet or a test server.

Hoping that I'm right in my interpretation of the lack of an Apache update,

Regards.

On Thursday 12 March 2015 at 13:00 +0100, Vincent Lefevre wrote:
> Why hasn't there been a security update of apache2 concerning SSLv3,
> making users vulnerable to POODLE when they use a client supporting
> SSLv3?
>
> According to various articles found via a Google search[*], it is
> strongly advised to disable SSLv3. Does Debian think differently?
>
> [*] in particular:
> http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
>
> The problem is that some admin assumes that Debian's default is safe
> thus doesn't want to change:
>
> https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
>
> "There was no update in the stable version, so the Debian
> security team didn't deem this critical enough. If Debian
> makes a security update this will be taken in account at
> InriaForge (and other Debian7-based sites) :)"
>
> --
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--
David Guyot
System, network and telecom administrator / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
03 29 30 47 85
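The thread turns on whether the server-side `SSLProtocol` line in Debian's `mods-enabled/ssl.conf` leaves SSLv3 on. As an added example, not part of this thread nor Debian's or Apache's own code, the POSIX shell helper below evaluates `SSLProtocol` arguments the way mod_ssl builds its protocol set and flags any directive that still permits SSLv3. Assumptions: the token semantics (`+name` adds, `-name` removes, a bare `name` replaces the whole set, `all` means every protocol the build knows) and the list of protocols in `KNOWN` are taken from mod_ssl's documented behaviour for the 2.2/2.4 era; the sample configuration fed to it is constructed, and its global `all -SSLv2` line is an assumption about what the pre-POODLE default looked like rather than a copy of any Debian file.

```shell
#!/bin/sh
# Added example: evaluate Apache mod_ssl "SSLProtocol" directives and report
# which ones still leave SSLv3 enabled. Not from the thread or from Debian.
#
# Assumed token semantics, as mod_ssl applies them left to right:
#   "+name" adds a protocol, "-name" removes it, a bare "name" replaces the
#   whole set, and "all" stands for every protocol the build knows.
# Token names are matched case-sensitively here (mod_ssl itself is
# case-insensitive); write them as in the documentation.

# Protocols assumed known to the build. SSLv2 is listed because the
# Apache 2.2 packages discussed in the thread still knew it.
KNOWN="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# sslprotocol_enabled "<directive arguments>"
# Prints the resulting enabled protocol set, space-separated.
sslprotocol_enabled() {
    enabled=""
    for tok in $1; do
        case $tok in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case $name in
            all) names=$KNOWN ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2) names=$name ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
        esac
        case $action in
            set) enabled=$names ;;
            add)
                for n in $names; do
                    case " $enabled " in
                        *" $n "*) ;;                  # already present
                        *) enabled="$enabled $n" ;;
                    esac
                done ;;
            del)
                kept=""
                for n in $enabled; do
                    keep=yes
                    for d in $names; do
                        if [ "$n" = "$d" ]; then keep=no; fi
                    done
                    if [ "$keep" = yes ]; then kept="$kept $n"; fi
                done
                enabled=$kept ;;
        esac
    done
    # Unquoted on purpose: word splitting drops the leading/duplicate spaces.
    echo $enabled
}

# allows_sslv3 "<directive arguments>" -> 0 if SSLv3 stays enabled, 1 if not
allows_sslv3() {
    case " $(sslprotocol_enabled "$1") " in
        *" SSLv3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_config: reads an Apache config on stdin and prints one verdict line
# per uncommented SSLProtocol directive. A vhost with no SSLProtocol of its
# own inherits the server-level one, so the global line is usually the one
# that decides exposure.
check_config() {
    grep -i '^[[:space:]]*SSLProtocol[[:space:]]' |
    while read -r directive args; do
        if allows_sslv3 "$args"; then
            echo "VULNERABLE (SSLv3 enabled): SSLProtocol $args"
        else
            echo "ok: SSLProtocol $args"
        fi
    done
}

# Constructed sample (not a real Debian file): a global line of the shape
# "all -SSLv2", assumed to be what the pre-POODLE default looked like, plus
# a hardened per-vhost override.
check_config <<'EOF'
# SSL Protocol support
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
```

On a real host, run `check_config < /etc/apache2/mods-enabled/ssl.conf` and again against each site file under `sites-enabled/`; a static scan like this says what the configuration asks for, while `openssl s_client -ssl3 -connect host:443` (with an OpenSSL build that still has SSLv3 compiled in) shows what the running server actually negotiates, and the two can disagree when a vhost override or a stale reload is in play.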