On Thursday 12 March 2015 08:44:40 David Guyot wrote:
> Hello.
>
> That's a good question you're asking here. I, too, think that an
> Apache update should correct this default parameter. Nevertheless,
> it's probably because it's just an Apache parameter, not an Apache
> fault as such, that this default config has not been changed; I would
> say this is not a priority for the Debian developers. The default
> Debian config is designed as a balance between safety and usability,
> not as a vault like OpenBSD: it will be safe in MOST situations, but
> not all of them. Besides, Debian being a general purpose distro, the
> developers are forced to make compromises on the default configuration
> to allow it to function relatively well in most cases. That's why it
> can include config choices which are not the best ones regarding
> security, but the best compromise between security and usability, and
> between the various use cases.
>
> Even if it is strongly recommended to disable SSLv3, for certain
> installations like the ones above, it is not necessary. Beyond that,
> even if the default Debian config is safe, it is relative: for
> example, its default OpenSSH server config allows root login and login
> using password, which is not recommended at all if you want a truly
> secured system, which is the case of most users with a publicly
> reachable Apache server: those ones are supposed to take care of their
> Apache config, the default one being designed not only for a publicly
> available website, but also for internal sites, such as an intranet or
> a test server.
>
> Hoping that I'm right on my interpretation of this Apache update lack,

Considering that I _am_ running an apache server here, AND it faces the
world, this lack of a fix for POODLE seems to be a serious lack on the
part of the apache people for not pushing a fix, with lots of noise, or
if it's available, a fairly serious screw-you attitude on the part of the
debian folks in control of that. Strong language maybe, but it needs to
be said.

>
> Regards.
>
> On Thursday 12 March 2015 at 13:00 +0100, Vincent Lefevre wrote:
> > Why hasn't there been a security update of apache2 concerning SSLv3,
> > making users vulnerable to POODLE when they use a client supporting
> > SSLv3?
> >
> > According to various articles found via a Google search[*], it is
> > strongly advised to disable SSLv3. Does Debian think differently?
> >
> > [*] in particular:
> > http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
> >
> > The problem is that some admin assumes that Debian's default is safe
> > thus doesn't want to change:
> >
> > https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
> >
> > "There was no update in the stable version, so the Debian
> > security team didn't deem this critical enough. If Debian
> > makes a security update this will be taken in account at
> > InriaForge (and other Debian7-based sites) :)"
> >
> > --
> > Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> > 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> > Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Archive: https://lists.debian.org/201503120907.12375.ghesk...@wdtv.com