On Thu, Mar 12, 2015 at 09:07:12AM -0400, Gene Heskett wrote:
> On Thursday 12 March 2015 08:44:40 David Guyot wrote:
> > Hello.
> >
> > That's a good question you're asking here. I, too, think that an
> > Apache update should correct this default parameter. Nevertheless,
> > it's probably because it's just an Apache parameter, not an Apache
> > fault as such, that this default config has not been changed; I would
> > say this is not a priority for the Debian developers. The default
> > Debian config is designed as a balance between safety and usability,
> > not as a vault like OpenBSD: it will be safe in MOST situations, but
> > not all of them. Besides, Debian being a general purpose distro, the
> > developers are forced to make compromises on the default configuration
> > to allow it to function relatively well in most cases. That's why it
> > can include config choices which are not the best ones regarding
> > security, but the best compromise between security and usability, and
> > between the various use cases.
> >
> > Even if it is strongly recommended to disable SSLv3, for certain
> > installations like the ones above, it is not necessary. Beyond that,
> > even if the default Debian config is safe, it is relative: for
> > example, its default OpenSSH server config allows root login and login
> > using password, which is not recommended at all if you want a truly
> > secured system, which is the case of most users with a publicly
> > reachable Apache server: those ones are supposed to take care of their
> > Apache config, the default one being designed not only for a publicly
> > available website, but also for internal sites, such as an intranet or
> > a test server.
> >
> > Hoping that I'm right in my interpretation of this missing Apache update,
> 
> Considering that I _am_ running an apache server here, AND it faces the 
> world, this lack of a fix for POODLE, seems to be a serious lack on the 
> part of the apache people for not pushing a fix, with lots of noise, or 
> if it's available, a fairly serious screw you attitude on the part of the 
> debian folks in control of that.  Strong language maybe, but it needs to 
> be said.

Hang on. If you're aware of POODLE and you've not taken steps to
mitigate it, aren't you the one at fault? I mean, yes, debian could put
out a patch which changes the default settings but this probably won't
affect vservers, or other configuration files stashed about the place.

Perhaps people just need to be made more aware of robust SSL settings
for apache: https://cipherli.st/

> >
> > Regards.
> >
> > Le jeudi 12 mars 2015 à 13:00 +0100, Vincent Lefevre a écrit :
> > > Why hasn't there been a security update of apache2 concerning SSLv3,
> > > making users vulnerable to POODLE when they use a client supporting
> > > SSLv3?
> > >
> > > According to various articles found via a Google search[*], it is
> > > strongly advised to disable SSLv3. Does Debian think differently?
> > >
> > > [*] in particular:
> > > http://serverfault.com/questions/637706/poodle-is-disabling-ssl-v3-on-server-really-a-solution
> > >
> > > The problem is that some admin assumes that Debian's default is safe
> > > thus doesn't want to change:
> > >
> > > https://gforge.inria.fr/tracker/?func=detail&atid=110&aid=18743&group_id=1
> > >
> > >     "There was no update in the stable version, so the Debian
> > >     security team didn't deem this critical enough. If Debian
> > >     makes a security update this will be taken into account at
> > >     InriaForge (and other Debian7-based sites) :)"
> > >
> > > --
> > > Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> > > 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> > > Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page <http://geneslinuxbox.net:6309/gene>
> 
> 
> Archive: https://lists.debian.org/201503120907.12375.ghesk...@wdtv.com
> 

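The reply above makes the point that a changed package default would not reach per-vhost files or other configuration stashed about the place, because SSLProtocol set inside a <VirtualHost> overrides the server-level value. What follows is an added example, not posted by anyone in this thread and not part of Debian's apache2 packaging: a POSIX shell audit that walks an Apache configuration tree, reproduces mod_ssl's left-to-right SSLProtocol token handling (a bare token replaces the set, "+" adds, "-" removes, "all" means every protocol the build supports, SSLv3 included), and flags every scope that still admits SSLv3, next to the `SSLProtocol all -SSLv2 -SSLv3` form that disables it. The directory layout and the four sample files are constructed for the demonstration; their names and the /etc/apache2 path are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread or from Debian's apache2 package):
# audit every SSLProtocol directive in an Apache config tree and flag any
# scope that still admits SSLv3.  Paths and sample files are assumptions.

# Emulate mod_ssl's SSLProtocol parsing for one directive value and print
# 1 if SSLv3 ends up enabled, 0 otherwise.  Tokens are handled left to
# right: a bare token replaces the whole set, "+tok" adds, "-tok" removes,
# and "all" stands for every protocol the build supports (SSLv3 included).
sslv3_allowed() {
    on=0
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')   # tokens are case-insensitive
        case "$tok" in
            all|sslv3)    on=1 ;;   # bare: set becomes exactly this token
            +all|+sslv3)  on=1 ;;
            -all|-sslv3)  on=0 ;;
            [+-]*)        ;;        # +/-TLSv1 and friends: SSLv3 untouched
            *)            on=0 ;;   # bare TLSv1 / TLSv1.2: set replaced
        esac
    done
    echo "$on"
}

# Scan a config tree.  Prints one line per live SSLProtocol directive,
#   <file>:<line>: <value>  =>  SSLv3 ALLOWED | SSLv3 disabled
# then a summary with the number of offending scopes.  Commented-out
# directives are skipped.  A <VirtualHost> without its own SSLProtocol
# inherits the server-level value, so that file has to be fixed as well;
# this audit only reports explicit directives.
audit_sslprotocol() {
    tree=$1
    tmp=$(mktemp)
    find "$tree" -type f -name '*.conf' -exec \
        grep -Hin '^[[:space:]]*SSLProtocol[[:space:]]' {} + | sort > "$tmp"
    bad=0
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        line=${rest%%:*}; text=${rest#*:}
        # Drop the directive name (first word) and any quotes around the value.
        value=$(printf '%s\n' "$text" \
            | sed -e 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' -e 's/"//g')
        if [ "$(sslv3_allowed $value)" = 1 ]; then
            verdict="SSLv3 ALLOWED"; bad=$((bad + 1))
        else
            verdict="SSLv3 disabled"
        fi
        printf '%s:%s: %s  =>  %s\n' "$file" "$line" "$value" "$verdict"
    done < "$tmp"
    rm -f "$tmp"
    echo "SSLv3 still allowed in $bad scope(s)"
}

# Constructed sample tree mirroring a Debian-style layout (assumed; not a
# real host).  Returns the temporary directory on stdout.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mods-enabled" "$root/sites-enabled"
    # server-wide setting that only dropped SSLv2: SSLv3 still on
    printf '<IfModule mod_ssl.c>\n\tSSLProtocol all -SSLv2\n</IfModule>\n' \
        > "$root/mods-enabled/ssl.conf"
    # a vhost that was hardened
    printf '<VirtualHost *:443>\n    SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n' \
        > "$root/sites-enabled/intranet.conf"
    # a vhost whose explicit allow list re-enables SSLv3
    printf '<VirtualHost *:443>\n    SSLProtocol +TLSv1 +SSLv3\n</VirtualHost>\n' \
        > "$root/sites-enabled/legacy.conf"
    # commented-out directive: ignored, so this vhost inherits the server value
    printf '<VirtualHost *:443>\n    # SSLProtocol all -SSLv3\n</VirtualHost>\n' \
        > "$root/sites-enabled/default-ssl.conf"
    echo "$root"
}

# Stand-alone run: build the sample tree, audit it, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo_tree=$(make_sample_tree)
    audit_sslprotocol "$demo_tree"
    rm -rf "$demo_tree"
fi
```

Run it with --demo to see the report on the constructed tree, or call audit_sslprotocol with the real path (/etc/apache2 on Debian, an assumption about the host). In the sample, ssl.conf and legacy.conf are reported as still allowing SSLv3, intranet.conf is clean, and default-ssl.conf does not appear at all, which is exactly the case a package-level default change would silently leave behind if the server-wide file had been edited locally.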