On 2015-03-12 14:55:46 +0100, Jochen Spieker wrote:
> Vincent Lefevre:
> > Why hasn't there been a security update of apache2 concerning SSLv3,
> > making users vulnerable to POODLE when they use a client supporting
> > SSLv3?
>
> I think that is a difficult thing to do. We are talking about an unsafe
> default configuration which may have been changed by the local admin.

The Debian packaging system is able to detect changes in config files. Then you have two kinds of admins:

1. Those who don't change anything, e.g. because they don't need to change anything and they trust Debian for a sane default config. This is the case with the admin I was mentioning. A change of the default configuration would not hurt here.

2. Those who change the default config. Then this would be detected in the upgrade. This means that a manual change may be needed by the admin to keep his config file *and* disable SSLv3, but since the admin has already made changes, I doubt that he would mind making yet another change for security reasons (and without a Debian security update, a manual change is needed anyway).

> Debian maintainers have no way to enforce this (short of disabling
> compile-time parameters) and I don't think it would be a good idea to do
> any of that.
>
> If Debian stable suddenly stopped supporting SSLv3, many sites would
> break for users with legacy software.

But SSLv3-only clients are unsafe and already break with many sites. It might still be useful for some intranets; that's why it may be better to just change the config file for now, and I don't see any problem with that. An admin can still revert the change in a config file if need be.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Archive: https://lists.debian.org/20150312162633.ga14...@ypig.lip.ens-lyon.fr
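The "just change the config file" fix discussed above hinges on how mod_ssl reads `SSLProtocol`: `+X` adds, `-X` removes, and a bare token (such as `all`) replaces whatever came before it, so an admin's edit can look right yet still leave SSLv3 on. The auditor below is an added example, not code from this thread or from Debian; it assumes the Apache 2.4 meaning of `all` (SSLv3 and the TLS versions, no SSLv2) and that a vhost without its own directive inherits the global one, and the sample config is constructed.

```python
"""Added example: audit Apache SSLProtocol directives for SSLv3 exposure."""
import re

# Names mod_ssl 2.4 accepts (case-insensitive); 'all' means everything but SSLv2.
PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}
ALL = frozenset(PROTOCOLS.values()) - {"SSLv2"}

def parse_sslprotocol(args):
    """mod_ssl semantics: '+X' adds, '-X' removes, a bare token REPLACES the set."""
    enabled = set()
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        # KeyError on a name mod_ssl would also reject
        protos = set(ALL) if name.lower() == "all" else {PROTOCOLS[name.lower()]}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = protos  # so 'SSLProtocol -SSLv3 all' leaves SSLv3 ON
    return frozenset(enabled)

def audit(config_text):
    """Map the global scope and each <VirtualHost> to True if SSLv3 is negotiable
    there; vhosts without their own directive inherit the global one ('all')."""
    settings, context = {"global": None}, "global"
    for line in (l.strip() for l in config_text.splitlines()):
        vh = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        sp = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if vh:
            context = vh.group(1).strip()
            settings[context] = None
        elif re.match(r"</VirtualHost>", line, re.I):
            context = "global"
        elif sp:  # commented-out directives never match at column 0
            settings[context] = parse_sslprotocol(sp.group(1))
    top = settings["global"] if settings["global"] is not None else ALL
    return {ctx: "SSLv3" in (p if p is not None else top) for ctx, p in settings.items()}

# Constructed sample config, not Debian's shipped ssl.conf.
SAMPLE = """SSLProtocol all
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLProtocol -SSLv3 all
</VirtualHost>
<VirtualHost intranet.example:443>
</VirtualHost>"""
```

Running `audit(SAMPLE)` flags the global scope, the `192.0.2.10:443` vhost (the bare `all` undoes `-SSLv3`) and the directive-less intranet vhost as still accepting SSLv3; only `*:443` is actually fixed.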