Vincent Lefevre wrote:
> Jochen Spieker wrote:
> > Vincent Lefevre:
> > > Why hasn't there been a security update of apache2 concerning SSLv3,
> > > making users vulnerable to POODLE when they use a client supporting
> > > SSLv3?
> > 
> > I think that is a difficult thing to do. We are talking about an unsafe
> > default configuration which may have been changed by the local admin.

More specifically, for SSLv3 it is something that would already be a
custom configuration by the local admin.  Therefore I wouldn't say
"may have been changed".  It will be a local configuration in a
locally created file.

> The Debian packaging system is able to detect changes in config files.
> Then you have two kinds of admins:

The Debian default Apache2 configuration for ssl is in local-ssl and
it configures the self-signed so-called "snakeoil" certificates.
Anyone actually setting up SSL for secure public use *must* set a
local configuration.  For the case of POODLE vulnerability there isn't
any case where the default is an acceptable configuration.  It
requires a local admin to have set the site configuration.

The normal configuration for web servers such as Apache2 and Nginx is
to keep site specific files.  Each site is in its own configuration
file.  Even if the package were updated to change the local-ssl
default file that file is not where the needed site configuration
would normally exist.

The number of people a package upgrade would help concerning POODLE is
vanishingly small.  I assert that it may be zero, but it is a large
world and mom told me to never say never.  It might actually hurt.
People who take the security upgrade might think they are then safe
when they are not unless they have updated their local site
configuration.  A package upgrade for this might do more harm than
good.

Bob
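
The point above is that the SSLv3 setting lives in each admin's own site file, not in the packaged default, so an audit has to walk those site files. The following is an added example, not code from anyone in this thread: a small POSIX sh check over a directory of Apache site configs, run here against constructed sample files (in practice you would point it at the directory holding the enabled site configs, assumed to be Debian's sites-enabled layout).

```shell
#!/bin/sh
# Added example: report, per site file, whether its SSLProtocol directive
# still permits SSLv3. Sample files below are constructed for illustration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/legacy.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # SSLProtocol all          (old value, kept as a comment)
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/inherits.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
EOF

# Classify one file: prints no-directive, sslv3-allowed or sslv3-disabled.
sslv3_status() {
    # Only uncommented lines count; the last SSLProtocol line wins if repeated.
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo no-directive      # site inherits whatever the global default is
        return 0
    fi
    allowed=no
    for tok in $(printf '%s\n' "$line" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            all|+all|sslv3|+sslv3) allowed=yes ;;
            -all) allowed=no ;;
            -sslv3) allowed=no; break ;;   # explicit removal is final
        esac
    done
    [ "$allowed" = yes ] && echo sslv3-allowed || echo sslv3-disabled
}

# Walk every site file in a directory and print one line per file.
audit_dir() {
    for f in "$1"/*.conf; do
        printf '%s: %s\n' "$(basename "$f")" "$(sslv3_status "$f")"
    done
}

audit_dir "$SAMPLE_DIR"
```

A file reported as no-directive is not necessarily safe: it takes the server-wide default, so that global SSLProtocol setting has to be checked separately.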
