Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-16 Thread Otavio Salvador
On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross wrote: > On 15 October 2014 16:31, Burton, Ross wrote: >> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including >> "disabling SSLv3 didn't work"...). I think considering the situation >> we'd take the upgrade for dizzy, even though we've

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-16 Thread Burton, Ross
On 15 October 2014 16:31, Burton, Ross wrote: > There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including > "disabling SSLv3 didn't work"...). I think considering the situation > we'd take the upgrade for dizzy, even though we've frozen. Anyone > volunteering to take lead of upgrading di

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-16 Thread Burton, Ross
On 16 October 2014 17:09, Sona Sarmadi wrote: > Do you know if gnutls implements the SSLv3 protocol? I don't see any new > security updates for gnutls (related to the SSLv3 vulnerability) ? Yes it does, and no there isn't. Ross -- ___ Openembedded-c

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-16 Thread Sona Sarmadi
Ross, > > Presumably the list of affected packages is: > > - gnutls > > - openssl > > - nss > > There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling > SSLv3 didn't work"...). I think considering the situation we'd take the > upgrade for dizzy, even though we've frozen. A

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-16 Thread Sona Sarmadi
Hi Ross > There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling > SSLv3 didn't work"...). I think considering the situation we'd take the > upgrade for dizzy, even though we've frozen. Anyone volunteering to take > lead of upgrading dizzy to 1.0.1j and backporting the rele

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-15 Thread Bryan Evenson
rg; openembedded- > c...@lists.openembedded.org > Subject: Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon: > > On 15 October 2014 07:48, Sona Sarmadi wrote: > > The advice is: Disable SSLv3. > > > > I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=68

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-15 Thread Burton, Ross
On 15 October 2014 11:07, Burton, Ross wrote: > Presumably the list of affected packages is: > - gnutls > - openssl > - nss There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling SSLv3 didn't work"...). I think considering the situation we'd take the upgrade for dizzy, even

Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-15 Thread Burton, Ross
On 15 October 2014 07:48, Sona Sarmadi wrote: > The advice is: Disable SSLv3. > > I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we can > start to work with this immediately. Presumably the list of affected packages is: - gnutls - openssl - nss Are there more? Will ENEA b

[OE-core] Truly scary SSL 3.0 vuln to be revealed soon:

2014-10-14 Thread Sona Sarmadi
Hi guys, Yesterday The Register published this: http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/ and today following was published: https://www.openssl.org/~bodo/ssl-poodle.pdf http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.