** Description changed:

+ [Impact]
+
+ * Cups in Trusty is vulnerable to the Poodle SSLv3. This disables it by default.
+ * Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.
+
+ [Test Case]
+
+ * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
+ * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
+ * Same but specify SSLOptions to AllowSSL3 or AllowRC4.
+
+ [Regression Potential]
+
+ * One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.
+
+ * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.
+
+ [Other Info]
+
+ * Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.
+
  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable SSLv3 in the 12.04/14.04 cups by default and backport the option to turn it back on?

https://bugs.launchpad.net/bugs/1505328

Title:
  Cups SSL is vulnerable to POODLE

Status in cups package in Ubuntu:
  New

Bug description:
  [Impact]

  * Cups in Trusty is vulnerable to the Poodle SSLv3. This disables it by default.
  * Users who have clients that don't support TLS1.0 will not be able to connect, unless they specify the additional options in cupsd.conf.

  [Test Case]

  * Install cupsd with /etc/cups/cupsd.conf SSL options SSLPort 443 and SSLOptions None
  * This should show up as having RC4 and SSLv3 disabled via a test like ssllabs.
  * Same but specify SSLOptions to AllowSSL3 or AllowRC4.

  [Regression Potential]

  * One assumption was this should only affect WinXP and even then only IE6 winxp users. If incorrect more could be affected.

  * The biggest issue could be that AllowSSL3 or AllowRC4 don't work in some unknown corner case. There's no evidence of this and other distros have deployed a very similar patch.

  [Other Info]

  * Only targeting 14.04 because of my assumption that if you're on 12.04 you are more likely to have older clients connecting to it.

  Original description:

  On 12.04 and 14.04 if you enable cups ssl you are vulnerable to poodle, and there does not appear to be any way to mitigate it in Cups config.

  Ubuntu 14.04 - https://www.ssllabs.com/ssltest/analyze.html?d=190.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Ubuntu 12.04 - https://www.ssllabs.com/ssltest/analyze.html?d=191.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on
  Fixed in wily - https://www.ssllabs.com/ssltest/analyze.html?d=192.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on

  Upstream fix - https://www.cups.org/str.php?L4476

  Should we disable SSLv3 in the 12.04/14.04 cups by default and backport the option to turn it back on?
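
Added example, not part of the bug report or of the CUPS patch: a small audit of cupsd.conf text for the SSLOptions values named in the test case. It assumes a cupsd build that carries the fix, where SSLv3 and RC4 stay off unless SSLOptions lists AllowSSL3 or AllowRC4; the function name, the report layout and the sample configurations are constructed for illustration.

```python
# Added example: flag the SSLOptions values that re-enable legacy crypto.
# Assumption: the cupsd build carries the fix, so SSLv3 and RC4 are off unless
# SSLOptions lists AllowSSL3 or AllowRC4. All names here are hypothetical.

WEAK = {
    "allowssl3": "SSLv3 re-enabled, exposed to POODLE",
    "allowrc4": "RC4 cipher suites re-enabled",
}
TLS_LISTENERS = ("sslport", "ssllisten")


def audit_cupsd_conf(text):
    """Return {'tls_listeners': [...], 'weak': [...]} for cupsd.conf contents."""
    report = {"tls_listeners": [], "weak": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        directive, *args = line.split()
        name = directive.lower()  # compared case-insensitively in this example
        if name in TLS_LISTENERS:
            report["tls_listeners"].append((lineno, line))
        elif name == "ssloptions":
            for arg in args:
                reason = WEAK.get(arg.lower())
                if reason:
                    report["weak"].append((lineno, arg, reason))
    return report


# Constructed sample configurations (not taken from the bug report).
WEAK_CONF = """\
# legacy clients
Listen localhost:631
SSLPort 443
SSLOptions AllowSSL3 AllowRC4
"""
HARDENED_CONF = """\
Listen localhost:631
SSLPort 443
SSLOptions None
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_cupsd_conf(conf)
        print(label, "listeners:", result["tls_listeners"])
        for lineno, arg, reason in result["weak"]:
            print(f"  line {lineno}: {arg}: {reason}")
```

A clean result only means the configuration does not opt back in; on a build without the fix the listener still negotiates SSLv3, so confirm with an external scan such as the ssllabs test the report uses.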