LinuxQuestions.org
Old 10-13-2014, 10:14 AM   #1
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
SSLv3 Vulnerability (CVE-2014-3566, POODLE)


anyone have any idea what this new SSLv3 issue might be, as hinted by Krebs?
 
Old 10-15-2014, 03:08 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
I've renamed this thread's title and stickied it for the time being. Also, with all due respect, I've deleted the attachment as it should remain at the site where it originates for several reasons (see PDF link below).

http://googleonlinesecurity.blogspot...ng-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.imperialviolet.org/2014/10/14/poodle.html
http://cve.mitre.org/cgi-bin/cvename...=CVE-2014-3566
 
Old 10-16-2014, 02:32 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
*Also note https://www.openssl.org/news/secadv_20141015.txt holds 3 CVEs:
- CVE-2014-3513 (DoS) affecting OpenSSL 1.0.1 before 1.0.1j,
- CVE-2014-3567 (DoS) affecting all 0.9.8, 1.0.0 and 1.0.1 users,
- CVE-2014-3568 affecting all 0.9.8, 1.0.0 and 1.0.1 users.
 
Old 10-17-2014, 03:28 PM   #4
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1060
TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack

US-CERT has released the subject Alert: see https://www.us-cert.gov/ncas/alerts/TA14-290A.

The alert includes description, impact and solution information.

Hope this helps some.

Last edited by tronayne; 10-17-2014 at 03:34 PM.
 
Old 10-17-2014, 09:09 PM   #5
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Original Poster
Rep: Reputation: 62
and something related..... oh-g, hmmm, it's like y2k, but at least y2k provoked millions of $$ to consultants to try and fix the issue before it happened, and yrs prior to 2000. look around, big guys like ahoo, MS, and gool still using SHA1 certs....

https://www.symantec.com/page.jsp?id=sha2-transition
https://blog.mozilla.org/security/20...re-algorithms/
https://www.digicert.com/sha-2-ssl-certificates.htm
 
Old 12-10-2014, 01:54 PM   #6
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1060
Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack

Original release date: October 17, 2014 | Last revised: December 10, 2014

See revised notice at https://www.us-cert.gov/ncas/alerts/TA14-290A.

Note the recommended SSL versions:
  • OpenSSL 1.0.1 users should upgrade to 1.0.1j.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o.
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Hope this helps some.
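
Added example (not part of any post in this thread): a shell check that compares an `openssl version` line with the fixed releases listed in post #6. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: compare an `openssl version` line with the
# fixed releases listed above (1.0.1j, 1.0.0o, 0.9.8zc).

# Print the patch-letter suffix of the fixed release for a branch.
fixed_letter() {
    case "$1" in
        1.0.1) echo j ;;
        1.0.0) echo o ;;
        0.9.8) echo zc ;;
        *) return 1 ;;
    esac
}

# True if suffix $1 is the same as or later than suffix $2. Suffixes run
# a..z, then za, zb, ...: a longer suffix is later, equal lengths sort bytewise.
letter_ge() {
    [ "${#1}" -gt "${#2}" ] && return 0
    [ "${#1}" -lt "${#2}" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$2" ]
}

# Returns 0 (patched), 1 (upgrade needed) or 2 (branch not in the list).
check_openssl() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')        # "1.0.1e-fips"
    ver=${ver%%-*}                                      # drop build tags such as -fips
    branch=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')  # "1.0.1"
    letter=${ver#"$branch"}                             # "e" (may be empty)
    want=$(fixed_letter "$branch") || { echo "unknown branch"; return 2; }
    if letter_ge "$letter" "$want"; then
        echo "patched"
    else
        echo "upgrade to $branch$want"; return 1
    fi
}

# Constructed sample lines; on a real host pass "$(openssl version)" instead.
while IFS= read -r line; do
    printf '%-34s %s\n' "$line" "$(check_openssl "$line")"
done <<'EOF'
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1j 15 Oct 2014
OpenSSL 0.9.8zb 6 Aug 2014
OpenSSL 1.0.0o 15 Oct 2014
EOF
```

Distribution packages often backport fixes without changing the version letter, so an "upgrade" result for a distro-supplied OpenSSL should be checked against that distribution's own advisory.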
 
  

