oss-sec mailing list archives
Re: Truly scary SSL 3.0 vuln to be revealed soon:
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Fri, 17 Oct 2014 15:40:31 -0400
On 10/16/2014 12:42 PM, Sona Sarmadi wrote:
Hanno Böck wrote:It's out: https://www.openssl.org/~bodo/ssl-poodle.pdf http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.htmlOpenSSL has patches for this and 3 other vulnerabilities: https://www.openssl.org/news/secadv_20141015.txt GnuTLS also implements the SSLv3 protocol, does anyone know if there are any patches for GnuTLS for the SSL 3.0 protocol vulnerability?
Please see: http://www.gnutls.org/security.html#GNUTLS-SA-2014-4 and Nikos' writeup here: http://nmav.gnutls.org/2014/10/what-about-poodle.html From the latter link:
The good news is, that only browsers use this construct, and no other applications should be affected.
Nikos (or anyone else on OSS-security), are you sure that only browsers
do this? what about mail clients like Thunderbird or Mail.app making
IMAPS or POPS or submission connections?
--dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: Truly scary SSL 3.0 vuln to be revealed soon:, (continued)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Reed Loden (Oct 14)
- RE: Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Pierre Schweitzer (Oct 14)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: mancha (Oct 14)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Krassimir Tzvetanov (Oct 14)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Pierre Schweitzer (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Ben Lincoln (0E1C7DBB - OSS) (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Hanno Böck (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: ishish (Oct 16)
- RE: Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi (Oct 16)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Daniel Kahn Gillmor (Oct 17)
- neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) mancha (Oct 17)
- Re: neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) Nikos Mavrogiannopoulos (Oct 18)
- Re: Re: neuter the poodle mancha (Oct 18)
- Re: Re: neuter the poodle Nikos Mavrogiannopoulos (Oct 18)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Mark Felder (Oct 17)