SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Yes, there's a kind of inconsistency here.
While Package Tracking System page shows that 1.0.1j-1 is in Testing, the actual package info page still shows 1.0.1i-2.
I think it's because not all the mirrors have been updated yet.
While Package Tracking System page shows that 1.0.1j-1 is in Testing, the actual package info page still shows 1.0.1i-2.
I think it's because not all the mirrors have been updated yet.
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
the version that fixes the "POODLE" vulnerability is 1.0.1j-1, entered testing yesterday
Code: Select all
Start-Date: 2014-10-21 08:24:35
Commandline: apt-get dist-upgrade
Upgrade: man-db:amd64 (2.7.0.2-1, 2.7.0.2-2), libssl1.0.0:amd64 (1.0.1i-2, 1.0.1j-1), libssl1.0.0:i386 (1.0.1i-2, 1.0.1j-1), libgail18:amd64 (2.24.24-1, 2.24.25-1), libgail18:i386 (2.24.24-1, 2.24.25-1), libwxbase3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), openssh-server:amd64 (6.6p1-8, 6.7p1-2), grub-common:amd64 (2.02~beta2-14, 2.02~beta2-15), libsigc++-2.0-0c2a:amd64 (2.2.11-4, 2.4.0-1), libsigc++-2.0-0c2a:i386 (2.2.11-4, 2.4.0-1), gtk2-engines-pixbuf:amd64 (2.24.24-1, 2.24.25-1), gtk2-engines-pixbuf:i386 (2.24.24-1, 2.24.25-1), openssh-sftp-server:amd64 (6.6p1-8, 6.7p1-2), libappstream-dev:amd64 (0.7.2-1, 0.7.3-1), libgtk2.0-bin:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-common:amd64 (2.24.24-1, 2.24.25-1), python-cryptography:amd64 (0.6-1, 0.6.1-1), gir1.2-gtk-2.0:amd64 (2.24.24-1, 2.24.25-1), grub2-common:amd64 (2.02~beta2-14, 2.02~beta2-15), ssh:amd64 (6.6p1-8, 6.7p1-2), openssh-client:amd64 (6.6p1-8, 6.7p1-2), libgtk2.0-0:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-0:i386 (2.24.24-1, 2.24.25-1), grub-pc-bin:amd64 (2.02~beta2-14, 2.02~beta2-15), libsub-identify-perl:amd64 (0.04-2+b1, 0.08-1), grub-pc:amd64 (2.02~beta2-14, 2.02~beta2-15), libwxgtk3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), wpasupplicant:amd64 (2.2-1, 2.3-1), libssl-doc:amd64 (1.0.1i-2, 1.0.1j-1), libappstream1:amd64 (0.7.2-1, 0.7.3-1), openssl:amd64 (1.0.1i-2, 1.0.1j-1), liborcus-0.8-0:amd64 (0.7.0+dfsg-7, 0.7.0+dfsg-9), libgtk2.0-dev:amd64 (2.24.24-1, 2.24.25-1), libgail-common:i386 (2.24.24-1, 2.24.25-1)
End-Date: 2014-10-21 08:26:14
Code: Select all
openssl (1.0.1j-1) unstable; urgency=high
* New upstream release
- Fixes CVE-2014-3513
- Fixes CVE-2014-3567
- Add Fallback SCSV support to mitigate CVE-2014-3566
- Fixes CVE-2014-3568
* Disables SSLv3 because of CVE-2014-3566
* Update dgst_hmac.patch to apply to new upstream version
* Drop rehash_pod.patch, applied upstream
* Fix openssl_fix_for_x32.patch to apply to new upstream version
-- Kurt Roeckx <kurt@roeckx.be> Wed, 15 Oct 2014 19:06:38 +0200
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Ok, now I see it in the nearest mirror as well. But it still looks like not all the mirrors are up-to-date yet.
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Ok, openssl 1.0.1j-1 is in LMDE repo now.
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
This bug also exists in evolution
Debian Bug link + patch proposal from redhat source:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=765838
Remark:
The version in lmde is
Debian Bug link + patch proposal from redhat source:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=765838
Remark:
The version in lmde is
The version in debian/testing isevolution 3.8.5-2+b1
cf https://packages.debian.org/jessie/evolutionPackage: evolution (3.12.6-1)
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Poodle SSL version 3 exploit. Is it fixed? Also Firefox 28
http://chrisburgess.com.au/how-to-test- ... erability/
https://zmap.io/sslv3/
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://technet.microsoft.com/en-us/lib ... 09008.aspx
https://access.redhat.com/articles/1232123
https://www.poodletest.com/
Is Mint 17 using SSL at all? I did find in package manager libnss3 but it's info only mentions sslv2 and v4, not version 3. When I run a search there for sslv3 I do find other packages, but none which are installed in Mint 17. Is the vulnerability only with the browser then?
As you can see the FF28 seems to have all SSL3 and also TLS available. Would removing all the SSL3 solve it's vulnerability? Force it to use TLS only?
https://zmap.io/sslv3/
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://technet.microsoft.com/en-us/lib ... 09008.aspx
https://access.redhat.com/articles/1232123
https://www.poodletest.com/
Is Mint 17 using SSL at all? I did find in package manager libnss3 but it's info only mentions sslv2 and v4, not version 3. When I run a search there for sslv3 I do find other packages, but none which are installed in Mint 17. Is the vulnerability only with the browser then?
As you can see the FF28 seems to have all SSL3 and also TLS available. Would removing all the SSL3 solve it's vulnerability? Force it to use TLS only?
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox
I found this;
http://security.stackexchange.com/quest ... nerability
http://security.stackexchange.com/quest ... nerability
I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.Firefox
Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1. The existing setting allows Firefox to use SSLv3 where it's available and if it's required. By changing the setting you will force Firefox to only ever use TLSv1.0 or better, which is not vulnerable to POODLE.
Last edited by Spearmint2 on Wed Dec 03, 2014 7:29 pm, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox
Everything that had to be told about the "Poodle" vulnerability had been collected in this thread: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
This is where this thread will be merged into ...
Karl
This is where this thread will be merged into ...
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
thanks Karl, only noticed it mentioned elsewhere recently. Seemed fairly new.
Also, don't change the SSL3 settings if you use yahoo or aol mail, and probably other webmail, it interferes. It will still pass the poodle test as being corrected with just that TLS fix.
Also, don't change the SSL3 settings if you use yahoo or aol mail, and probably other webmail, it interferes. It will still pass the poodle test as being corrected with just that TLS fix.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Hi, Culex.
I have my doubts that Symantec, to whom you addressed your question, is very likely to monitor the Linux Mint forum and to give any answers about their Windows software here. Or did I miss something perhaps?
Cheers,
Karl
I have my doubts that Symantec, to whom you addressed your question, is very likely to monitor the Linux Mint forum and to give any answers about their Windows software here. Or did I miss something perhaps?
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Turla. Poodle Attack on TLS.
Turla
http://arstechnica.com/security/2014/12 ... for-years/
https://securelist.com/blog/research/67 ... n-turla-2/
Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.
"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been windows based. This piece of the puzzle shows us that they do not limit themselves."
Magic Numbers
Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.
"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways." Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. (more at link)
Poodle vs TLS
http://www.net-security.org/secworld.php?id=17735
http://arstechnica.com/security/2014/12 ... for-years/
https://securelist.com/blog/research/67 ... n-turla-2/
Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.
"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been windows based. This piece of the puzzle shows us that they do not limit themselves."
Magic Numbers
Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.
"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways." Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. (more at link)
Poodle vs TLS
http://www.net-security.org/secworld.php?id=17735
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
-
- Level 6
- Posts: 1491
- Joined: Fri Feb 22, 2013 5:18 pm
- Location: United States
Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox
I just checked and our current version of Firefox (via Update Manager) is 34.0 - does any of this still need to be done, or has it been taken care of by the Mozilla team in this version?Spearmint2 wrote:I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.
Regards,
MDM
Mint 18 Xfce 4.12.
If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
https://blog.mozilla.org/security/2014/ ... f-ssl-3-0/
tl;dr SSLv3 is disabled in firefox 34 (according to that article)
tl;dr SSLv3 is disabled in firefox 34 (according to that article)
Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
I have ff 34.0 and checked the settings:
edit: removed attempted image insert - I got it wrong....
NOTE: I've not used an image before, in case I get it wrong, the data is:
PREFERENCE NAME / STATUS / TYPE / VALUE
security.tls.version.min;1 / default / integer / 1
services.sync.prefs.sync.security.tls.version.min / default / boolean / true
edit: removed attempted image insert - I got it wrong....
NOTE: I've not used an image before, in case I get it wrong, the data is:
PREFERENCE NAME / STATUS / TYPE / VALUE
security.tls.version.min;1 / default / integer / 1
services.sync.prefs.sync.security.tls.version.min / default / boolean / true