Bug 1274888
Summary: | httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Pat Riehecky <riehecky> |
Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.7 | CC: | ajb, cww, jlyle, misterbonnie, qe-baseos-apps, toracat |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1274876 | Environment: | |
Last Closed: | 2017-05-31 22:52:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1269194 | | |
Description
Pat Riehecky
2015-10-23 18:48:35 UTC
Potential Patch: --- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500 +++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500 @@ -96,8 +96,8 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +# connect. Disable SSLv2/v3 access by default: +SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. Potential Patch: --- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500 +++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500 @@ -96,8 +96,8 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +# connect. Disable SSLv2/v3 access by default: +SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com |
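Review bot: the replacement directive in the `@@ -96,8 +96,8 @@` hunk, `SSLProtocol all -SSLv2 -SSLv3`, is still written as `all` minus exclusions, so the comment above it should state what remains enabled and why SSLv3 is removed (POODLE, CVE-2014-3566); as written, "Disable SSLv2/v3 access by default:" gives an administrator no reason not to revert the line. While this comment block is being touched, the unchanged context line "List the enable protocol levels" has a typo ("enable" should be "enabled") that could be fixed in the same change. The hunk only edits the `SSLProtocol` line in `SOURCES/ssl.conf`, so the submission should also say how the result was checked, for example that an SSLv3-only handshake against the default virtual host is refused after the change.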