Created attachment 980523
Screenshot showing SSLv3 enabled in latest updated Midori on latest updated Fedora21

Description of problem:
Midori is vulnerable to POODLE as SSLv3 is not disabled on Midori as per https://www.ssllabs.com/ssltest/viewMyClient.html. If you visit this link using Midori, the weblink shows the text:

POODLE Vulnerability
Your user agent is vulnerable. You should disable SSL 3.

Version-Release number of selected component (if applicable):
# rpm -qa | grep midori
midori-0.5.9-1.fc21.x86_64
# uname -a
Linux mypc.loc.do 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
# yum -y update
Loaded plugins: langpacks
No packages marked for update
#

How reproducible:
Every time you visit this link https://www.ssllabs.com/ssltest/viewMyClient.html

Steps to Reproduce:
1. Install Fedora
2. Update OS & Midori
3. Use Midori to open https://www.ssllabs.com/ssltest/viewMyClient.html

Actual results:
If you visit this link using Midori, the weblink shows the text:

POODLE Vulnerability
Your user agent is vulnerable. You should disable SSLv3

Expected results:
Weblink should show SSLv3 not enabled on Midori

Additional info:
Someone on IRC said a webkit update is needed but I have the latest webkit from the repo for Fedora21
Moving this over to webkitgtk. SSLv3 was disabled there, so we need to see if it was not properly disabled or it's some kind of false positive or the like.
In WebKit1 based applications (webkitgtk == WebKit1) it is on the application itself to set up all the things (early during start) to avoid the POODLE vulnerability. See the announcement[0] and the bug[1].

[0] - https://lists.webkit.org/pipermail/webkit-gtk/2014-October/002110.html
[1] - https://bugzilla.gnome.org/show_bug.cgi?id=738633
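One way an application could do the early setup the comment above refers to, as an added example that is not Midori's or WebKitGTK's code. It assumes the GnuTLS backend of glib-networking, which reads the G_TLS_GNUTLS_PRIORITY environment variable; the function names and the default priority string are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRIO_ENV   "G_TLS_GNUTLS_PRIORITY"        /* read by glib-networking (assumed backend) */
#define SSL3_TOKEN "VERS-SSL3.0"                  /* GnuTLS name for SSL 3.0 */
#define PRIO_SAFE  "NORMAL:%COMPAT:-" SSL3_TOKEN  /* constructed default */

/* Returns 1 if the last mention of VERS-SSL3.0 in the priority string
 * removes it ('-' or '!'). Later directives win, so an earlier removal
 * followed by "+VERS-SSL3.0" still leaves SSLv3 enabled. */
int priority_removes_ssl3(const char *prio)
{
    const char *last = NULL, *p = prio;

    while ((p = strstr(p, SSL3_TOKEN)) != NULL) {
        last = p;
        p += strlen(SSL3_TOKEN);
    }
    return last != NULL && last > prio && (last[-1] == '-' || last[-1] == '!');
}

/* Call before gtk_init() or any network use. Keeps a priority string the
 * user or packager already exported, but makes sure SSLv3 ends up removed.
 * Returns 0 on success, -1 on failure. */
int harden_tls_priority(void)
{
    const char *cur = getenv(PRIO_ENV);
    char buf[512];
    int n;

    if (cur == NULL || *cur == '\0')
        return setenv(PRIO_ENV, PRIO_SAFE, 1);
    if (priority_removes_ssl3(cur))
        return 0;                       /* already safe, leave untouched */
    n = snprintf(buf, sizeof buf, "%s:-%s", cur, SSL3_TOKEN);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                      /* refuse to truncate a policy string */
    return setenv(PRIO_ENV, buf, 1);
}

int main(void)
{
    if (harden_tls_priority() != 0) {
        fprintf(stderr, "could not set %s\n", PRIO_ENV);
        return 1;
    }
    printf("%s=%s\n", PRIO_ENV, getenv(PRIO_ENV));
    return 0;   /* a real application would continue with gtk_init() here */
}
```

Re-running the client test page from the original report after such a change is the way to confirm SSLv3 is no longer offered.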
Who said I have webkit1?

# rpm -qa | grep webkit
webkitgtk3-2.4.8-1.fc21.x86_64
webkitgtk-2.4.8-1.fc21.x86_64
# cat /etc/issue
Fedora release 21 (Twenty One)
Kernel \r on an \m (\l)
# uname -a
Linux mypc.loc.do 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
# yum -y update
Loaded plugins: langpacks
No packages marked for update
#
You said (and I stated it in my comment). Midori is using webkitgtk and that is WebKit1.
First I want to apologise sincerely for the inappropriate comment. Next, I made a wrong assumption and I did not pay attention to the clear indication you provided, i.e. webkitgtk == WebKit1. I am very sorry and I will avoid such behaviour in future. I think I am unreasonably disturbed that I have to work more after keeping Fedora21 updated. I apologise, Tomas. Forgive me.

@All, so will this bug be closed or do I have to look for a distro that ships WebKit2 by default or just use Firefox? I sincerely apologise for misbehaving and hope to get some advice on what to do besides tweaking webkitgtk.
@Yuan: No reason to apologize. We ship WebKit2 by default (in F21 it is in the webkitgtk4 package, but Midori doesn't use it (you can try the Epiphany (Web) application that's using it)). But anyway, someone has to check if Midori is actually doing anything against POODLE.
ok. I misread the webkit1 information here. ;) Will push a patched midori here in a few with -SSLv3 support.
midori-0.5.9-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/midori-0.5.9-2.fc21
midori-0.5.9-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/midori-0.5.9-2.fc20
midori-0.5.9-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
midori-0.5.9-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.