[Bugs] [Bug 1157661] GlusterFS allows insecure SSL modes

bugzilla at redhat.com bugzilla at redhat.com
Tue Oct 28 15:49:46 UTC 2014 

https://bugzilla.redhat.com/show_bug.cgi?id=1157661



--- Comment #3 from Anand Avati <aavati at redhat.com> ---
COMMIT: http://review.gluster.org/8979 committed in release-3.5 by Niels de Vos
(ndevos at redhat.com) 
------
commit 027d38cf6ba838cd015886207d3c265ef6446757
Author: Niels de Vos <ndevos at redhat.com>
Date:   Mon Oct 27 13:57:44 2014 +0100

    socket: disallow CBC cipher modes

    This is related to CVE-2014-3566 a.k.a. POODLE.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

    POODLE is specific to CBC cipher modes in SSLv3.  Because there is no
    way to prevent SSLv3 fallback on a system with an unpatched version of
    OpenSSL, users of such systems can only be protected by disallowing CBC
    modes.  The default cipher-mode specification in our code has been
    changed accordingly.  Users can still set their own cipher modes if they
    wish.  To support them, the ssl-authz.t test script provides an example
    of how to combine the CBC exclusion with other criteria in a script.

    Cherry picked from commit 378a0a19d95e552220d71b13be685f4772c576cd:
    > Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
    > BUG: 1155328
    > Signed-off-by: Jeff Darcy <jdarcy at redhat.com>
    > Reviewed-on: http://review.gluster.org/8962
    > Tested-by: Gluster Build System <jenkins at build.gluster.com>
    > Reviewed-by: Kaleb KEITHLEY <kkeithle at redhat.com>
    > Reviewed-by: Vijay Bellur <vbellur at redhat.com>

    ssl-auth.t has been modified to not set the auth.ssl-allow option. This
    option is not available in the 3.5 branch.

    Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
    BUG: 1157661
    Signed-off-by: Niels de Vos <ndevos at redhat.com>
    Reviewed-on: http://review.gluster.org/8979
    Reviewed-by: Kaleb KEITHLEY <kkeithle at redhat.com>
    Reviewed-by: Jeff Darcy <jdarcy at redhat.com>
    Tested-by: Gluster Build System <jenkins at build.gluster.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=cCsZucVIcf&a=cc_unsubscribe

More information about the Bugs mailing list