[OE-core] [daisy][PATCH] python: Building without SSLv3 support , The POODLE Bites Again

Paul Eggleton paul.eggleton at linux.intel.com
Thu Dec 11 11:42:05 UTC 2014


On Tuesday 09 December 2014 14:38:53 Sona Sarmadi wrote:
> > I think we should apply the patch now anyway; we'll want to know that it
> > works for backports to the stable branch(es), and in any case the upgrade
> > to 2.7.9 is not going to be a straightforward task based upon my earlier
> > attempt to upgrade to 2.7.6 (the current state of which is still in
> > paule/python276-wip in poky-contrib).
> 
> I have applied this patch in master and have run some tests to verify that
> SSLv3 is really disabled. It seems that SSLv3 still is enabled. I am
> running more tests to find out why SSLv3 is not disabled and what more
> needs to be done.
> SSLv2 is disabled already, if we manage to disable SSLv3 then I guess we
> need to disable SSLv23 as well ??!

I'm not sure of that. It seems that SSLv23 is the default even in 2.7.9. I'm 
unclear on whether that is an issue or not based on what I can find.

> I think we should consider (start looking at upgrading to python 2.7.9 in
> master), to address this issue. I feel uncomfortable with this Debian
> patch. It seems that we need to do more manual changes in order to make
> this work. I will soon update the bug 7015 with my test results.

We definitely do need to do this upgrade, yes; but we'd also like to have a fix 
for older versions too. FWIW I've just entered an enhancement bug to cover 
this for master; at the moment I'm not sure who will end up doing it but I 
thought we should have something to track it since it's not a trivial piece of 
work:

  https://bugzilla.yoctoproject.org/show_bug.cgi?id=7059

(Richard is nominally the maintainer of the recipe, but I suspect he has his 
hands pretty much full with everything else that's going on.)
 
> While testing this issue a new vulnerability was released yesterday :
> Incorrect TLS padding may be accepted when terminating TLS 1.x CBC cipher
> connections. (CVE-2014-8730)
> 
> https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html 
> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

Yes, they never stop coming :(

From my digging though I can't seem to find anything specifying any versions of 
open source software that need fixing for this new vulnerability, only 
proprietary software. Did you find anything?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
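The thread above is about verifying that a rebuilt Python really has SSLv3 switched off, and whether the SSLv23 (negotiate-highest) default on its own is enough. The script below is an added example of such a check; it is not code from the mailing list, from OE-core or from the Debian patch being discussed. It assumes a Python 3 interpreter whose `ssl` module exposes `OP_NO_SSLv3` and `create_default_context()` (both appeared in 2.7.9 / 3.4, which is exactly the version the thread wants to move to). The probe names (`audit_report`, `sslv3_is_disabled`) are this example's own.

```python
"""Audit whether this interpreter can still speak SSLv3.

Three independent signals are checked, because the mail thread shows that
just seeing "SSLv2 disabled" or "SSLv23 is the default" is not enough:

  1. does the ssl module still export PROTOCOL_SSLv3 at all?
  2. can an SSLv3-only SSLContext actually be constructed (OpenSSL built
     with SSLv3 support would allow it, a no-ssl3 build would not)?
  3. do the SSLv23/default contexts carry the OP_NO_SSLv3 option bit,
     i.e. is SSLv3 excluded from negotiation even though SSLv23 is used?
"""
import ssl
import warnings


def sslv3_protocol_constant_present():
    """True if the ssl module still exposes the SSLv3-only protocol constant."""
    return hasattr(ssl, "PROTOCOL_SSLv3")


def can_build_sslv3_context():
    """Try to build an SSLv3-only context; False means the build refuses SSLv3."""
    proto = getattr(ssl, "PROTOCOL_SSLv3", None)
    if proto is None:
        return False
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ssl.SSLContext(proto)
    except (ValueError, ssl.SSLError, OSError):
        return False
    return True


def default_context_forbids_sslv3():
    """Does create_default_context() set OP_NO_SSLv3 (as 2.7.9+/3.4+ do)?"""
    ctx = ssl.create_default_context()
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def sslv23_context_forbids_sslv3():
    """PROTOCOL_SSLv23 only means 'negotiate'; the OP_NO_SSLv3 bit decides
    whether SSLv3 is actually excluded from that negotiation."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def audit_report():
    """Collect every signal in one dict so a build test can log it."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "protocol_sslv3_constant": sslv3_protocol_constant_present(),
        "sslv3_context_constructible": can_build_sslv3_context(),
        "default_context_sets_OP_NO_SSLv3": default_context_forbids_sslv3(),
        "sslv23_context_sets_OP_NO_SSLv3": sslv23_context_forbids_sslv3(),
    }


def sslv3_is_disabled(report=None):
    """SSLv3 counts as disabled only if it cannot be selected explicitly AND
    the default negotiating context refuses it."""
    r = report if report is not None else audit_report()
    return (not r["sslv3_context_constructible"]) and r["default_context_sets_OP_NO_SSLv3"]


if __name__ == "__main__":
    rep = audit_report()
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("SSLv3 disabled:", sslv3_is_disabled(rep))
```

Run it inside the target rootfs (or under `qemu-user`) against the Python you just built; a build that still lets `can_build_sslv3_context()` return True is the situation Sona describes, even when the default context looks safe.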


