Bug 14333

Summary: Force Web not to use SSLv3 to prevent Poodle attack
Product: Mageia Reporter: Reinout van Schouwen <reinout>
Component: SecurityAssignee: Olav Vitters <olav>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal Keywords: Triaged
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=738633
Whiteboard:
Source RPM: epiphany CVE:
Status comment:

Description Reinout van Schouwen 2014-10-20 09:41:35 CEST 
Description of problem:
See upstream bug https://bugzilla.gnome.org/show_bug.cgi?id=738633 and Mageia bug 14296. We either need to upgrade Web (and/or its libsoup dependency) if it's out in time for mga5 or wrap the Epiphany launcher in a bash script that specifically disables SSLv3 in GnuTLS.

Version-Release number of selected component (if applicable):
3.14.1


Reproducible: 

Steps to Reproduce:
Manuel Hiebel 2014-10-20 19:04:28 CEST

Keywords: (none) => Triaged
Assignee: bugsquad => olav

Comment 1 Olav Vitters 2014-10-21 19:49:53 CEST 
Shouldn't we patch gnutls, not Epiphany? I find the GNOME bug to be a bit unreadable. We could add someone workaround/script just for epiphany, but why not just change libsoup and avoid it entirely?
Olav Vitters 2014-10-21 19:52:53 CEST

Priority: Normal => release_blocker

Manuel Hiebel 2014-10-22 08:03:56 CEST

Component: RPM Packages => Security

Manuel Hiebel 2014-10-22 08:04:34 CEST

QA Contact: (none) => security

Comment 2 David Walser 2014-10-22 12:54:06 CEST 
There's nothing to change in GnuTLS, as it doesn't have a POODLE bug (as I explained on the mailing list).  The bug is more hype than substance anyway, so just waiting for the updated epiphany version that fixes the issue should be fine, once that's available.

Severity: major => normal
Priority: release_blocker => Normal

Comment 3 David Walser 2014-12-22 19:44:37 CET 
According to this report, this is now fixed in Cauldron:
https://bugs.mageia.org/show_bug.cgi?id=14859#c3

Status: NEW => RESOLVED
Resolution: (none) => FIXED