Send CentOS-announce mailing list submissions to centos-announce at centos.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-request at centos.org You can reach the person managing the list at centos-announce-owner at centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. Koji/CBS infra and sslv3/Poodle important notification (Fabian Arrotin) ---------------------------------------------------------------------- Message: 1 Date: Wed, 15 Oct 2014 12:32:37 +0200 From: Fabian Arrotin <arrfab at centos.org> To: centos-announce at centos.org Subject: [CentOS-announce] Koji/CBS infra and sslv3/Poodle important notification Message-ID: <543E4D45.8070708 at centos.org> Content-Type: text/plain; charset=UTF-8 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, As most of you already know, there is an important SSLv3 vulnerability (CVE-2014-3566 - see https://access.redhat.com/articles/1232123) , known as Poodle. While it's easy to disable SSLv3 in the allowed Protocols at the server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache), some clients are still defaulting to SSLv3, and Koji does that. We currently have disabled SSLv3 on our cbs.centos.org koji instance, so if you're a cbs/koji user, please adapt your local koji package (local fix !) At the moment, there is no available upstream package, but the following patch has been tested by Fedora people too (and credits go to https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976.html) ===================================================== - --- SSLCommon.py.orig 2014-10-15 11:42:54.747082029 +0200 +++ SSLCommon.py 2014-10-15 11:44:08.215257590 +0200 @@ -37,7 +37,8 @@ if f and not os.access(f, os.R_OK): raise StandardError, "%s does not exist or is not readable" % f - - ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only + #ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only + ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only ctx.use_certificate_file(key_and_cert) ctx.use_privatekey_file(key_and_cert) ctx.load_client_ca(ca_cert) @@ -45,7 +46,8 @@ verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT ctx.set_verify(verify, our_verify) ctx.set_verify_depth(10) - - ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) + #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) + ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3) return ctx ===================================================== We'll keep you informed about possible upstream koji packages that would default to at least TLSv1 If you encounter a problem, feel free to drop into #centos-devel channel on irc.freenode.net and have a chat with us on behalf of the Infra team, - -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlQ+TUUACgkQnVkHo1a+xU4JyQCfefp2h7yRdmljBqRc+M76jPTf z7wAn3dOkaNPNfEnV0pxWDFX7BDDqKuY =lxsg -----END PGP SIGNATURE----- ------------------------------ _______________________________________________ CentOS-announce mailing list CentOS-announce at centos.org http://lists.centos.org/mailman/listinfo/centos-announce End of CentOS-announce Digest, Vol 116, Issue 8 ***********************************************