[Secure-testing-commits] r29657 - data/CVE
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sun Oct 26 11:47:50 UTC 2014
Author: kroeckx
Date: 2014-10-26 11:47:50 +0000 (Sun, 26 Oct 2014)
New Revision: 29657
Modified:
data/CVE/list
Log:
CVE-2014-3566/POODLE: Add all ssl implementations, webservers and webbrowsers
Some webservers and browsers might not be affected in testing/unstable because
they use libssl1.0.0 which disabled SSL v3.0, but they're still affected in
other suites.
For webbrowsers I've tried to look at those that support javascript since as far
as I know that's the only way to exploit it.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-10-26 09:23:50 UTC (rev 29656)
+++ data/CVE/list 2014-10-26 11:47:50 UTC (rev 29657)
@@ -11375,14 +11375,50 @@
{DSA-3053-1}
- openssl 1.0.1j-1
CVE-2014-3566 (The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other ...)
+ - aolserver4-nsopenssl <unfixed>
+ - apache2 2.4.10-6
+ - arora <unfixed>
+ - bouncycastle <unfixed>
+ - chromium <unfixed>
+ - chromium-browser <unfixed>
+ - conkeror <unfixed>
+ - cyassl <unfixed>
+ - dwb <unfixed>
- openssl 1.0.1j-1
- - nss <unfixed>
+ - galeon <unfixed>
- gnutls26 <unfixed>
- gnutls28 <unfixed>
- [wheezy] - iceweasel <unfixed>
+ - kazehakase <unfixed>
+ [squeeze] - kdebase <unfixed>
+ - kde-baseapps <unfixed>
+ - epiphany-browser <unfixed>
+ - fossil <unfixed>
+ - gatling <unfixed>
+ - haskell-tls <unfixed>
+ - icedove <unfixed>
+ [squeeze] - icedove <end-of-life>
+ - iceweasel <unfixed>
[squeeze] - iceweasel <end-of-life>
- [wheezy] - icedove <unfixed>
- [squeeze] - icedove <end-of-life>
+ - konqueror <unfixed>
+ - libtomcatjss-java <unfixed>
+ - lighttpd <unfixed>
+ - matrixssl <unfixed>
+ - midori <unfixed>
+ - mini-httpd <unfixed>
+ - netsurf <unfixed>
+ - nginx <unfixed>
+ - nss <unfixed>
+ - ocsigenserver <unfixed>
+ - openjdk-6 <unfixed>
+ - openjdk-7 <unfixed>
+ - openjdk-8 <unfixed>
+ - polarssl <unfixed>
+ - python-tlslite <unfixed>
+ - surf <unfixed>
+ - tntnet <unfixed>
+ - uzbl <unfixed>
+ - webfs <unfixed>
+ - yaws <unfixed>
NOTE: https://www.openssl.org/~bodo/ssl-poodle.pdf
NOTE: http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
NOTE: This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV
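Review bot: the new entries without a suite tag, such as "- nginx <unfixed>" and "- lighttpd <unfixed>", record the package as unfixed in every suite, yet the log message says some webservers and browsers may be unaffected in testing/unstable because libssl1.0.0 disabled SSL v3.0. That distinction is not captured anywhere in the entry; consider adding a NOTE line stating it, or using suite-tagged lines in the style of "[squeeze] - kdebase <unfixed>" for the packages where it applies, so the status reflects what is actually known per suite. The same applies to replacing "[wheezy] - iceweasel <unfixed>" and "[wheezy] - icedove <unfixed>" with untagged lines, which widens them to all suites. Separately, the added block is alphabetical except for epiphany-browser, fossil, gatling and haskell-tls, which sit after kde-baseapps; moving them into order would make later edits to this entry easier to review.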