[Secure-testing-team] Bug#765928: chromium-browser: Please disable SSLv3

Dominic Hargreaves dom at earth.li
Sun Oct 19 10:14:57 UTC 2014


Package: chromium-browser
Version: 37.0.2062.120-1~deb7u1
Severity: important
Tags: security

The well-publicised POODLE vulnerability in SSLv3 has led to general
recommendations that SSLv3 should be disabled at both the server and
client level.

In order to disable SSLv3 in Chromium, one currently has to invoke it
with --ssl-version-min=tls1 which is not very user-friendly. I think
that disabling this by default in a DSA update is appropriate here.

This change has already been made in Iceweasel as of 31.2.0esr-2~deb7u1.

[1] <https://www.ssllabs.com/ssltest/viewMyClient.html>

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages chromium-browser depends on:
ii  chromium  37.0.2062.120-1~deb7u1

chromium-browser recommends no packages.

chromium-browser suggests no packages.

-- no debconf information

-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 69365 package 'funny-manpages':
 missing architecture
dpkg-divert: warning: parsing file '/var/lib/dpkg/status' near line 69365 package 'funny-manpages':
 missing architecture


