[Secure-testing-team] Bug#765928: chromium-browser: Please disable SSLv3
Dominic Hargreaves
dom at earth.li
Sun Oct 19 10:14:57 UTC 2014
Package: chromium-browser
Version: 37.0.2062.120-1~deb7u1
Severity: important
Tags: security

The well-publicised POODLE vulnerability in SSLv3 has led to general
recommendations that SSLv3 should be disabled at both the server and
client level.

In order to disable SSLv3 in Chromium, one currently has to invoke it
with --ssl-version-min=tls1 which is not very user-friendly. I think
that disabling this by default in a DSA update is appropriate here.

This change has already been made in Iceweasel as of 31.2.0esr-2~deb7u1.

[1] <https://www.ssllabs.com/ssltest/viewMyClient.html>

-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages chromium-browser depends on:
ii chromium 37.0.2062.120-1~deb7u1
chromium-browser recommends no packages.
chromium-browser suggests no packages.
-- no debconf information
-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 69365 package 'funny-manpages':
missing architecture
dpkg-divert: warning: parsing file '/var/lib/dpkg/status' near line 69365 package 'funny-manpages':
missing architecture