wok rev 17237

postfix, apache, lighttpd-ssl, nginx: CVE-2014-3566
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Oct 18 14:11:33 2014 +0200 (2014-10-18)
parents cfd1497385a0
children 70fb5fbb6fde
files apache/receipt lighttpd-ssl/receipt nginx/receipt postfix/receipt
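--- a/apache/receipt
+++ b/apache/receipt
@@ -59,6 +59,11 @@
 		-e 's|#LoadModule ssl_module|LoadModule ssl_module|' \
 		$fs/etc/apache/httpd.conf $fs/etc/apache/extra/httpd-ssl.conf
 	echo "Include /etc/apache/conf.d" >> $fs/etc/apache/httpd.conf
+	cat >> $fs/etc/apache/extra/httpd-ssl.conf <<EOT
+
+# Unsafe, see CVE-2014-3566 POODLE
+SSLProtocol All -SSLv2 -SSLv3
+EOT
 }
 
 # Pre and post install commands for Tazpkg.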
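Review bot: Appending `SSLProtocol All -SSLv2 -SSLv3` to the end of httpd-ssl.conf puts the directive in the global server context; if the shipped file already carries an `SSLProtocol` line inside its `<VirtualHost _default_:443>` block (I have not checked the stock file), the per-vhost directive takes precedence there and SSLv3 remains negotiable on the very listener this is meant to protect. The nginx hunk in this same commit rewrites the existing directive in place, which is the more reliable pattern here: `sed -i 's/^[[:space:]]*SSLProtocol .*/SSLProtocol All -SSLv2 -SSLv3/' $fs/etc/apache/extra/httpd-ssl.conf`, keeping the appended block only as a fallback when no directive exists. Worth a quick `httpd -t`-style check against the packaged config to confirm which setting wins. The enclosing function starts outside the hunk.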
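--- a/lighttpd-ssl/receipt
+++ b/lighttpd-ssl/receipt
@@ -76,6 +76,9 @@
 \$SERVER["socket"] == ":443" {
   protocol = "https://"
   ssl.engine    = "enable"
+  # Unsafe, see CVE-2014-3566 POODLE
+  ssl.use-sslv2 = "disable"
+  ssl.use-sslv3 = "disable"
   ssl.pemfile   = "/etc/ssl/lighttpd/lighttpd.pem"
 }
 EOT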
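Review bot: `ssl.use-sslv3` is a considerably newer option than `ssl.use-sslv2`, and lighttpd reports an unrecognised configuration key as an error; if the lighttpd version this receipt builds predates the option, the generated lighttpd.conf would stop the server from starting rather than merely leaving SSLv3 enabled. Please confirm the packaged version accepts `ssl.use-sslv3` before shipping, or guard the line on the version. The heredoc being edited here starts outside the hunk, so I cannot see whether the same SSLv3 exposure applies to other SSL socket blocks in it.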
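--- a/nginx/receipt
+++ b/nginx/receipt
@@ -63,6 +63,8 @@
         rm -rf $fs/usr/html
         cp -a stuff/* $fs
         sed -i 's/#user  nobody;/user  www;/' $fs/etc/nginx/nginx.conf
+	# SSLv3 is unsafe, see CVE-2014-3566 POODLE
+        sed -i 's/ssl_protocols.* /ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/' $fs/etc/nginx/nginx.conf
 }
 
 # Pre and post install commands for Tazpkg.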
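Review bot: The sed pattern `ssl_protocols.* ` on the added line is greedy and anchored on a trailing space, so on a directive with more than one argument such as `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` it replaces only up to the last space and produces `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;TLSv1.2;`, which nginx rejects at startup. Matching through the terminating semicolon avoids that: `sed -i 's/ssl_protocols .*;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/' $fs/etc/nginx/nginx.conf`. It is also worth checking that the nginx.conf copied from stuff/ above actually contains an `ssl_protocols` line; if it does not, the substitution silently does nothing and nginx's built-in default of that era, which still included SSLv3, stays in force. The new comment line is tab-indented while the surrounding body uses spaces. The enclosing function starts outside the hunk.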
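--- a/postfix/receipt
+++ b/postfix/receipt
@@ -60,6 +60,11 @@
 mynetworks = 127.0.0.0/8
 alias_maps = hash:/etc/postfix/aliases
 EOF
+	cat >> $fs/etc/postfix/main.cf <<EOT
+
+# Unsafe, see CVE-2014-3566 POODLE
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+EOF
 	cp -a $stuff/etc $fs
 	cp -a $install/var $fs
 	mv $fs/etc/postfix/TLS_LICENSE $fs/usr/share/licenses/POSTFIX_TLS_LICENSE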
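Review bot: The heredoc opened by the added `cat >> $fs/etc/postfix/main.cf <<EOT` line is closed with `EOF` rather than `EOT`, so the shell keeps reading the following receipt lines (`cp -a $stuff/etc $fs`, `cp -a $install/var $fs`, the `mv` of TLS_LICENSE, and whatever follows until a lone `EOT` or end of script) into main.cf and never executes them. The terminator line must read `EOT`. Separately, `smtpd_tls_mandatory_protocols` only governs connections when the smtpd TLS security level is mandatory (`encrypt`); in the opportunistic mode most servers run, the protocol list comes from `smtpd_tls_protocols`, and the client side is controlled by `smtp_tls_protocols` and `smtp_tls_mandatory_protocols`, so `smtpd_tls_protocols = !SSLv2, !SSLv3` (and the smtp_ counterparts) is needed for the stated intent. The surrounding function starts outside the hunk.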