Thread: [mod-security-packagers] Important: mlogc and SSLv3
Brought to you by:
victorhora,
zimmerletw
From: Felipe C. <FC...@tr...> - 2014-11-03 20:07:30
|
Hi, For those whom are using or distributing mlogc, please apply this patch: https://gist.github.com/zimmerle/31eae2612c3719c5d1b1 This patch may be necessary, depending on your setup, to allow mlogc to connects to TLS1.2 servers. Before this patch it was trying SSLv3. This patch is already applied to our git repository. Use SSLv3 is not a good idea as explained in the CVE-2014-3566 [1]. Notice that mlogc uses libcurl which will disable SSLv3 support as of: 7.39.0 [2]. If you didn't disabled the SSLv3 support in your web server, which mlogc is connecting to, it is also a good idea. [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 [2] http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html Br., Felipe "Zimmerle" Costa Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com <http://www.trustwave.com/> ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |