#1181 Fedora still vulnerable to BEAST

Created 3 years ago by sparks

= phenomenon =
It was recently reported that NSS was not protecting users against [https://en.wikipedia.org/wiki/BEAST_%28computer_security%29#BEAST_attack BEAST] attacks (the fix was backed out). This is affecting every user of Fedora using SSL and TLSv1.0 in any connection that uses NSS.

= reason =
The reason provided in the [https://bugzilla.redhat.com/show_bug.cgi?id=1005611 ticket] was that it broke some programs (pidgin-sipe was the one example provided) when the fix was inserted.

= recommendation =
It is recommended that the fix be reapplied to NSS in all versions of Fedora and that any program that breaks be patched to roll back the fix as per the [https://bugzilla.redhat.com/show_bug.cgi?id=1005611#c5 instructions provided in the ticket].

  • AGREED: Apply BEAST patches on F19 (+6,0,-0) and F20 (+7, 0, -0)
    (sgallagh, 19:48:09)
  • sparks to announce on fedora-devel (pjones, 19:48:20)

AGREED: close ticket now that nss is rebuilt. Follow up with other related items on list.
