Univention Bugzilla – Bug 36172
gnutls: SSL3 protocol attack (3.2)
Last modified: 2014-11-04 18:22:51 CET
+++ This bug was initially created as a clone of Bug #36171 +++ +++ This bug was initially created as a clone of Bug #36170 +++ CVE-2014-3566 This will requires fixes in openssl, gnutls and nss. Firefox also needs a fix since it uses a local nss copy. (There are additional Firefox issues, so I'll file a separate bug). http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html https://www.openssl.org/~bodo/ssl-poodle.pdf
We don't need to update gnutls; disabling SSL3 is too intrusive for UCS 3.2 and all TLS/SSL clients (besides web browsers, which perform a special downgrade path) support TLS and will use that during the SSL/TLS handshake.