Message ID: 67709
Entry time: Fri Oct 24 12:51:00 2014
Author: Stefan Ritt (stefan.ritt@psi.ch)
Category: Bug fix
OS: All
ELOG Version: ALL
Subject: POODLE vulnerability

IMPORTANT SECURITY ANNOUNCEMENT

Recently the POODLE vulnerability has been announced: http://en.wikipedia.org/wiki/POODLE 

ELOG is prone to this vulnerability if it speaks the SSL protocol directly and can be accessed from the internet. If ELOG runs behind an Apache proxy, and the Apache server has been correctly configured (the SSLv2/v3 protocols disabled), ELOG is safe as well.

To fix this vulnerability, ELOG needs to be recompiled after the attached patch has been applied. This prevents ELOG from falling back to the insecure SSLv2 and SSLv3 protocols and makes it use only the safe TLSv1 protocol.

If you do not know how to recompile ELOG, please do not run ELOG directly accessible from the internet until the next binary release has been published.

/Stefan Ritt

Attachment 1: elogd.patch (654 Bytes)
diff --git a/src/elogd.c b/src/elogd.c
index fac34f8..13c619f 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -2342,7 +2342,7 @@ int ssl_connect(int sock, SSL ** ssl_con)
    SSL_library_init();
    SSL_load_error_strings();
 
-   meth = (SSL_METHOD *) SSLv23_method();
+   meth = (SSL_METHOD *) TLSv1_method();
    ctx = SSL_CTX_new(meth);
 
    *ssl_con = SSL_new(ctx);
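Review bot: Replacing SSLv23_method() with TLSv1_method() in ssl_connect() pins the client side to exactly TLS 1.0, so negotiation with servers that only offer TLS 1.1 or 1.2 will fail, and a later move away from TLS 1.0 will require another code change. In OpenSSL, SSLv23_method() is the version-flexible method despite its name; the usual way to exclude the broken protocols while keeping negotiation is to leave the method as it was and add, right after `ctx = SSL_CTX_new(meth);`, a line `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. Separately, the return value of SSL_CTX_new() is passed straight to SSL_new() without a NULL check; a failed context allocation should be reported and the function should return an error instead.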
@@ -28902,7 +28902,7 @@ SSL_CTX *init_ssl(void)
    SSL_library_init();
    SSL_load_error_strings();
 
-   meth = (SSL_METHOD *) SSLv23_method();
+   meth = (SSL_METHOD *) TLSv1_method();
    ctx = SSL_CTX_new(meth);
 
    if (getcfg("global", "SSL Passphrase", pwd, sizeof(pwd))) {
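Review bot: The same concern applies to the server-side init_ssl(): TLSv1_method() means every browser capable of TLS 1.2 is limited to TLS 1.0 when talking to elogd, and clients that have TLS 1.0 disabled cannot connect at all. Keeping SSLv23_method() and disabling the legacy versions with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after `ctx = SSL_CTX_new(meth);` removes the POODLE exposure while still allowing the best TLS version both sides support. Since the identical method-selection code now appears in both ssl_connect() and init_ssl(), it would also be worth factoring the context setup into one helper so that the protocol policy (and the missing NULL check on SSL_CTX_new()) is maintained in a single place.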