[asterisk-bugs] [JIRA] (ASTERISK-24425) [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)

George Joseph (JIRA) noreply at issues.asterisk.org
Wed Aug 2 10:16:15 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

George Joseph updated ASTERISK-24425:
-------------------------------------

    Target Release Version/s: 15.0.0

> [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)
> ------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24425
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24425
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_jabber, Resources/res_xmpp
>    Affects Versions: SVN, 1.8.31.0, 11.13.0
>         Environment: AstLinux with Prosody 0.9.6
>            Reporter: abelbeck
>              Labels: Security
>      Target Release: 1.8.31.1, 1.8.32.0, 11.13.1, 11.14.0, 11.24.0, 12.6.1, 12.7.0, 13.0.0-beta3, 13.12.0, 14.0.0, 14.1.0, 15.0.0
>
>         Attachments: AST-2014-011-11.diff, AST-2014-011-12.diff, AST-2014-011-1.8.diff, asterisk-11-jabber-xmpp-tls.patch, asterisk-1.8-jabber-tls.patch
>
>
> Asterisk's Jabber and XMPP implementations strictly use SSLv3, which has the POODLE (CVE-2014-3566) security issue.
> The attached patches force a TLS method instead of SSLv3.
> Full disclosure, this is my first forte into OpenSSL specifics and my knowledge is all from online research.  There may be a better way.
> This works in my limited testing.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list