Description
POODLE attack described here: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
More user-friendly description here: http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
My thinking is we currently fix this for 3.0.1 and then create an MB to backport to 2.5.2 whenever that ships.
Suggested fix: remove SSL v3 support in the versions the server SSL socket supports.
Issue Links
- blocks: MB-14772 3.1.0 Minor Release (Resolved)
For Gerrit Dashboard: MB-12359

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
42199,6 | MB-12359: Disable SSLv2 & SSLv3 due to the POODLE exploit | 3.0.1 | memcached | MERGED | +2 | +1 |
42200,1 | Merge remote-tracking branch 'membase/3.0.1' | master | memcached | MERGED | +2 | +1 |
50684,2 | MB-12359: Set memcached to follow 3.0 branch | master | manifest | MERGED | +2 | +1 |
50688,2 | MB-12359: Disable SSLv[23] due to POODLE | 3.0 | memcached | MERGED | +2 | +1 |
57904,2 | MB-12359: Disable SSLv[23] due to POODLE | 3.0.3-MP2 | memcached | MERGED | +2 | +1 |