Project

General

Profile

Actions
Copy link

Issue #1029

closed

SSLv3 (aka POODLE) vulnerability - CVE-2014-3566

Added by My Self over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
High
Assignee:
Paul Kocialkowski
Category:
Security
Target version:
Any version
Start date:
11/06/2014
Due date:
% Done:

0%

Estimated time:
Resolution:
fixed
Device:
Grant:
Type of work:

Description

I hope it's a good idea to open a bug ticket about the forum topic: http://redmine.replicant.us/boards/9/topics/6909

Summary
Replicant should be vulnerable to POODLE (= Padding Oracle On Downgraded Legacy Encryption).
CM specific informations:
http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_attacks/
http://www.cyanogenmod.org/blog/in-response-to-the-register-mitm-article

Seems CM 11.0 got a patch:
https://github.com/CyanogenMod/android_external_apache-http/commit/f925f10b1feba92868fd4e8966592ec1bf755d67
respectively:
http://review.cyanogenmod.org/#/c/74106/1/src/org/apache/http/conn/ssl/AbstractVerifier.java
http://review.cyanogenmod.org/#/c/74114/

In CM 10.2 branch, the vulnerable code still seems present:
https://github.com/CyanogenMod/android_external_apache-http/blob/cm-10.2/src/org/apache/http/conn/ssl/AbstractVerifier.java#L228-244

Hope there is an easy way to fix that behavior in Replicant.

Actions
Copy link

Also available in: Atom PDF