This is the official release announcement for IPFire 2.15 – Core Update 85. It comes with security fixes for the SSL issue known as POODLE, which was recently discovered.
As there is no fix for POODLE, the OpenSSL developers applied a workaround called “Signaling Cipher Suite Value” (SCSV) that prevents protocol downgrade attacks (the downgrade dance) on the TLS protocol. More information about this mechanism can be found in the IETF draft and more about POODLE can be found in the POODLE whitepaper.
As a precaution we disabled SSL 3.0 for the web administration interface. Accessing that will require you to use a recent browser and operating system that is able to use TLS 1.0 or a more recent version. We already made some experiences with this as our web and mail servers do not allow to use SSL 3.0 since a couple of weeks and there were absolutely no reports from people who are not able to access our websites.
We recommend to install this update as soon as possible. After doing so, your system will need to reboot.
Please support the IPFire project with your donation. Your help is a foundation of this project and very much appreciated by all contributors.
Published by Michael Tremer, October 19, 2014 at 4:00 pm