Categories
Windows

Memorandum #7.

同一記事の日本語版
Update information      Edit(Oct.18)

   Did you already handle “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new version build with 1.0.1j from Apache Lounge yet, so I’ve done the workaround I read on “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added the SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted the httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. But after this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so at my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to SSLProtocol Directive.

   Second, as a user:
   I did the following workaround. See “How to protect your browser”.

Edit(Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.