13:00:39 <Sparks_too> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings
13:00:39 <zodbot> Meeting started Thu Oct 16 13:00:39 2014 UTC. The chair is Sparks_too. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:39 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:00:43 <Sparks_too> #meetingname Fedora Security Team
13:00:43 <zodbot> The meeting name has been set to 'fedora_security_team'
13:00:45 <Sparks_too> #topic Roll Call
13:00:47 * Sparks_too
13:00:56 <d-caf> Here
13:02:44 <bvincent> .fas bvinecnt
13:02:45 <zodbot> bvincent: 'bvinecnt' Not Found!
13:02:46 <bvincent> .fas bvincent
13:02:48 <zodbot> bvincent: bvincent 'Brandon Vincent' <Brandon.Vincent@asu.edu>
13:07:18 <Sparks_too> Well, looks like the same crew at a new time.
13:09:05 * jtaylor90 is here
13:09:40 <Sparks_too> Okay, let's get started.
13:09:46 <Sparks_too> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better"
13:10:00 <Sparks_too> #topic SSL 3.0 Vulnerability
13:10:11 * Sparks_too is going to deviate a bit from the agenda.
13:10:38 <bvincent> An hour ago, Tomas Mraz started an OpenSSL 1.0.1j build.
13:10:39 <Sparks_too> The vulnerability of the week, it would seem, is POODLE.
13:10:59 <Sparks_too> bvincent: Yes. There will likely be other patches coming.
13:11:16 <Sparks_too> The biggest problem is that SSL 3.0 is fifteen years old. It's time for it to go.
13:11:28 <bvincent> Apparently, even the nossl build option for OpenSSL was broken.
13:11:34 <Sparks_too> Red Hat's official message is "retire SSL 3.0 as soon as you can".
13:11:36 <bvincent> *nossl3.0
13:12:01 <d-caf> We've been disabling it on everything we can, more than happy to do it (other than the labour)
13:12:18 <Sparks_too> We've already seen lots of web servers across the Internet disabling SSL 3.0 so that's good.
13:12:40 <bvincent> Will the builds in Fedora be dropping SSL 3.0, or relying on TLS_FALLBACK_SCSV?
13:12:41 <d-caf> Though dovecot 1.x is a thorn in our side (RHEL 5.x)
13:13:30 <d-caf> bvincent: Hopefully dropping and providing TLS_FALLBACK_SCSV
13:13:39 <Sparks_too> d-caf: Yes, I'm running 2.0 and it's a problem. The ability to change the protocols didn't come about until 2.1. I've got a message in with the packager to see if we can backport that "feature" into what's currently running on all of our stuff.
13:13:50 <bvincent> For RHEL 5.x, which I think supports TLS 1.0 at best - TLS_FALLBACK_SCSV makes sense.
13:14:22 <Sparks_too> d-caf: the Dovecot stuff also affects RHEL-6 and 4, in addition to 5.
13:14:24 <d-caf> TLS_FALLBACK_SCSV also helps protect against TLS1.2 to TLS1.0 drops I believe
13:14:28 * jsmith joins a few minutes late
13:14:38 <Sparks_too> jsmith: Welcome
13:15:03 <d-caf> Sparks_too: Yes, I've seen those as well
13:15:10 <Sparks_too> In my $dayjob we've been putting together a list of ways to remove SSL 3.0 from our products
13:15:16 <Sparks_too> #link https://access.redhat.com/articles/1232123
13:15:32 <Sparks_too> We might want to point to that or create our own on the wiki
13:15:34 <bvincent> d-caf: It does. It never makes sense to drop the protocol to a lower version.
13:15:36 <thoger> don't forget that TLS_FALLBACK_SCSV only protects applications that do unsafe fallback *and* actually are modified to use TLS_FALLBACK_SCSV
13:16:16 <bvincent> It sounds like most client applications had support for TLS_FALLBACK_SCSV. It's just now reaching OpenSSL.
13:17:04 <thoger> there are few apps that do re-connect downgrade dance, so "most" sounds misleading
13:17:10 <bvincent> Actually, scrap that.
13:17:20 <bvincent> Chrome has only supported it since Feb.
13:17:27 <bvincent> Firefox, Opera, and IE don't support it.
13:17:52 <Sparks_too> FF is removing support for SSL 3.0 in their next version.
13:18:11 <bvincent> That will solve the problem the proper way.
13:19:35 <bvincent> Does anyone know what internet browser had SSL 3.0 as its highest suite? (e.g. IE 6 + XP or something like that)
13:20:07 <Sparks_too> Yeah, I think IE 6 doesn't support TLS
13:20:18 <bvincent> Even more of a reason to drop support.
13:21:27 <Sparks_too> Yep.
13:21:58 <Sparks_too> #link http://fedoramagazine.org/what-you-need-to-know-about-the-sslv3-poodle-flaw-cve-2014-3566/
13:22:01 <d-caf> I believe there were some issues with Java 6 prior to update 45 or something
13:22:09 <Sparks_too> #link http://fedoramagazine.org/more-cve-2014-3566-information-on-red-hats-security-blog/
13:22:16 <d-caf> regarding dropping SSLv3
13:23:13 <Sparks_too> d-caf: Likely. Java stuff doesn't seem to go away that easily.
13:24:07 <Sparks_too> Okay, moving on.
13:24:21 <Sparks_too> #topic Outstanding BZ Tickets
13:24:27 <Sparks_too> #info Wednesday's numbers: Critical 4, Important 51, Moderate 352, Low 125, Total 532, Trend -1
13:24:38 <Sparks_too> #info Current tickets owned: 171 (~32%)
13:24:47 <Sparks_too> #info Tickets closed: 115
13:24:59 <Sparks_too> Any tickets that need to be discussed?
13:25:52 <d-caf> Ticket 1145880 got closed as not a bug, I still need to review it more deeply
13:26:07 <Sparks_too> Okay
13:26:08 <d-caf> #link https://bugzilla.redhat.com/show_bug.cgi?id=1145880
13:26:59 <Sparks_too> #topic Open floor discussion/questions/comments
13:27:04 <Sparks_too> Anyone have anything?
13:27:31 <d-caf> Not here
13:27:45 <jtaylor90> all set here
13:28:12 <Sparks_too> Okay, well, let's get back to work! Thanks everyone for coming.
13:28:20 <d-caf> thanks
13:28:27 <Sparks_too> #endmeeting