Project

General

Profile

Security - 4.2 0002 - SSLv3 (aka POODLE) vulnerability - CVE-2014-3566

Added by My Self over 6 years ago

As far as I read Replicant should be vulnerable to POODLE (= Padding Oracle On Downgraded Legacy Encryption):
http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_attacks/
with the following statement from CM:
http://www.cyanogenmod.org/blog/in-response-to-the-register-mitm-article

AFAIK there should be a patch (for CM 11.0):
https://github.com/CyanogenMod/android_external_apache-http/commit/f925f10b1feba92868fd4e8966592ec1bf755d67
respectively:
http://review.cyanogenmod.org/#/c/74106/1/src/org/apache/http/conn/ssl/AbstractVerifier.java
http://review.cyanogenmod.org/#/c/74114/

But the CM-10.2 branch still the vulnerable code is still present:
https://github.com/CyanogenMod/android_external_apache-http/blob/cm-10.2/src/org/apache/http/conn/ssl/AbstractVerifier.java#L228-244

Hope there are ways to fix that security issue in Replicant.

Thnaks for your time and enthusiasm!


Replies (1)

RE: Security - 4.2 0002 - SSLv3 (aka POODLE) vulnerability - CVE-2014-3566 - Added by Paul Kocialkowski over 6 years ago

Thanks for opening tickets about this, I'll merge the patches before making a new set of Replicant images.

    (1-1/1)