Patching pound for PCI compliance (protect against POODLE)?

Asked by Clifford Meece

I currently use pound from the trusty package archives to terminate SSL (used with a varnish reverse proxy) but it appears to be vulnerable to the POODLE attack. Disabling SSLv3 is the recommendation, but that cannot be done with the current version without also disabling lots of ciphers that are used by TLS.

Some discussion of this is here:

http://serverfault.com/questions/639242/poodle-ciphers-sslv3-protocol-or-cipher-suite-mismatch

In that thread, there is a link to a repository that has a commonly used (it seems) patch:

https://github.com/goochjj/pound/tree/pcidss/v2.6

I'd rather not compile my own version. Is it possible to get this patch included in the pound package in the archives, or does anyone know of someone who maintains an ubuntu package that includes the patch (before I go and roll my own)?

Thanks,

Cliff
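The trade-off the question describes, shown as an added pound configuration example (not from this thread, the pound project or the linked patch): in OpenSSL cipher-string syntax `SSLv3` names the suites first defined for SSLv3, which TLS 1.0 to 1.2 reuse, so `!SSLv3` strips those suites from TLS clients while the SSLv3 protocol itself stays enabled; the `Disable` directive of Pound 2.7 (assumed here to be what the pcidss patch backports to 2.6) turns off the protocol only. Addresses, ports and the certificate path are placeholders.

```text
# Weak: trying to remove POODLE through the cipher string.
# "!SSLv3" drops suites such as AES128-SHA for TLS clients too,
# and SSLv3 clients can still negotiate whatever is left.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # placeholder certificate path
    Cert    "/etc/pound/example-cert.pem"
    Ciphers "HIGH:!aNULL:!MD5:!SSLv3"
    Service
        BackEnd
            # varnish listener, placeholder port
            Address 127.0.0.1
            Port    6081
        End
    End
End

# Corrected: disable the protocol and keep the cipher list for TLS.
# "Disable" and "SSLHonorCipherOrder" are Pound 2.7 directives
# (assumed to be provided by the pcidss patch for 2.6 as well).
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/example-cert.pem"
    # turns off SSLv3 (and SSLv2); TLS 1.0-1.2 remain available
    Disable SSLv3
    # prefer the server's cipher order over the client's
    SSLHonorCipherOrder 1
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-SHA256:HIGH:!aNULL:!MD5"
    Service
        BackEnd
            Address 127.0.0.1
            Port    6081
        End
    End
End
```

After reloading pound, a handshake forced to SSLv3 against your own listener (for example `openssl s_client -connect host:443 -ssl3`) should fail, while a plain `openssl s_client -connect host:443` should still negotiate a TLS cipher from the list.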

Question information

Language: English
Status: Answered
For: Ubuntu pound
Assignee: No assignee
Clifford Meece (clifford-meece) said :
#1

Hmm, my first search didn't turn this up for some reason, but perhaps this is an option:

https://launchpad.net/~uwej711/+archive/ubuntu/pound26pcidss

Clifford Meece (clifford-meece) said :
#2

Well, maybe I spoke too soon. That appears to be for 12.04...

actionparsnip (andrew-woodhead666) said :
#3

I suggest you report a bug. Mark it as a security bug.

Mike Slinn (mslinn) said :
#4

I'd like to install a reasonably secure version of Pound for Ubuntu 14.04. This version seems to be the best choice:
https://code.launchpad.net/~ubuntu-branches/ubuntu/vivid/pound/vivid-updates

How can I install it using apt-get or dpkg? Yes, I could build it, but I'd like to subscribe to updates when available.

If there is another way to get Pound 2.7f or later via apt-get I'd happily do that.

Thanks,
Mike
