[Bug 1197884] Re: apache2.2 SSL has no forward-secrecy: need ECDHE keys
Nestor Urquiza
nestor.urquiza at gmail.com
Thu Nov 28 02:51:08 UTC 2013
I thought this request fell under the below wording in
https://wiki.ubuntu.com/StableReleaseUpdates :
<quote>
Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include:
Bugs which may, under realistic circumstances, directly cause a security vulnerability. These are done by the security team and are documented at SecurityTeam/UpdateProcedures.
...
</quote>
I believe this threat is very realistic (http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html). I guess the metrics to determine what warrants an exception are up to you for sure, but as far as I can tell the privacy cost of this vulnerability justifies the upgrade for apache servers *only*, or the usage of a PPA like https://launchpad.net/~derek-morton/+archive/apache-2.4 if you decide to trust it, or simply building apache 2.4 from scratch. If the server is not running apache, clearly there is nothing to be worried about.
Thanks for the statement because at least the wait is over.
Best,
- Nestor
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys