Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in RHUI 2.0 and 2.1
Issue
- Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Red Hat Update Infrastructure
- How to avoid impact to RHUI from CVE-2014-3566?
- This issue is seen because a part of RHUA uses SSL 3.0 when communicating with the CDN to fetch listing files.
- When this failure occurs, the following error message appears in the /root/.rhui/rhui.log file:
Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 86, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 112, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 128, in add
    self.candidate_repo_manager.translate_entitlements()
  File "/usr/lib/python2.6/site-packages/rhui/tools/repo_candidates.py", line 72, in translate_entitlements
    mappings = self.cdn_api.expand_variables(e.download_url, cert.cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 71, in expand_variables
    mappings = self._translate_next_variable({'' : url}, cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 104, in _translate_next_variable
    substitutions = self._request_get(listing_url, cert_filename).split('\n')
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 156, in _request_get
    server = self._server(cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 223, in _server
    server.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure
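To confirm that an RHUA is hitting this failure rather than some other SSL error, the log can be scanned for tracebacks that both end in the handshake alert and pass through rhui's cdn_api.py. The following is an added example, not Red Hat's or RHUI's own code. The sample log is constructed from the excerpt above, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the rhui.log excerpt above (frames abbreviated).
SAMPLE_LOG = """\
Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 223, in _server
    server.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure
Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 223, in _server
    server.connect()
SSLError: certificate verify failed
"""

FRAME = re.compile(r'\s*File "([^"]+)", line (\d+), in (\S+)')
EXC = re.compile(r'([A-Za-z_][\w.]*): (.+)$')  # unindented "Type: message" line

def parse_tracebacks(text):
    """Return [(frames, exc_type, message)] for each traceback in the log text."""
    found, frames, in_tb = [], [], False
    for line in text.splitlines():
        if line.startswith("Traceback (most recent call last):"):
            frames, in_tb = [], True
        elif in_tb and FRAME.match(line):
            path, lineno, func = FRAME.match(line).groups()
            frames.append((path, int(lineno), func))
        elif in_tb and frames and EXC.match(line):
            found.append((frames, *EXC.match(line).groups()))
            in_tb = False
    return found

def find_cdn_sslv3_failures(text):
    """Tracebacks ending in the handshake alert that pass through rhui's cdn_api.py."""
    hits = []
    for frames, exc_type, message in parse_tracebacks(text):
        cdn = [f for f in frames if f[0].endswith("/rhui/tools/cdn_api.py")]
        if exc_type == "SSLError" and "sslv3 alert handshake failure" in message and cdn:
            hits.append({"frame": cdn[-1], "error": message})
    return hits

if __name__ == "__main__":
    for hit in find_cdn_sslv3_failures(SAMPLE_LOG):
        print("CDN listing fetch failed in %s:%d (%s): %s" % (*hit["frame"], hit["error"]))
```

OpenSSL reports a handshake_failure alert with this same string on TLS connections too, so the cdn_api.py frame, not the message alone, is what ties a hit to this issue.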
Environment
- Red Hat Update Infrastructure 2.0
- Red Hat Update Infrastructure 2.1
- rh-rhui-tools