ZNC SSL listeners are vulnerable to POODLE.

Bug #1389264 reported by Thomas Ward
Affects        Status        Importance  Assigned to  Milestone
znc (Ubuntu)   Fix Released  Medium      Unassigned
  Precise      Won't Fix     Medium      Unassigned
  Trusty       Confirmed     Medium      Unassigned
  Utopic       Won't Fix     Medium      Unassigned
  Vivid        Fix Released  Medium      Unassigned

Bug Description

This is a report on the state of the ZNC package in Ubuntu.

Currently, the ZNC package is vulnerable to CVE-2014-3566 and the POODLE vulnerability. It does not disable SSLv3 and does not permit an individual to change what is or is not enabled in SSL protocols.

An upstream ZNC issue was opened on this issue, requesting that the insecure SSLv2 and SSLv3 are disabled, as well as a request to be able to specify the SSL Ciphers to be used. That issue is at https://github.com/znc/znc/issues/621.

https://github.com/jpnurmi/znc/commit/954f22ccc0ee8a77ed96756e154993dc9e8402af is the relevant code commit which fixes the SSLv3 support issue and disables SSLv2 and SSLv3.

The related CVE is the OpenSSL POODLE vulnerability - CVE-2014-3566.

All versions of the ZNC software are affected at this time.

Tags: poodle

Thomas Ward (teward) wrote :

Discussion in #ubuntu-hardened with mdeslaur has made a point: We don't wish to disable SSLv3 in the stable versions currently in the packages.

There are upstream code reviews in progress for an option to disable SSL protocols in the configuration file, and that may be an acceptable alternative change.

tags: added: poodle
Thomas Ward (teward)
Changed in znc (Ubuntu Utopic):
status: New → Confirmed
Changed in znc (Ubuntu Trusty):
status: New → Confirmed
Changed in znc (Ubuntu Precise):
status: New → Confirmed
Thomas Ward (teward) wrote :

After discussion with the Security team, and Upstream ZNC rejecting the changes to incorporate the ability to selectively disable protocols, this is not going to be fixable in any of the stable releases (Precise, Trusty, Utopic).

Therefore, the current path of approach is going to be putting the "Disable SSLv2/SSLv3" code change into Vivid, and leave the rest alone. (Marking Precise, Trusty, Utopic as "Won't Fix" accordingly, per my discussion with mdeslaur in #ubuntu-hardened on this issue.)

Changed in znc (Ubuntu Trusty):
status: Confirmed → Won't Fix
Changed in znc (Ubuntu Utopic):
status: Confirmed → Won't Fix
Changed in znc (Ubuntu Precise):
status: Confirmed → Won't Fix
Thomas Ward (teward) wrote :

Further changes and updates. Upstream ZNC has accepted commits to accept SSL protocol configuration to select the protocols you want to support. https://github.com/znc/znc/pull/728/files

This was facilitated by commits to the CSocket program/library that ZNC uses and includes with itself.

The commit contains four git commits:
(1) Update CSocket.
(2) Fix the non-SSL builds
(3) Disable SSL Compression (to mitigate CRIME vulnerability)
(4) Add a configuration option to define SSL protocols that are supported.

I discussed this with mdeslaur. Adding the configuration option to define SSL protocols may be more feasible to include than to outright disable the SSL protocol for SSLv3 on its own. This would also potentially apply as a valid SRU to older releases, thereby making this security issue a null point. To the end that this could be a possible SRU, I'm marking everything as "Confirmed" rather than "Won't Fix", pending a discussion with the SRU team ahead of uploading debdiffs.

Changed in znc (Ubuntu Precise):
status: Won't Fix → Confirmed
Changed in znc (Ubuntu Trusty):
status: Won't Fix → Confirmed
Changed in znc (Ubuntu Utopic):
status: Won't Fix → Confirmed
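One way to model the protocol-selection option and the CRIME compression change described in the comment above, as an added example (my code, not ZNC's, CSocket's, or the pull request's): it assumes a "+Name"/"-Name" list syntax for the option (the page does not show ZNC's exact spelling) and uses Python's standard ssl module in place of CSocket/OpenSSL; parse_protocols, sslv3_enabled, build_server_context and audit_context are hypothetical helper names.

```python
import ssl

# Assumed syntax (not from this bug page): whitespace-separated tokens,
# "+Name" enables, "-Name" disables, "All" means every protocol, later
# tokens win. Example: "+All -SSLv2 -SSLv3".
NO_PROTOCOL = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def parse_protocols(spec):
    """Return the set of protocol names that `spec` leaves enabled."""
    enabled = set()
    for token in spec.split():
        if token[:1] not in ("+", "-") or len(token) < 2:
            raise ValueError(f"token must be +Name or -Name: {token!r}")
        sign, name = token[0], token[1:]
        names = set(NO_PROTOCOL) if name.lower() == "all" else {name}
        if not names <= set(NO_PROTOCOL):
            raise ValueError(f"unknown protocol: {name!r}")
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def sslv3_enabled(spec):
    """True if the spec still admits SSLv3, i.e. the POODLE exposure remains."""
    return "SSLv3" in parse_protocols(spec)


def build_server_context(spec):
    """Server SSLContext applying `spec`, with TLS compression always off
    (the CRIME mitigation). Note: current OpenSSL builds have SSLv2/SSLv3
    compiled out, so those OP_NO_* bits are already set on a fresh context."""
    enabled = parse_protocols(spec)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    for name, flag in NO_PROTOCOL.items():
        if name not in enabled:
            ctx.options |= flag
    return ctx


def audit_context(ctx):
    """Summarise what the context refuses, for a deployment check."""
    disabled = sorted(n for n, f in NO_PROTOCOL.items() if ctx.options & f)
    return {"disabled": disabled,
            "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION)}
```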
Thomas Ward (teward) wrote :

More updates.

Unfortunately, it's going to be pretty invasive to try and fix this in pre-1.0 versions of the ZNC package, because the CSocket changes won't apply cleanly, and I am not familiar enough to make the changes to make it work. As well, upstream in Debian, their security team representative, over emails, has stated that it's too invasive for them to include in anything other than 1.4-1 which is in Wheezy and Sid.

Because I've failed to get this to build in anything before ZNC 1.0, I'm going to "Won't Fix" this for Precise, which has 0.206.

I'm still working on Trusty, Utopic, and Vivid, but with Vivid I'm more likely to request a merge or sync once Debian updates with the changes to enable SSL protocol selection.

Changed in znc (Ubuntu Precise):
status: Confirmed → Won't Fix
Aminda Suomalainen (mikaela) wrote :

ZNC 1.6.0 fixes this and FREAK, which wasn't a known issue at that time. Currently all ZNC versions older than 1.6.0 are vulnerable to FREAK in addition to POODLE.

Aminda Suomalainen (mikaela) wrote :

According to http://packages.ubuntu.com/vivid/znc Vivid has ZNC 1.6.0 and this issue and FREAK are fixed in it.

Thomas Ward (teward) wrote :

Confirmed comment #7. This slipped my radar. Marking Vivid fixed as a result.

Changed in znc (Ubuntu Vivid):
status: Confirmed → Fix Released
Thomas Ward (teward) wrote :

Mikaela: See https://bugs.launchpad.net/ubuntu/+source/znc/+bug/1444943 for the (start) of work to get ZNC 1.6.0 into trusty-backports and utopic-backports. While this doesn't fully address the Security bug, it does provide the 1.6.0 functionality via the backports repository.

Mathew Hodson (mhodson)
Changed in znc (Ubuntu Utopic):
status: Confirmed → Won't Fix
Changed in znc (Ubuntu):
importance: Undecided → Medium
Changed in znc (Ubuntu Precise):
importance: Undecided → Medium
Changed in znc (Ubuntu Trusty):
importance: Undecided → Medium
Changed in znc (Ubuntu Utopic):
importance: Undecided → Medium
Changed in znc (Ubuntu Vivid):
importance: Undecided → Medium
This report contains Public Security information  
Everyone can see this security related information.