That package updated the Apache configuration to disable SSLv3. However, the package used "sed" to update /etc/apache2/mods-enabled/ssl.conf, which is a symlink to /etc/apache2/mods-available/ssl.conf. When sed operates on a symlinked file, it replaces the symlink with a copy of the file and then makes its modifications. The broken symlink would have caused issues with future package updates, so I've released a new version of the securityonion-web-page package that fixes the symlink and updates the original file properly.
The new package version is as follows:
securityonion-web-page - 20141015-0ubuntu0securityonion7
Issue 640: securityonion-web-page: previous update broke ssl symlink
The new packages are now available in our stable repo. Please see the following page for full update instructions:
Updating using "sudo soup"
Verifying that the update fixed the ssl.conf symlink
Verifying that SSLProtocol excludes SSLv3
Restarting Apache using "sudo service apache2 restart"
Verifying that SSLv3 is disabled using "openssl s_client -connect localhost:443 -ssl3"
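The symlink breakage and its repair can be reproduced safely in a throwaway directory. This is an added example, not the package's own script; the temp-dir layout, the sample SSLProtocol line and all function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed sandbox that mimics the Apache layout; nothing under /etc is touched.
PATTERN='s/^SSLProtocol.*/SSLProtocol all -SSLv2 -SSLv3/'

make_sandbox() {
    local root
    root=$(mktemp -d)
    mkdir "$root/mods-available" "$root/mods-enabled"
    # Constructed sample directive, standing in for the real ssl.conf contents.
    printf 'SSLProtocol all -SSLv2\n' > "$root/mods-available/ssl.conf"
    ln -s ../mods-available/ssl.conf "$root/mods-enabled/ssl.conf"
    printf '%s\n' "$root"
}

link_state() {
    if [ -L "$1" ]; then echo symlink; else echo regular; fi
}

# The failure mode: in-place sed aimed at the symlink path.
edit_via_symlink() {
    sed -i "$PATTERN" "$1/mods-enabled/ssl.conf"
}

# The repair: restore the link if it was replaced, then edit the real file.
repair_and_edit() {
    local enabled="$1/mods-enabled/ssl.conf"
    if [ ! -L "$enabled" ]; then
        rm -f "$enabled"
        ln -s ../mods-available/ssl.conf "$enabled"
    fi
    # Resolve the link so sed rewrites the target, not the link itself.
    sed -i "$PATTERN" "$(readlink -f "$enabled")"
}

demo() {
    local root
    root=$(make_sandbox)
    edit_via_symlink "$root"
    echo "after sed on link: $(link_state "$root/mods-enabled/ssl.conf")"
    repair_and_edit "$root"
    echo "after repair:      $(link_state "$root/mods-enabled/ssl.conf")"
    grep SSLProtocol "$root/mods-available/ssl.conf"
    rm -rf "$root"
}
demo
```

GNU sed's `--follow-symlinks` option has the same effect as resolving the path with `readlink -f` before editing in place.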
Thanks to David Zawdie for testing!
If you have any questions or problems, please use our security-onion mailing list:
Need commercial support? Please see:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list:
We also need help testing new packages: