#12, 10-17-2014, 08:21 AM
fwm (Advanced Member, Join Date: Apr 2011, Posts: 78)
Re: POODLE vulnerability in SSLv3

Is there a patch needed for the Magento x-Payments connector?

-atm

[QUOTE=ambal]Hi Everyone,

As you may already know, right after the OpenSSL Heartbleed vulnerability a new one has been found in the SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or the X-Payments connector modules for X-Cart. This is a vulnerability in the ciphering software used by almost any server on the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply the Attachment 3956 patch to your X-Cart. It will disable the forced use of SSLv3 and enable automatic selection of TLS or SSL, so if your hosting provider has disabled SSLv3 support for your X-Payments installation, your X-Cart will still be able to connect to X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of the X-Payments connector as soon as we release it, or remove this line of code:
PHP Code:
curl_setopt($ch, CURLOPT_SSLVERSION, 3); 
in the following file of X-Cart 5:
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) Make sure the server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use an X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what cURL is - consult your hosting admin.

And since I mentioned OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g.[/QUOTE]
__________________
X-Cart 4.1.9
X-Cart 4.4.1
X-Cart Platinum 4.6.1
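The forced-SSLv3 cURL setting the quoted post says to remove, placed beside a hardened configuration that lets cURL negotiate TLS, as an added example (not X-Cart or X-Payments code; the function names, $url and $payload are placeholders, the CURLOPT_* and CURL_SSLVERSION_* names are the PHP cURL extension's own):

```php
<?php
// Added example, not X-Cart or X-Payments code. It places the forced-SSLv3
// cURL setting the thread tells users to remove next to a hardened form that
// lets cURL negotiate TLS, plus the thread's cURL version check.
// CURLOPT_* / CURL_SSLVERSION_* names are the PHP cURL extension's own;
// the function names, $url and $payload are placeholders.

// Weak: pins every request to SSLv3 (value 3 == CURL_SSLVERSION_SSLv3).
// A host that disabled SSLv3 after POODLE becomes unreachable; one that still
// offers it leaves the connection exposed to the attack.
function xpaymentsRequestForcedSslv3($url, $payload)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// Hardened: set a TLS floor instead of a fixed SSLv3 version and keep
// certificate verification on. CURL_SSLVERSION_TLSv1 means "TLS 1.0 or newer"
// on current libcurl; builds that define CURL_SSLVERSION_TLSv1_2 can raise
// the floor to TLS 1.2.
function xpaymentsRequestTls($url, $payload)
{
    $floor = defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, $floor);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    if ($body === false) {
        // A failure here usually means the peer only speaks SSLv3 or the
        // certificate did not verify; report it rather than retrying downgraded.
        throw new RuntimeException('X-Payments request failed: ' . curl_error($ch));
    }
    return $body;
}

// The thread's second check: the cURL library behind PHP must be 7.18.1 or newer.
function curlIsRecentEnough($minimum = '7.18.1')
{
    return version_compare(curl_version()['version'], $minimum, '>=');
}
```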