Shopping cart software Solutions for online shops and malls
#61
Re: POODLE vulnerability in SSLv3
Quote:
The list of patches available:

remove_ssl3-2014-10-30_4.2.3.tgz
remove_ssl3-2014-10-30_4.3.2.tgz
remove_ssl3-2014-10-30_4.4.5.tgz
remove_ssl3-2014-10-30_4.5.0.tgz
remove_ssl3-2014-10-30_4.5.1.tgz
remove_ssl3-2014-10-30_4.5.2.tgz
remove_ssl3-2014-10-30_4.5.3.tgz
remove_ssl3-2014-10-30_4.5.4.tgz
remove_ssl3-2014-10-30_4.5.5.tgz
remove_ssl3-2014-10-30_4.6.0.tgz
remove_ssl3-2014-10-30_4.6.1.tgz
remove_ssl3-2014-10-30_4.6.2.tgz
remove_ssl3-2014-10-30_4.6.3.tgz
remove_ssl3-2014-10-30_4.6.4.tgz

The users of X-Cart 4.3.0 and 4.3.1 should use the patch for v.4.3.2.

The users of X-Cart 4.4.0 - 4.4.4 should use the patch for v.4.4.5 (it won't apply automatically, so you have to do it manually). Most probably you will be able to apply the patch as is. But a little patch adaptation for this version may be required.
__________________
X-Cart team
Last edited by xplorer : 12-02-2014 at 04:25 AM.
#62
Re: POODLE vulnerability in SSLv3
Quote:
Hi Ksenia, Vladimir, and others,

To make 100% sure I am not misinterpreting the information provided, if I have an XCart Version 4.0.17, which is earlier than Version 4.2.2 you quoted, then I do not need to do anything to my XCart, correct?

I see another member in this thread is on V4.1.9 and asking the same questions, and I'm sure there are others either reading this thread, or about to when their cart payments stop working.

If this is the case, then I get my host provider to disable the SSLv3 protocol on my server, correct?

Thanks in advance,
Cheers Don...
__________________
Don McKenzie
http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]
Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#63
Re: POODLE vulnerability in SSLv3
1) I also have many LiteCommerce ASPE 2.1 shopcarts. Will LiteCommerce carts still work if the server no longer allows SSLv3? (None of the LC carts use payment gateways)
2) Are there patches for the LiteCommerce ASPE 2.1 files?
__________________
Jim - X-cart Gold 4.4.5
#64
Re: POODLE vulnerability in SSLv3
I'm using 4.3.2.
My hosting company has taken care of SSLv3. I've downloaded the 4.3.2 patch. Am stuck on Step 4. I cannot find any file dirs called /include/func or /payment. I have a /includes/functions/ but the files to replace are not in these dirs. What is the path to /include/func if it is not at the xcart's root level?
__________________
Xcart Gold 4.3.2
#65
Re: POODLE vulnerability in SSLv3
Quote:
aim-server[~/tmp]$ wget http://www.gl.....a.com/xcart/includes/functions
--2014-10-31 09:38:07-- http://www.gl.....a.com/xcart/includes/functions
Resolving www.gl.....a.com (www.gl.....a.com)... 66.230.196.148
Connecting to www.gl.....a.com (www.gl.....a.com)|66.230.196.148|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-10-31 09:38:08 ERROR 404: Not Found.

aim-server[~/tmp]$ wget http://www.gl.....a.com/xcart/includes/
--2014-10-31 09:38:17-- http://www.gl.....a.com/xcart/includes/
Resolving www.gl.....a.com (www.gl.....a.com)... 66.230.196.148
Connecting to www.gl.....a.com (www.gl.....a.com)|66.230.196.148|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-10-31 09:38:18 ERROR 404: Not Found.

aim-server[~/tmp]$ wget http://www.gl.....a.com/xcart/include/func
--2014-10-31 09:38:23-- http://www.gl.....a.com/xcart/include/func
Resolving www.gl.....a.com (www.gl.....a.com)... 66.230.196.148
Connecting to www.gl.....a.com (www.gl.....a.com)|66.230.196.148|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-10-31 09:38:24 ERROR 403: Forbidden.

aim-server[~/tmp]$ wget http://www.gl.....a.com/xcart/include
--2014-10-31 09:38:28-- http://www.gl.....a.com/xcart/include
Resolving www.gl.....a.com (www.gl.....a.com)... 66.230.196.148
Connecting to www.gl.....a.com (www.gl.....a.com)|66.230.196.148|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-10-31 09:38:28 ERROR 403: Forbidden.

The correct dirs are
http://www.gl.....a.com/xcart/include
http://www.gl.....a.com/xcart/include/func
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
#66
Re: POODLE vulnerability in SSLv3
Quote:
You do not need to do anything for your XCart Version 4.0.17
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
#67
Re: POODLE vulnerability in SSLv3
Quote:
Thanks very much Ildar. I'll go ahead and get the SSL dropped on my server and get back to this thread with the results.

Cheers Don...
__________________
Don McKenzie
http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]
Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#68
Re: POODLE vulnerability in SSLv3
Quote:
There are no patches for LC2 as it doesn't force SSLv3 out of the box. However, your website has a lot of custom mods, so it makes sense to contact our support staff and let them check it.
__________________
Alex Solovev, Qualiteam
#69
Re: POODLE vulnerability in SSLv3
Quote:
Just contacted my web host, and received this reply. Please advise.

Cheers Don...

==========================================

I would recommend you to contact X-cart to confirm about the recommended curl version in your server. From what I can see, you are having an old CentOS version: CentOS release 5.11 (Final) and the latest available version of Curl is 7.15.5.

# curl --version
curl 7.15.5

Your server is already running latest version of the curl available for your Operating System and you will need to update to a newer OS and server for upgrading the curl version. It does appear several core functions may be tied into this curl version that can't be updated without a lot of headache in your current operating system. I do know that in order to obtain the latest openssl version that supports the newer TLS 1.1 and 1.2 versions you must upgrade to CentOS 6.

Please confirm these, so we can disable SSLv3.

-----
Thomas Joy
Technical Support Specialist
Total Server Solutions
__________________
Don McKenzie
http://www.dontronics-shop.com/
X-Cart 4.0.17 [Unix]
Hosting by www.totalserversolutions.com The very best home for your X-Cart. (was ewdhosting.com)
#70
Re: POODLE vulnerability in SSLv3
Quote:
X-Cart works properly with the last curl 7.38.0 libcurl/7.38.0 OpenSSL/1.0.1j libs.

So you have to upgrade to CentOS 6 as advised.

Please take into account Intershipper issues for the last curl/OpenSSL libs:
http://us1.campaign-archive2.com/?u=8f406bcb33564cce3343fee6e&id=7b9a827fc0&e=[UNIQID]
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
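
An added example, not part of the original thread or X-Cart's code: a shell function that reads the first line of `curl --version` and reports whether the linked OpenSSL is 1.0.1 or later, the first release with TLS 1.1/1.2, which is what the host's reply and the answer above turn on. The helper name `tls12_capable` is hypothetical, and every sample banner except the 7.38.0 string quoted in the thread is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a `curl --version` banner
# whether curl's OpenSSL can negotiate TLS 1.1/1.2, which first shipped in
# OpenSSL 1.0.1. `tls12_capable` is a hypothetical helper name.

# Usage: tls12_capable "BANNER"  -> prints yes | no | unknown
tls12_capable() {
    # Extract the numeric part after "OpenSSL/", e.g. 1.0.1 from OpenSSL/1.0.1j.
    ver=$(printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$ver" ]; then
        # curl built against NSS, GnuTLS, etc.: this check cannot judge it.
        echo unknown
        return 0
    fi
    # Split major.minor.patch on dots; missing fields default to 0.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 1 ]; then
        echo yes
    elif [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample banners (only the 7.38.0 string appears in the thread).
for banner in \
    'curl 7.38.0 libcurl/7.38.0 OpenSSL/1.0.1j' \
    'curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3' \
    'curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3'
do
    printf '%-8s %s\n' "$(tls12_capable "$banner")" "$banner"
done
```

On a live host, pass it the real banner with `tls12_capable "$(curl --version | head -n 1)"`. An `unknown` result means curl is linked against a TLS library other than OpenSSL, which has to be checked separately.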
X-Cart forums © 2001-2020