Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 382069 (CVE-2011-3207) - <dev-libs/openssl-1.0.0e ECDH Ciphersuites DoS (CVE-2011-{3207,3210})
Summary: <dev-libs/openssl-1.0.0e ECDH Ciphersuites DoS (CVE-2011-{3207,3210})
Status: RESOLVED FIXED
Alias: CVE-2011-3207
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45781/
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-06 18:41 UTC by Agostino Sarubbo
Modified: 2011-10-09 15:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-09-06 18:41:11 UTC
From  secunia security advisor at $URL.

Description:
1) An error within OpenSSL's internal certificate verification can lead to OpenSSL accepting CRL (Certificate Revocation Lists) with a "nextUpdate" field set to a date in the past.

2) An error within the implementation of ephemeral ECDH ciphersuites can be exploited to crash a vulnerable server by sending handshake messages within an invalid order.

Successful exploitation of this vulnerability requires that the server enabled and supports the ECDH ciphersuites.
The vulnerabilities are reported in versions 1.0.0 through 1.0.0d.

Solution
Update to version 1.0.0e.
Comment 1 SpanKY gentoo-dev 2011-09-07 03:59:11 UTC
1.0.0e now in the tree
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-09-07 07:44:22 UTC
Arch teams, please, stabilize openssl-1.0.0e. TIA.
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-07 08:44:28 UTC
tested many rdeps

amd64 ok
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2011-09-07 08:46:37 UTC
+  07 Sep 2011; Tony Vroon <chainsaw@gentoo.org> openssl-1.0.0e.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #382069.
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-07 22:48:28 UTC
Archtested on x86: Everything fine
Comment 6 Agostino Sarubbo gentoo-dev 2011-09-08 00:00:14 UTC
(In reply to comment #5)
> Archtested on x86: Everything fine

Looks ok also for me on x86

+1
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-09 14:20:57 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2011-09-11 09:27:50 UTC
arm/x86 stable, thnks JD and Agostino
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-12 15:31:50 UTC
ppc/ppc64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-09-17 10:52:07 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:46:44 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:54:00 UTC
CVE-2011-3210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210):
  The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8s
  and 1.0.x before 1.0.0e does not ensure thread safety during processing of
  handshake messages, which allows remote attackers to cause a denial of
  service (application crash) via out-of-order messages that violate the TLS
  protocol.

CVE-2011-3207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207):
  crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize
  certain structure members, which makes it easier for remote attackers to
  bypass CRL validation by using a nextUpdate value corresponding to a time in
  the past.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:38:02 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:38:02 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).