223429 CVE-2008-0891 2008-05-24 12:42 0000 dev-libs/openssl >=0.9.8f <0.9.8g-r2 Denial of Service vulnerabilities (CVE-2008-0891, CVE-2008-1672) 2008-06-23 22:51:47 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.openssl.org/news/secadv_20080528.txt A3 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org base-system@gentoo.org hanno@gentoo.org jer@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-05-24 12:42:25 0000 Mark J Cox gave us a heads-up on an OpenSSL flaw possibly resulting in a Denial of Service. Details will be disclosed to us on Monday, and are not to be publicised until Wednesday. rbu@gentoo.org 2008-05-26 11:09:31 0000 #1 OpenSSL Server Name extension crash Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash. (CVE-2008-0891). Please note this issue does not affect any other released versions of OpenSSL, and does not affect versions compiled without TLS server name extensions. ... #2 OpenSSL Omit Server Key Exchange message crash Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672). rbu@gentoo.org 2008-05-26 11:11:17 0000 vapier, do we support these "non-default TLS server name extensions"? I'll attach upstream patches, please prepare ebuilds and we can do prestable testing on this bug. Do not commit anything to CVS yet. rbu@gentoo.org 2008-05-26 11:13:04 0000 Created an attachment (id=154341) openssl-0.9.8g-CVE-2008-0891.patch rbu@gentoo.org 2008-05-26 11:13:20 0000 Created an attachment (id=154343) openssl-0.9.8g-CVE-2008-1672.patch cardoe@gentoo.org 2008-05-26 14:42:16 0000 (In reply to comment #2) > vapier, do we support these "non-default TLS server name extensions"? > > I'll attach upstream patches, please prepare ebuilds and we can do prestable > testing on this bug. Do not commit anything to CVS yet. > Yes we do in 0.9.8g and 0.9.8g-r1 rbu@gentoo.org 2008-05-26 22:26:40 0000 (In reply to comment #5) > Yes we do in 0.9.8g and 0.9.8g-r1 Thanks for the info. Since the embargo is off in ~36 hours, let me know if you intend to do prestable testing (preferred by security), or want to bump to the release directly in the tree. In case of the former, attach ebuild incorporating the patches to this bug. vorlon@gentoo.org 2008-05-28 11:29:17 0000 This is now public via http://www.openssl.org/news/secadv_20080528.txt 0.9.8h has been released to adress the issue, please bump the ebuild. cardoe@gentoo.org 2008-05-29 15:15:14 0000 Well to further complicate this, I'm having several SSL services that are no longer accessible from a client using openssl 0.9.8h while they're accessible from all versions below 0.9.8h. I don't know if this relates to tlsext but infra will be interested since one of my affected services is LDAP. rbu@gentoo.org 2008-05-30 05:13:15 0000 Doug, do you experience the same issues using 0.9.8g + the patches on the bug? vapier@gentoo.org 2008-05-30 21:07:08 0000 even though we have 0.9.8h, it's way too new to consider for stable ... we should apply the patches to 0.9.8g if Doug could get back to us quickly, that'd be good ... cardoe@gentoo.org 2008-05-30 21:15:04 0000 yeah yeah. Gimme a minute. I had a busy day today. cardoe@gentoo.org 2008-05-30 21:28:34 0000 Alright. We look golden. My issue is obviously something in 0.9.8h not related to the security fixes. I'll just make a new bug on that to figure it out. Who knows, maybe upstream is already aware. Anyway, I had to strip out the diff for CHANGES to get the patches to apply. But I added them to openssl-0.9.8g-r2 to the tree. rbu@gentoo.org 2008-05-31 08:02:40 0000 Thanks for bumping! Arches, please test and mark stable: =dev-libs/openssl-0.9.8g-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" fauli@gentoo.org 2008-05-31 13:37:35 0000 x86 stable corsair@gentoo.org 2008-05-31 19:59:27 0000 ppc64 stable jonas@chown.dk 2008-05-31 21:27:31 0000 dev-libs/openssl-0.9.8g-r2 USE="kerberos (sse2) test zlib -bindist -gmp" 1. Emerges on AMD64. 2. No collisions and passes tests etc. 3. OpenSSH still works after upgrade and OpenSSH builds against the upgraded OpenSSL package. Portage 2.1.4.4 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r2 x86_64) ================================================================= System uname: 2.6.24-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Timestamp of tree: Sat, 31 May 2008 16:45:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p33 dev-java/java-config: 1.3.7, 2.1.6 dev-lang/python: 2.4.4-r9 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd threads tiff truetype unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS jer@gentoo.org 2008-06-01 19:40:11 0000 I think bug #224407 needs a mention here. jer@gentoo.org 2008-06-02 02:15:16 0000 Stable for HPPA. armin76@gentoo.org 2008-06-02 10:01:24 0000 alpha/ia64/sparc stable beandog@gentoo.org 2008-06-03 14:21:54 0000 amd64 stable dertobi123@gentoo.org 2008-06-05 18:08:43 0000 ppc stable pva@gentoo.org 2008-06-06 07:49:33 0000 Fixed in release snapshot. rbu@gentoo.org 2008-06-23 22:51:47 0000 GLSA 200806-08. 154341 2008-05-26 11:13 0000 openssl-0.9.8g-CVE-2008-0891.patch openssl-0.9.8g-CVE-2008-0891.patch text/plain SW5kZXg6IENIQU5HRVMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL2Uvb3BlbnNzbC9jdnMvb3BlbnNz bC9DSEFOR0VTLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjEyMzguMi44NgpkaWZmIC11IC1yMS4x MjM4LjIuODYgQ0hBTkdFUwotLS0gQ0hBTkdFUwkyOCBGZWIgMjAwOCAxMzozNTo1OCAtMDAwMAkx LjEyMzguMi44NgorKysgQ0hBTkdFUwkxOCBNYXIgMjAwOCAxMjowNjo1NyAtMDAwMApAQCAtNCw2 ICs0LDkgQEAKIAogIENoYW5nZXMgYmV0d2VlbiAwLjkuOGcgYW5kIDAuOS44aCAgW3h4IFhYWCB4 eHh4XQogCisgICopIEZpeCBkb3VibGUgZnJlZSBpbiBUTFMgc2VydmVyIG5hbWUgZXh0ZW5zaW9u cyB3aGljaCBjb3VsZCBsZWFkIHRvIGEgcmVtb3RlCisgICAgIGNyYXNoIGZvdW5kIGJ5IENvZGVu b21pY29uIFRMUyB0ZXN0IHN1aXRlIChDVkUtMjAwOC0wODkxKSBbSm9lIE9ydG9uXQorCiAgICop IEZpeCBCTiBmbGFnIGhhbmRsaW5nIGluIFJTQV9lYXlfbW9kX2V4cCgpIGFuZCBCTl9NT05UX0NU WF9zZXQoKQogICAgICB0byBnZXQgdGhlIGV4cGVjdGVkIEJOX0ZMR19DT05TVFRJTUUgYmVoYXZp b3IuCiAgICAgIFtCb2RvIE1vZWxsZXIgKEdvb2dsZSldCkluZGV4OiBzc2wvdDFfbGliLmMKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQpSQ1MgZmlsZTogL2Uvb3BlbnNzbC9jdnMvb3BlbnNzbC9zc2wvdDFfbGliLmMsdgpy ZXRyaWV2aW5nIHJldmlzaW9uIDEuMTMuMi44CmRpZmYgLXUgLXIxLjEzLjIuOCB0MV9saWIuYwot LS0gc3NsL3QxX2xpYi5jCTE4IE9jdCAyMDA3IDExOjM5OjExIC0wMDAwCTEuMTMuMi44CisrKyBz c2wvdDFfbGliLmMJMTggTWFyIDIwMDggMTI6MDY6NTggLTAwMDAKQEAgLTM4MSw2ICszODEsNyBA QAogCQkJCQkJcy0+c2Vzc2lvbi0+dGxzZXh0X2hvc3RuYW1lW2xlbl09J1wwJzsKIAkJCQkJCWlm IChzdHJsZW4ocy0+c2Vzc2lvbi0+dGxzZXh0X2hvc3RuYW1lKSAhPSBsZW4pIHsKIAkJCQkJCQlP UEVOU1NMX2ZyZWUocy0+c2Vzc2lvbi0+dGxzZXh0X2hvc3RuYW1lKTsKKwkJCQkJCQlzLT5zZXNz aW9uLT50bHNleHRfaG9zdG5hbWUgPSBOVUxMOwogCQkJCQkJCSphbCA9IFRMUzFfQURfVU5SRUNP R05JWkVEX05BTUU7CiAJCQkJCQkJcmV0dXJuIDA7CiAJCQkJCQl9Cg== 154343 2008-05-26 11:13 0000 openssl-0.9.8g-CVE-2008-1672.patch openssl-0.9.8g-CVE-2008-1672.patch text/plain SW5kZXg6IENIQU5HRVMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL2Uvb3BlbnNzbC9jdnMvb3BlbnNz bC9DSEFOR0VTLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjEyMzguMi44NgpkaWZmIC11IC1yMS4x MjM4LjIuODYgQ0hBTkdFUwotLS0gQ0hBTkdFUwkyOCBGZWIgMjAwOCAxMzozNTo1OCAtMDAwMAkx LjEyMzguMi44NgorKysgQ0hBTkdFUwkyMiBNYXkgMjAwOCAwOToxOTozMCAtMDAwMApAQCAtNCw2 ICs0LDEwIEBACiAKICBDaGFuZ2VzIGJldHdlZW4gMC45LjhnIGFuZCAwLjkuOGggIFt4eCBYWFgg eHh4eF0KIAorICAqKSBGaXggZmxhdyBpZiAnU2VydmVyIEtleSBleGNoYW5nZSBtZXNzYWdlJyBp cyBvbWl0dGVkIGZyb20gYSBUTFMKKyAgICAgaGFuZHNoYWtlIHdoaWNoIGNvdWxkIGxlYWQgdG8g YSBjaWxlbnQgY3Jhc2ggYXMgZm91bmQgdXNpbmcgdGhlCisgICAgIENvZGVub21pY29uIFRMUyB0 ZXN0IHN1aXRlIChDVkUtMjAwOC0xNjcyKSBbU3RldmUgSGVuc29uLCBNYXJrIENveF0KKwogICAq KSBGaXggQk4gZmxhZyBoYW5kbGluZyBpbiBSU0FfZWF5X21vZF9leHAoKSBhbmQgQk5fTU9OVF9D VFhfc2V0KCkKICAgICAgdG8gZ2V0IHRoZSBleHBlY3RlZCBCTl9GTEdfQ09OU1RUSU1FIGJlaGF2 aW9yLgogICAgICBbQm9kbyBNb2VsbGVyIChHb29nbGUpXQpJbmRleDogc3NsL3MzX2NsbnQuYwo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09ClJDUyBmaWxlOiAvZS9vcGVuc3NsL2N2cy9vcGVuc3NsL3NzbC9zM19jbG50LmMs dgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuODguMi4xMgpkaWZmIC11IC1yMS44OC4yLjEyIHMzX2Ns bnQuYwotLS0gc3NsL3MzX2NsbnQuYwkzIE5vdiAyMDA3IDEzOjA3OjM5IC0wMDAwCTEuODguMi4x MgorKysgc3NsL3MzX2NsbnQuYwkyMiBNYXkgMjAwOCAwOToxOTozMCAtMDAwMApAQCAtMjA2MSw2 ICsyMDYxLDEzIEBACiAJCQl7CiAJCQlESCAqZGhfc3J2ciwqZGhfY2xudDsKIAorICAgICAgICAg ICAgICAgICAgICAgICAgaWYgKHMtPnNlc3Npb24tPnNlc3NfY2VydCA9PSBOVUxMKSAKKyAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgeworICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBzc2wzX3NlbmRfYWxlcnQocyxTU0wzX0FMX0ZBVEFMLFNTTF9BRF9VTkVYUEVDVEVEX01F U1NBR0UpOworICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTU0xlcnIoU1NMX0ZfU1NM M19TRU5EX0NMSUVOVF9LRVlfRVhDSEFOR0UsU1NMX1JfVU5FWFBFQ1RFRF9NRVNTQUdFKTsKKyAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ290byBlcnI7CisgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIH0KKwogCQkJaWYgKHMtPnNlc3Npb24tPnNlc3NfY2VydC0+cGVlcl9k aF90bXAgIT0gTlVMTCkKIAkJCQlkaF9zcnZyPXMtPnNlc3Npb24tPnNlc3NfY2VydC0+cGVlcl9k aF90bXA7CiAJCQllbHNlCg==