Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Mark J Cox gave us a heads-up on an OpenSSL flaw possibly resulting in a Denial of Service. Details will be disclosed to us on Monday, and are not to be publicised until Wednesday.
#1 OpenSSL Server Name extension crash Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash. (CVE-2008-0891). Please note this issue does not affect any other released versions of OpenSSL, and does not affect versions compiled without TLS server name extensions. ... #2 OpenSSL Omit Server Key Exchange message crash Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672).
vapier, do we support these "non-default TLS server name extensions"? I'll attach upstream patches, please prepare ebuilds and we can do prestable testing on this bug. Do not commit anything to CVS yet.
Created an attachment (id=154341) [details] openssl-0.9.8g-CVE-2008-0891.patch
Created an attachment (id=154343) [details] openssl-0.9.8g-CVE-2008-1672.patch
(In reply to comment #2) > vapier, do we support these "non-default TLS server name extensions"? > > I'll attach upstream patches, please prepare ebuilds and we can do prestable > testing on this bug. Do not commit anything to CVS yet. > Yes we do in 0.9.8g and 0.9.8g-r1
(In reply to comment #5) > Yes we do in 0.9.8g and 0.9.8g-r1 Thanks for the info. Since the embargo is off in ~36 hours, let me know if you intend to do prestable testing (preferred by security), or want to bump to the release directly in the tree. In case of the former, attach ebuild incorporating the patches to this bug.
This is now public via http://www.openssl.org/news/secadv_20080528.txt 0.9.8h has been released to adress the issue, please bump the ebuild.
Well to further complicate this, I'm having several SSL services that are no longer accessible from a client using openssl 0.9.8h while they're accessible from all versions below 0.9.8h. I don't know if this relates to tlsext but infra will be interested since one of my affected services is LDAP.
Doug, do you experience the same issues using 0.9.8g + the patches on the bug?
even though we have 0.9.8h, it's way too new to consider for stable ... we should apply the patches to 0.9.8g if Doug could get back to us quickly, that'd be good ...
yeah yeah. Gimme a minute. I had a busy day today.
Alright. We look golden. My issue is obviously something in 0.9.8h not related to the security fixes. I'll just make a new bug on that to figure it out. Who knows, maybe upstream is already aware. Anyway, I had to strip out the diff for CHANGES to get the patches to apply. But I added them to openssl-0.9.8g-r2 to the tree.
Thanks for bumping! Arches, please test and mark stable: =dev-libs/openssl-0.9.8g-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
x86 stable
ppc64 stable
dev-libs/openssl-0.9.8g-r2 USE="kerberos (sse2) test zlib -bindist -gmp" 1. Emerges on AMD64. 2. No collisions and passes tests etc. 3. OpenSSH still works after upgrade and OpenSSH builds against the upgraded OpenSSL package. Portage 2.1.4.4 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r2 x86_64) ================================================================= System uname: 2.6.24-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Timestamp of tree: Sat, 31 May 2008 16:45:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p33 dev-java/java-config: 1.3.7, 2.1.6 dev-lang/python: 2.4.4-r9 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd threads tiff truetype unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
I think bug #224407 needs a mention here.
Stable for HPPA.
alpha/ia64/sparc stable
amd64 stable
ppc stable
Fixed in release snapshot.
GLSA 200806-08.
