Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 663654 (CVE-2018-0732) - <dev-libs/openssl-1.0.2o-r6: Client DoS due to large DH parameter
Summary: <dev-libs/openssl-1.0.2o-r6: Client DoS due to large DH parameter
Status: RESOLVED FIXED
Alias: CVE-2018-0732
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.openssl.org/news/vulnerab...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-15 01:54 UTC by D'juan McDonald (domhnall)
Modified: 2018-11-09 00:36 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/openssl-1.0.2p
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2018-08-15 01:54:18 UTC
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732):

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). 
OpenSSL is prone to a local information-disclosure vulnerability.

Summary: Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. 

@maintainer(s): OpenSSL 1.0.2p is now available, including bug and security fixes.

Gentoo Security Padawan
(domhnall)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-15 15:39:25 UTC
We are carrying a patch for this since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18f23bb2a2da949d03482b4a5f3a77c37d97c09
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-31 20:47:30 UTC
@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2p
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-01 17:56:33 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-01 22:05:25 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:01 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:47:37 UTC
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-02 11:18:49 UTC
hppa stable
Comment 8 Rolf Eike Beer archtester 2018-09-03 15:59:55 UTC
sparc done.
Comment 9 Laszlo Valko 2018-09-04 06:28:29 UTC
(In reply to Mikle Kolyada from comment #4)
> amd64 stable

Mikle, you missed to actually commit that change...
Comment 10 Mart Raudsepp gentoo-dev 2018-09-06 07:22:01 UTC
(In reply to Laszlo Valko from comment #9)
> (In reply to Mikle Kolyada from comment #4)
> > amd64 stable
> 
> Mikle, you missed to actually commit that change...

He stabled revision noted in summary, instead of package list, apparently. Re-CCed amd64.
Comment 11 Agostino Sarubbo gentoo-dev 2018-09-06 15:27:06 UTC
amd64 stable
Comment 12 Mart Raudsepp gentoo-dev 2018-09-07 09:56:52 UTC
arm64 stable
Comment 13 Matt Turner gentoo-dev 2018-09-07 20:24:54 UTC
alpha stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-09 11:57:15 UTC
The rest was done and cleaned.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2018-11-08 02:55:54 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-11-09 00:36:21 UTC
This issue was resolved and addressed in
 GLSA 201811-03 at https://security.gentoo.org/glsa/201811-03
by GLSA coordinator Thomas Deutschmann (whissi).