| Summary: | <dev-libs/openssl-0.9.8l TLS renegotiation design flaw (CVE-2009-3555) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | axiator, base-system, bernd, christophe, facorread, fauli, josh, kjackie, mattsch, steffen.weber, tb, thoger |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | A3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 294297 | ||
| Bug Blocks: | 270305, 280591, 292023 | ||
(In reply to comment #0) > I don't know if this causes any breakage. > Yes, at least HTTP w/client certificates heavily depends on this. More details at https://bugzilla.redhat.com/show_bug.cgi?id=533125#c4 Also, see the blocked bug for more details. Arches, please test and mark stable: =dev-libs/openssl-0.9.8l Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" net-misc/tor also breaks because of this. Took me a while to figure it out... Christophe: how does it "break"?! (In reply to comment #3) > net-misc/tor also breaks because of this. Took me a while to figure it out... In the unstable or stable version? net-misc/tor is ready for stabilisation anyway. See also http://extendedsubset.com/?p=8 Stable on alpha. From what I understood, this fully breaks client certificate usage. I'm not sure it's a good idea to stabilize this yet, I'd rather wait for a version implementing the new tls renegotiation draft. Stable for HPPA. ppc stable (In reply to comment #4) > Christophe: how does it "break"?! If you start it up it get stuck at "bootstraping 10%" and gives TLS rengotiation errors when trying to get the directory information. I guess it's trying to use client certificates or something. This is the unstable tor version. Please do not continue to stabilize! This will break other packages and functionalities, I fear even things like https/apache. re-adding hppa & ppc: can you revert to the older openssl-version? Further action needs to be discussed. ...and re-adding alpha, of course! those packages breaking are less important than the packages being vuln. the change upstream added a flag so packages that do not like the new behavior can be restored. patch the broken package in question to use that flag, and file a new bug to address the issue. i'll have to put out a -r1 anyways to include other CVE changes that apparently werent included in this release net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version. Please stabilise that, too, I am on limited connectivity. (In reply to comment #15) > net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version. Btw, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION seems to be a 0.9.8l-only feature and the patch may need further updates later: http://cvs.openssl.org/chngview?cn=18804 Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). (In reply to comment #16) > (In reply to comment #15) > > net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version. > > Btw, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION seems to be a 0.9.8l-only > feature and the patch may need further updates later: > > http://cvs.openssl.org/chngview?cn=18804 > > Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns > out to be a bad idea. It has been replaced by > SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with > SSL_CTX_set_options(). We have to see then. At the moment we can fix this security issue. 0.9.8l-r1 added with the missing patches. should be good to roll now. Stable for HPPA. ppc stable -r1 stable on alpha. amd64/arm/x86 stable ppc64 done ia64/m68k/s390/sh/sparc stable, mips doesn't do stable keywords GLSA request filed. btw, you should do the request against 0.9.8l-r2 as 0.9.8l-r2 didnt have all the pieces for CVE-2009-2409 (Bug 280591) I don't know if anyone has noticed this yet but openssl-0.9.8l breaks the use of local_cert option with the soap client in php. this is not a bug report for people to dump random stuff into. if you have a problem, file a *new* bug. if it's related to other bugs, people can mark things as depending/blocking other bugs. GLSA 200912-01 vapier: please clean out the old versions. Please don't clean 0.9.8k. Please see bug 295367. (In reply to comment #30) > Please don't clean 0.9.8k. Please see bug 295367. > Negative. If you need 0.9.8k create a local overlay with it. Removed ebuilds are archived at sources.gentoo.org. Alex, I find this a stupid idea. The new openssl version breaks certain scenarios (and breaks means not something is wrongly configured or bad design but it's just that the new openssl version lacks features). I'm all for taking security seriously, but breaking setups and taking away the option of switching back is no good idea either. We should at least provide that backup option as long as draft-ietf-tls-renegotiation, which is the only real fix, is implemented. (btw, I don't understand the hurry as we still have NO fix for gnutls and nss and the issue is completely the same) as said, security is more important than a handful of misbehaving apps (thus 0.9.8l-r2 gets stabilized even though some stable apps break). i've always been conservative with openssh/openssl in terms of culling older versions because you never know when you need to quickly test an older versions. i'll probably de-KEYWORD them to keep security peeps happy. (In reply to comment #32) > Alex, I find this a stupid idea. Hanno, this is our standard procedure. Reason: Prevent $user from accidentally installing a vulnerable version. Keep in mind, there were more issues than this one here fixed. > (btw, I don't understand the hurry as we still have NO fix for gnutls and nss > and the issue is completely the same) So? This is about OpenSSL, not gnutls, nss or whatever. (In reply to comment #33) > i'll probably de-KEYWORD them to keep security peeps happy. ack. maybe you can find one or two versions that you really really want to keep, dekeyword or p.mask them, remove the rest, and we're okay with it. |
A design flaw in tls has been found that makes it possible to inject content on session renegotiation. openssl has released 0.9.8l which disables renegotiation to work around this. I don't know if this causes any breakage. From Changelog: *) Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie]