Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 663654 (CVE-2018-0732)

Summary: <dev-libs/openssl-1.0.2o-r6: Client DoS due to large DH parameter
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2018-08-15 01:54:18 UTC

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). 
OpenSSL is prone to a local information-disclosure vulnerability.

Summary: Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. 

@maintainer(s): OpenSSL 1.0.2p is now available, including bug and security fixes.

Gentoo Security Padawan
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-15 15:39:25 UTC
We are carrying a patch for this since
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-31 20:47:30 UTC
@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2p
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-01 17:56:33 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-01 22:05:25 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:01 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:47:37 UTC
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-02 11:18:49 UTC
hppa stable
Comment 8 Rolf Eike Beer archtester 2018-09-03 15:59:55 UTC
sparc done.
Comment 9 Laszlo Valko 2018-09-04 06:28:29 UTC
(In reply to Mikle Kolyada from comment #4)
> amd64 stable

Mikle, you missed to actually commit that change...
Comment 10 Mart Raudsepp gentoo-dev 2018-09-06 07:22:01 UTC
(In reply to Laszlo Valko from comment #9)
> (In reply to Mikle Kolyada from comment #4)
> > amd64 stable
> Mikle, you missed to actually commit that change...

He stabled revision noted in summary, instead of package list, apparently. Re-CCed amd64.
Comment 11 Agostino Sarubbo gentoo-dev 2018-09-06 15:27:06 UTC
amd64 stable
Comment 12 Mart Raudsepp gentoo-dev 2018-09-07 09:56:52 UTC
arm64 stable
Comment 13 Matt Turner gentoo-dev 2018-09-07 20:24:54 UTC
alpha stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-09 11:57:15 UTC
The rest was done and cleaned.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2018-11-08 02:55:54 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-11-09 00:36:21 UTC
This issue was resolved and addressed in
 GLSA 201811-03 at
by GLSA coordinator Thomas Deutschmann (whissi).