Upcoming OpenSSL issue public on October 11th 1200UTC. NISCC should be contacting you with details today (prod vulteam@niscc.gov.uk if you don't hear from them).

Affects all OS and architectures, all OpenSSL versions. Has a simple patch easy to backport to any old OpenSSL version. However I'd rate this as a low or moderate severity issue, so no need to overly panic.

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
### DRAFT ### STRICT EMBARGO UNTIL 11 OCTOBER 2005 1200UTC

OpenSSL Security Advisory [11 October 2005]

CAN-2005-2969: Potential SSL 2.0 Rollback
=========================================

CONTENTS
- Vulnerability
- Recommendations
- Acknowledgement
- References

Vulnerability
-------------

A vulnerability has been found in all previously released versions of OpenSSL (all versions up to 0.9.7g, and version 0.9.8). Versions 0.9.7h and 0.9.8a are being released to address the issue.

The vulnerability potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL.

Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only.

Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor SSL_OP_ALL are not affected. Also, applications that disable use of SSL 2.0 are not affected.

Recommendations
---------------

There are multiple ways to avoid this vulnerability. Any one of the following measures is sufficient.

1. Disable SSL 2.0 in the OpenSSL-based application.

   The vulnerability occurs only if the old protocol version SSL 2.0 is enabled both in an OpenSSL server and in any of the clients (OpenSSL-based or not) connecting to it. Thus, if you have disabled SSL 2.0, the vulnerability does not apply to you. Generally, it is strongly recommended to disable the SSL 2.0 protocol because of its known problems.

2. Upgrade the OpenSSL server software.

   The vulnerability is resolved in the following versions of OpenSSL:

   - in the 0.9.7 branch, version 0.9.7h (or later);
   - in the 0.9.8 branch, version 0.9.8a (or later).

[note we resolved this simply by removing the functionality of this deprecated flag]

Acknowledgement
---------------

We thank Yutaka Oiwa of the Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST), Japan, for alerting us about this problem.

References
----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2969 for this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20051011.txt
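A triage sketch of the advisory's conditions, added here as an example; it is not part of the original bug report and not OpenSSL's code. The `OP_*` bit values, the `triage` and `parse_version` helpers and the sample inventory are assumptions made for the example.

```c
#include <stdio.h>

/* Stand-in option bits (assumed values for this sketch, not from the advisory);
   real code uses the SSL_OP_* macros from its own <openssl/ssl.h>. */
#define OP_MSIE_SSLV2_RSA_PADDING 0x00000040UL
#define OP_ALL                    0x00000FFFUL  /* implies the MSIE bit */
#define OP_NO_SSLV2               0x01000000UL  /* SSL 2.0 disabled */

enum verdict { SAFE_SSLV2_OFF, SAFE_CHECK_KEPT, SAFE_FIXED_RELEASE,
               AFFECTED, NEEDS_REVIEW };

/* Parse upstream "0.9.<minor>[letter]"; patch is 0 with no letter, 1 for 'a'.
   Returns -1 for anything else, e.g. a distro revision like "0.9.7g-r1",
   which may carry a backported patch the upstream string cannot show. */
static int parse_version(const char *s, int *minor, int *patch)
{
    char letter = 0, extra = 0;
    int n = sscanf(s, "0.9.%d%c%c", minor, &letter, &extra);
    if (n < 1 || n > 2 || *minor < 0) return -1;
    if (n == 2 && (letter < 'a' || letter > 'z')) return -1;
    *patch = (n == 2) ? letter - 'a' + 1 : 0;
    return 0;
}

/* Apply the advisory's conditions to one server's version and option mask. */
enum verdict triage(const char *version, unsigned long opts)
{
    int minor = 0, patch = 0;
    if (opts & OP_NO_SSLV2) return SAFE_SSLV2_OFF;
    if (!(opts & OP_MSIE_SSLV2_RSA_PADDING)) return SAFE_CHECK_KEPT;
    if (parse_version(version, &minor, &patch) != 0 || minor > 8)
        return NEEDS_REVIEW;
    if (minor == 7 && patch >= 8) return SAFE_FIXED_RELEASE; /* 0.9.7h+ */
    if (minor == 8 && patch >= 1) return SAFE_FIXED_RELEASE; /* 0.9.8a+ */
    return AFFECTED;  /* up to 0.9.7g, or 0.9.8 itself */
}

int main(void)
{
    /* Constructed inventory: version string plus the options the server sets. */
    static const struct { const char *v; unsigned long o; } srv[] = {
        { "0.9.7g", OP_ALL }, { "0.9.8", OP_ALL | OP_NO_SSLV2 },
        { "0.9.7h", OP_ALL }, { "0.9.7g-r1", OP_ALL }, { "0.9.7e", 0 },
    };
    for (size_t i = 0; i < sizeof srv / sizeof srv[0]; i++)
        printf("%-10s opts=0x%08lx -> %d\n", srv[i].v, srv[i].o,
               triage(srv[i].v, srv[i].o));
    return 0;
}
```

The option checks run before the version comparison, so a server with SSL 2.0 disabled is cleared even when its version string is a distro revision that cannot be compared against upstream releases.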
Created attachment 69860 [details, diff] patch-0.9.7
Created attachment 69861 [details, diff] patch-0.9.8
Martin please advise and attach an updated ebuild for arch testing if necessary. Do NOT commit anything to Portage.
Hmm, may only be done after a certain date or what?
You can attach an updated ebuild to this bug, but do not commit anything to Portage before we say go.
Created attachment 70011 [details, diff] openssl-0.9.8-CAN-2005-2969.patch
Patch needs to be slightly adjusted.
Created attachment 70012 [details] openssl-0.9.8-r1.ebuild
Ebuild for 0.9.8.
Thx Martin. Arch security liaisons please test and report back on this bug.

alpha   kloeri
amd64   blubb
hppa    hansmi
ppc     hansmi
ppc64   corsair
sparc   gustavoz
x86     tester
We probably want the 0.9.7 one to go stable .. I'll look into it if Mike has not .. heading to bed now though.
Back to preebuild unccing arch security liaisons.
And now with unccing :-) Sorry for the spam.
we'll actually need to fix both 0.9.7e and 0.9.7g
Created attachment 70297 [details] openssl-0.9.7-CAN.tar.bz2
updated 0.9.7 ebuilds
Ccing arch sec liaisons, please test and tell us which can be committed as stable on your arch.

alpha   kloeri
amd64   blubb MetalGOD
hppa    hansmi
ppc     hansmi
ppc64   corsair rangerpb
sparc   gustavoz
x86     tester
0.9.7g-r1 looks good for sparc.
hppa and ppc are fine
0.9.7g-r1 looks good for ppc64
Alpha is happy with 0.9.7g-r1.
0.9.7g-r1 is fine for amd64
looks fine on x86
OK ready for commit later that day...
Now public @ bug 108852

*** This bug has been marked as a duplicate of 108852 ***