Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 292022 - <dev-libs/openssl-0.9.8l TLS renegotiation design flaw (CVE-2009-3555)
Summary: <dev-libs/openssl-0.9.8l TLS renegotiation design flaw (CVE-2009-3555)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 294297
Blocks: CVE-2009-1377 280591 CVE-2009-3555
  Show dependency tree
 
Reported: 2009-11-05 22:09 UTC by Hanno Böck
Modified: 2009-12-03 06:33 UTC (History)
12 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2009-11-05 22:09:36 UTC
A design flaw in tls has been found that makes it possible to inject content on session renegotiation. openssl has released 0.9.8l which disables renegotiation to work around this.

I don't know if this causes any breakage.

From Changelog:

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-05 22:27:59 UTC
(In reply to comment #0)
> I don't know if this causes any breakage.
> 

Yes, at least HTTP w/client certificates heavily depends on this.
More details at https://bugzilla.redhat.com/show_bug.cgi?id=533125#c4

Also, see the blocked bug for more details.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-05 22:29:57 UTC
Arches, please test and mark stable:
=dev-libs/openssl-0.9.8l
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Christophe Saout 2009-11-06 21:47:18 UTC
net-misc/tor also breaks because of this.  Took me a while to figure it out...
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 23:41:33 UTC
Christophe: how does it "break"?!
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-07 15:39:31 UTC
(In reply to comment #3)
> net-misc/tor also breaks because of this.  Took me a while to figure it out...

 In the unstable or stable version?  net-misc/tor is ready for stabilisation anyway.
Comment 6 Bernd Marienfeldt 2009-11-07 18:15:48 UTC
See also http://extendedsubset.com/?p=8
Comment 7 Tobias Klausmann gentoo-dev 2009-11-07 22:39:37 UTC
Stable on alpha.
Comment 8 Hanno Böck gentoo-dev 2009-11-07 22:42:12 UTC
From what I understood, this fully breaks client certificate usage. I'm not sure it's a good idea to stabilize this yet, I'd rather wait for a version implementing the new tls renegotiation draft.
Comment 9 Jeroen Roovers gentoo-dev 2009-11-08 15:57:42 UTC
Stable for HPPA.
Comment 10 nixnut (RETIRED) gentoo-dev 2009-11-08 20:38:21 UTC
ppc stable
Comment 11 Christophe Saout 2009-11-09 01:30:07 UTC
(In reply to comment #4)
> Christophe: how does it "break"?!

If you start it up it get stuck at "bootstraping 10%" and gives TLS rengotiation errors when trying to get the directory information.  I guess it's trying to use client certificates or something.  This is the unstable tor version.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 11:48:37 UTC
Please do not continue to stabilize! This will break other packages and functionalities, I fear even things like https/apache.

re-adding hppa & ppc: can you revert to the older openssl-version?

Further action needs to be discussed.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 11:51:17 UTC
...and re-adding alpha, of course!
Comment 14 SpanKY gentoo-dev 2009-11-09 12:55:02 UTC
those packages breaking are less important than the packages being vuln.  the change upstream added a flag so packages that do not like the new behavior can be restored.  patch the broken package in question to use that flag, and file a new bug to address the issue.

i'll have to put out a -r1 anyways to include other CVE changes that apparently werent included in this release
Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-12 14:34:12 UTC
net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version.  Please stabilise that, too, I am on limited connectivity.
Comment 16 Tomas Hoger 2009-11-12 15:03:09 UTC
(In reply to comment #15)
> net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version.

Btw, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION seems to be a 0.9.8l-only feature and the patch may need further updates later:

  http://cvs.openssl.org/chngview?cn=18804

  Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns
  out to be a bad idea. It has been replaced by
  SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
  SSL_CTX_set_options().
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-19 09:54:13 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > net-misc/tor-0.2.1.9-r2 is good to go with this OpenSSL version.
> 
> Btw, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION seems to be a 0.9.8l-only
> feature and the patch may need further updates later:
> 
>   http://cvs.openssl.org/chngview?cn=18804
> 
>   Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns
>   out to be a bad idea. It has been replaced by
>   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
>   SSL_CTX_set_options().

 We have to see then. At the moment we can fix this security issue.
Comment 18 SpanKY gentoo-dev 2009-11-21 03:11:16 UTC
0.9.8l-r1 added with the missing patches.  should be good to roll now.
Comment 19 Jeroen Roovers gentoo-dev 2009-11-21 17:04:58 UTC
Stable for HPPA.
Comment 20 nixnut (RETIRED) gentoo-dev 2009-11-21 19:57:06 UTC
ppc stable
Comment 21 Tobias Klausmann gentoo-dev 2009-11-22 11:36:03 UTC
-r1 stable on alpha.
Comment 22 Markus Meier gentoo-dev 2009-11-23 13:19:25 UTC
amd64/arm/x86 stable
Comment 23 Brent Baude (RETIRED) gentoo-dev 2009-11-23 17:13:06 UTC
ppc64 done
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2009-11-23 21:23:23 UTC
ia64/m68k/s390/sh/sparc stable, mips doesn't do stable keywords
Comment 25 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-23 21:30:04 UTC
GLSA request filed.
Comment 26 SpanKY gentoo-dev 2009-11-27 22:01:42 UTC
btw, you should do the request against 0.9.8l-r2 as 0.9.8l-r2 didnt have all the pieces for CVE-2009-2409 (Bug 280591)
Comment 27 Matthew Schultz 2009-12-01 20:21:48 UTC
I don't know if anyone has noticed this yet but openssl-0.9.8l breaks the use of local_cert option with the soap client in php.
Comment 28 SpanKY gentoo-dev 2009-12-01 20:28:06 UTC
this is not a bug report for people to dump random stuff into.  if you have a problem, file a *new* bug.  if it's related to other bugs, people can mark things as depending/blocking other bugs.
Comment 29 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-01 21:34:41 UTC
GLSA 200912-01

vapier: please clean out the old versions.
Comment 30 Matthew Schultz 2009-12-01 21:39:10 UTC
Please don't clean 0.9.8k.  Please see bug 295367.
Comment 31 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-01 21:41:50 UTC
(In reply to comment #30)
> Please don't clean 0.9.8k.  Please see bug 295367.
> 

Negative. If you need 0.9.8k create a local overlay with it. Removed ebuilds are archived at sources.gentoo.org.
Comment 32 Hanno Böck gentoo-dev 2009-12-02 17:11:00 UTC
Alex, I find this a stupid idea. The new openssl version breaks certain scenarios (and breaks means not something is wrongly configured or bad design but it's just that the new openssl version lacks features). I'm all for taking security seriously, but breaking setups and taking away the option of switching back is no good idea either.

We should at least provide that backup option as long as draft-ietf-tls-renegotiation, which is the only real fix, is implemented.

(btw, I don't understand the hurry as we still have NO fix for gnutls and nss and the issue is completely the same)
Comment 33 SpanKY gentoo-dev 2009-12-02 22:07:42 UTC
as said, security is more important than a handful of misbehaving apps (thus 0.9.8l-r2 gets stabilized even though some stable apps break).  i've always been conservative with openssh/openssl in terms of culling older versions because you never know when you need to quickly test an older versions.  i'll probably de-KEYWORD them to keep security peeps happy.
Comment 34 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-03 06:33:06 UTC
(In reply to comment #32)
> Alex, I find this a stupid idea.

Hanno, this is our standard procedure. Reason: Prevent $user from accidentally installing a vulnerable version. Keep in mind, there were more issues than this one here fixed.

> (btw, I don't understand the hurry as we still have NO fix for gnutls and nss
> and the issue is completely the same)

So? This is about OpenSSL, not gnutls, nss or whatever.


(In reply to comment #33)
> i'll probably de-KEYWORD them to keep security peeps happy.

ack. maybe you can find one or two versions that you really really want to keep, dekeyword or p.mask them, remove the rest, and we're okay with it.