From ${URL} :

Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.

References:
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf

Upstream patch:
master: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=cf6da05304d554aaa885151451aa4ecaa977e601
OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6bfe55380abbf7528e04e59f18921bd6c896af1c
OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c6a876473cbff0fd323c8abcaace98ee2d21863d
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dc5dfe431cffbc1fa8eeead0853bd03395e52e71

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Also see #525484
*** Bug 525484 has been marked as a duplicate of this bug. ***
@base-system: go ahead :)
There are some more DoS issues fixed, so it's not just information leakage.
+*openssl-1.0.1j (15 Oct 2014) +*openssl-1.0.0o (15 Oct 2014) +*openssl-0.9.8z_p3 (15 Oct 2014) + + 15 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> + +openssl-0.9.8z_p3.ebuild, -openssl-1.0.0m.ebuild, -openssl-1.0.0n.ebuild, + +openssl-1.0.0o.ebuild, +openssl-1.0.1j.ebuild, -openssl-1.0.2_beta2.ebuild, + -files/openssl-1.0.2_beta2-revert-alpha-perl-generation.patch: + Security bump (bug #525468). Fixes CVE-2014-{3513,3515,3566,3567,3568}. + Arches please test and mark stable the following list of ebuilds: =dev-libs/openssl-0.9.8z_p3 (=openssl-0.9.8zc) =dev-libs/openssl-1.0.1j Target KEYWORDS are: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux
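Review bot: the stabilization request lists only =dev-libs/openssl-0.9.8z_p3 and =dev-libs/openssl-1.0.1j, but the entry also adds openssl-1.0.0o.ebuild (+*openssl-1.0.0o (15 Oct 2014)); if 1.0.0o is intentionally left ~arch, say so in the request so arch teams do not have to guess whether it was omitted by mistake.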
amd64 stable
x86 stable
Both stable on alpha.
It should be noted that this does not really fix CVE-2014-3566 aka POODLE. SCSV is merely a workaround for the "protocol dance" "feature" of browsers. The real fix is to disable SSLv3. I would propose the following: The openssl ebuild should be compiled with disable-ssl3 by default and for backwards compatibility a USE flag could be added ("insecure-ssl3" maybe, it should be made clear to users that SSLv3 is always risky and should be avoided). I'm currently testing openssl with ssl3 disabled on some servers, so far it seems tow
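The distinction drawn above between the SCSV workaround and actually disabling SSLv3 can be shown with a small simulation of the browser "protocol dance". This is an added example written for this page, not code from OpenSSL, from the Gentoo ebuild, or from the commenter: the Server class, the negotiate() fallback loop and the attacker model are assumptions made for the illustration; the TLS_FALLBACK_SCSV cipher suite value and the inappropriate_fallback alert name come from RFC 7507, and the version tuples and placeholder cipher suite are constructed.

```python
"""Toy model of browser protocol fallback (the "protocol dance") and the
TLS_FALLBACK_SCSV check from RFC 7507.

Added illustration only: this is not OpenSSL code and not part of the
Gentoo ebuild.  The Server class, negotiate() and the attacker model are
assumptions made for the example."""

# Protocol versions as (major, minor) so they compare in wire order.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

# Real value from RFC 7507: the signalling cipher suite {0x56, 0x00}.
TLS_FALLBACK_SCSV = 0x5600
# Placeholder for an ordinary cipher suite in the ClientHello (constructed).
SOME_SUITE = 0xC02F


class Server:
    """Server supporting min_version..max_version that honours
    TLS_FALLBACK_SCSV.  min_version=TLS10 models an OpenSSL built with
    no-ssl3 (or with SSL_OP_NO_SSLv3 set on the context)."""

    def __init__(self, max_version, min_version=SSL30):
        self.max_version = max_version
        self.min_version = min_version

    def hello(self, client_version, cipher_suites):
        """Process a ClientHello: ("ok", negotiated) or ("alert", name)."""
        if client_version < self.min_version:
            # SSLv3 disabled: the handshake fails instead of downgrading.
            return ("alert", "protocol_version")
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < self.max_version:
            # RFC 7507 section 3: the client says this is a fallback retry,
            # but we support something higher, so the first attempt was
            # interfered with.  Refuse rather than accept the downgrade.
            return ("alert", "inappropriate_fallback")
        return ("ok", min(client_version, self.max_version))


def negotiate(server, attacker_blocks, send_scsv, client_max=TLS12):
    """Browser-style dance: offer client_max, retry lower on any failure.

    attacker_blocks is the set of versions whose handshakes an active
    attacker drops (the client sees a reset and falls back).  Returns the
    negotiated version, or None if the client gives up."""
    for version in (TLS12, TLS11, TLS10, SSL30):
        if version > client_max:
            continue
        suites = [SOME_SUITE]
        if send_scsv and version < client_max:
            suites.append(TLS_FALLBACK_SCSV)   # only on fallback connections
        if version in attacker_blocks:
            continue                            # dropped; fall back further
        status, result = server.hello(version, suites)
        if status == "ok":
            return result
        if result == "inappropriate_fallback":
            return None                         # fail closed, no further retry
        # protocol_version: the server refuses this version, try the next one
    return None


def scenarios():
    """Four negotiations; the attacker drops every TLS 1.x handshake."""
    downgrade = {TLS12, TLS11, TLS10}
    return {
        "no attacker": negotiate(Server(TLS12), set(), send_scsv=True),
        "dance, no SCSV": negotiate(Server(TLS12), downgrade, send_scsv=False),
        "dance, SCSV": negotiate(Server(TLS12), downgrade, send_scsv=True),
        "dance, no SCSV, server no-ssl3": negotiate(
            Server(TLS12, min_version=TLS10), downgrade, send_scsv=False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The second scenario is the POODLE exposure: a client that does not send the SCSV ends up on SSL 3.0 against a server that would happily have spoken TLS 1.2. The third shows the SCSV closing that hole, but only when both sides implement it. The fourth shows that a server built without SSLv3 protects even SCSV-unaware clients, which is why enforcing the no-ssl3 build option (CVE-2014-3568 in this same bump) matters as much as adding the SCSV.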
Hanno, thanks for your input! I just wanted to push this issue because of the DoS vulnerabilities.
Stable for HPPA.
@craig fast update is fine, but I think we should consider doing more. I also just found out that OpenSSL by default not only enables SSLv3 but also the (even more broken) SSLv2. I propose the same thing: Provide a use-flag (maybe some people need it for some testing), but disable it by default.
(In reply to Hanno Boeck from comment #12) > @craig fast update is fine, but I think we should consider doing more. > > I also just found out that OpenSSL by default not only enables SSLv3 but > also the (even more broken) SSLv2. I propose the same thing: Provide a > use-flag (maybe some people need it for some testing), but disable it by > default. Hanno, what you're asking for is handled in bug #510798. Please move the conversation over to that bug and maybe provide ebuild patches.
stable on ppc and ppc64
*** Bug 525686 has been marked as a duplicate of this bug. ***
ia64 stable
sparc stable
arm stable, all arches done.
Maintainers, please clean up vulnerable versions for this bug and bug 519264: =dev-libs/openssl-0.9.8z_p1-r2 =dev-libs/openssl-1.0.1i
This issue was resolved and addressed in GLSA 201412-39 at http://security.gentoo.org/glsa/glsa-201412-39.xml by GLSA coordinator Sean Amoss (ackle).
Re-opening until vulnerable versions are dropped.
CVE-2014-3513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3513): Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.
CVE-2014-3568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3568): OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
CVE-2014-3567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3567): Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
Cleanup superseded by bug 543552.