Bug 40187 - openssl: multiple issues (4.1)
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-1-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks: 40188
Reported: 2015-12-07 19:33 CET by Arvid Requate
Modified: 2016-10-05 12:46 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-12-07 19:33:45 CET
Upstream Debian package version 1.0.1e-2+deb7u18 fixes these issues:

* Denial of Service: Certificate verify crash with missing PSS parameter (CVE-2015-3194)

* PKCS#7 and CMS routines: malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195)

* Race condition handling PSK identity hint potentially leading to double free in multithreaded clients (CVE-2015-3196)
Comment 1 Arvid Requate univentionstaff 2016-01-11 12:20:03 CET
The issues above are fixed in upstream Debian package version 1.0.2e-1.

Additionally it fixes the following issue:

* The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite (CVE-2015-3193)
Comment 2 Arvid Requate univentionstaff 2016-01-11 12:22:19 CET
According to https://www.openssl.org/news/secadv/20151203.txt it also fixes

* The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message (CVE-2015-1794)
Comment 3 Arvid Requate univentionstaff 2016-01-28 19:07:02 CET
Two new issues:

* SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

* Key Recovery Attack on DH small subgroups (CVE-2016-0701)

  X9.42 style parameter files such as those required for RFC 5114 support
  may use "unsafe" primes. If an application is using DH ciphers configured
  with DH parameters based on those "unsafe" primes, and either
  Static DH ciphersuites are used or DHE ciphersuites with the default
  OpenSSL configuration (in particular SSL_OP_SINGLE_DH_USE is not set)
  then it is vulnerable.

  Affects DH parameters generated via either of these two methods:
  * genpkey with the dh_rfc5114 option
  * dhparam with the -dsaparam option

For details see http://intothesymmetry.blogspot.de/2016/01/openssl-key-recovery-attack-on-dh-small.html
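The advisory quoted in Comment 3 turns on whether the DH prime is "safe" (p = 2q + 1 with q prime) or an X9.42-style prime p = jq + 1 whose cofactor j has small factors, and on whether a server reuses one DH private key across handshakes (the default unless SSL_OP_SINGLE_DH_USE is set). The following added example, which is not part of UCS or OpenSSL, checks a parameter set for exactly those properties so an operator can audit the DH parameters a service is configured with. All primes in it are small constructed values chosen to keep the check instant; real parameters are 2048 bits or more and the same functions apply unchanged.

```python
"""Audit Diffie-Hellman parameters for the small-subgroup risk (CVE-2016-0701).

Added example, not UCS or OpenSSL code. The primes used at the bottom are
small constructed values for illustration only.
"""
import random
from typing import Dict, List, Optional


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; deterministic seed so results are repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def small_factors(n: int, bound: int = 1 << 16) -> List[int]:
    """Distinct prime factors of n below `bound`, found by trial division."""
    factors = []
    f = 2
    while f <= bound and f * f <= n:
        if n % f == 0:
            factors.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if 1 < n <= bound:
        factors.append(n)
    return factors


def dh_param_report(p: int, q: Optional[int] = None) -> Dict[str, object]:
    """Summarise why a (p, q) pair is or is not safe to reuse a private key with.

    A safe prime only has subgroups of order 1, 2, q and 2q, so a reused private
    key leaks at most one bit. With an X9.42-style prime, every small factor of
    the cofactor (p-1)/q is a small subgroup a peer could probe unless the
    server uses a fresh key per handshake (SSL_OP_SINGLE_DH_USE).
    """
    report: Dict[str, object] = {"p_is_prime": is_probable_prime(p)}
    report["safe_prime"] = bool(report["p_is_prime"]) and is_probable_prime((p - 1) // 2)
    if q is not None:
        divides = (p - 1) % q == 0
        report["q_is_prime"] = is_probable_prime(q)
        report["q_divides_p_minus_1"] = divides
        cofactor = (p - 1) // q if divides else 0
        report["cofactor_small_factors"] = small_factors(cofactor) if cofactor else []
    report["key_reuse_acceptable"] = bool(report["safe_prime"])
    return report


if __name__ == "__main__":
    # Constructed: p = 23 is a safe prime (q = 11); p = 607 = 6*101 + 1 is not.
    print(dh_param_report(23, 11))
    print(dh_param_report(607, 101))
```

For real parameters, read p and q out of the PEM with `openssl dhparam -in file -text -noout` and feed the hex values to `dh_param_report`. A report with `safe_prime` False and a non-empty `cofactor_small_factors` list is the configuration the advisory describes; the fix is either regenerating parameters as a safe prime or making sure the server does not reuse its DH private key.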
Comment 4 Arvid Requate univentionstaff 2016-01-28 20:40:16 CET
 - Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)

Upstream Debian package version 1.0.2f-2 fixes CVE-2016-0701.
Comment 5 Arvid Requate univentionstaff 2016-03-01 15:18:45 CET
The following new issues have been identified
(see https://www.openssl.org/news/secadv/20160301.txt):

* Double-free in DSA code (CVE-2016-0705)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)

The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.
Comment 6 Arvid Requate univentionstaff 2016-03-04 09:12:57 CET
Upstream Debian sid version 1.0.2g-1 fixes these issues:

CVE-2015-7575 CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799 CVE-2016-0800
Comment 7 Arvid Requate univentionstaff 2016-03-04 12:47:24 CET
Ok, I've imported and built that version, we should test this extensively, closing to signal QA, let's see if this is a good idea.
Comment 8 Philipp Hahn univentionstaff 2016-03-16 08:49:20 CET
Jenkins-Regressions on all roles:


(2016-03-15 20:42:56.188472)W: The config registry variable 'apache2/ssl/v3' does not exist
(2016-03-15 20:42:56.188562)W: The config registry variable 'apache2/ssl/tlsv11' does not exist
(2016-03-15 20:42:56.188621)W: The config registry variable 'apache2/ssl/tlsv12' does not exist
(2016-03-15 20:42:56.255031)Syntax OK
(2016-03-15 20:42:56.368380)info 2016-03-15 20:42:56	 ssl3=0
(2016-03-15 20:42:56.381585)error 2016-03-15 20:42:56	 openssl s_client -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -connect localhost:443 -quiet -no_ign_eof -ssl3
(2016-03-15 20:42:56.382361)error 2016-03-15 20:42:56	 **************** Test failed above this line (1) ****************


(2016-03-15 20:43:00.938423)info 2016-03-15 20:43:00	 LOW
(2016-03-15 20:43:00.941315)Error in cipher list
(2016-03-15 20:43:00.941547)139996400010920:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1376:

Tests might need adaption if ciphers/protocols were disabled.
Comment 9 Arvid Requate univentionstaff 2016-03-16 17:19:19 CET
Tests adjusted, the new version doesn't support ssl3, LOW and EXPORT ciphers, the changelog says:

  * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)

The deactivation of ssl3 implies that the cli tool option -ssl3 is invalid now too.
Comment 10 Felix Botner univentionstaff 2016-03-18 14:00:47 CET
If I update, the new package libssl1.0.2 is installed in addition to the old libssl1.0.0,
and now I have


-> dpkg -l| grep libssl
ii  libssl1.0.0:amd64         1.0.2d-1.104.201510141521
ii  libssl1.0.2:amd64         1.0.2g-1.109.201603040915 

But all the tools are still linked to the old ssl lib

-> ldd /usr/lib/libpostfix-tls.so.1| grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fc8c8312000)

-> ldd /usr/lib/apache2/modules/mod_ssl.so | grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2789217000)

-> ldd /usr/lib/dovecot/imap-login | grep ssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fedcc616000)
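The ldd output in Comment 10 shows the practical problem with a soname bump: the new library is installed, but every dependent binary keeps resolving `libssl.so.1.0.0`, so the update fixes nothing until those packages are rebuilt against the new soname. The added example below, which is not UCS tooling, parses ldd output for a set of binaries and lists the ones still bound to a libssl or libcrypto version other than the expected one. The embedded output is constructed to mirror the comment plus one hypothetical rebuilt binary; `run_ldd` shells out to the real `ldd` only when called explicitly.

```python
"""Find binaries still resolving libssl/libcrypto to an old soname after an update.

Added example, not part of UCS. SAMPLE_LDD is constructed from the ldd
output in Comment 10 plus one hypothetical rebuilt binary.
"""
import re
import subprocess
from typing import Dict, List

# Matches e.g. "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x...)"
LDD_LINE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\.(\S+))\s*=>\s*(\S+)")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each libssl/libcrypto soname found in ldd output to its resolved path."""
    found: Dict[str, str] = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(3)
    return found


def stale_openssl_links(ldd_by_binary: Dict[str, str], expected_version: str) -> List[str]:
    """Return the binaries whose libssl/libcrypto soname version differs from expected.

    A binary that links neither library is ignored; one that links the old
    version of either library is reported once.
    """
    stale = []
    for binary, output in ldd_by_binary.items():
        for soname in parse_ldd(output):
            version = soname.split(".so.", 1)[1]
            if version != expected_version:
                stale.append(binary)
                break
    return sorted(stale)


def run_ldd(path: str) -> str:
    """Collect real ldd output for one binary (not used by the offline sample)."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout


# Constructed sample: two entries copied from Comment 10, one hypothetical rebuilt binary.
SAMPLE_LDD = {
    "/usr/lib/libpostfix-tls.so.1": (
        "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fc8c8312000)\n"
        "\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fc8c7f00000)\n"
    ),
    "/usr/lib/apache2/modules/mod_ssl.so": (
        "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2789217000)\n"
    ),
    "/usr/sbin/hypothetical-rebuilt-daemon": (
        "\tlibssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000000000)\n"
        "\tlibcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000100000)\n"
    ),
}


if __name__ == "__main__":
    for path in stale_openssl_links(SAMPLE_LDD, "1.0.2"):
        print("still linked against old libssl/libcrypto:", path)
```

On a live system, build the dictionary with `{path: run_ldd(path) for path in candidates}` over the service binaries and modules you care about. Note that ldd shows what a binary would load on the next start; a long-running process that was started before the update keeps the old library mapped until it is restarted, which is a separate check (for example against `/proc/<pid>/maps`).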
Comment 11 Arvid Requate univentionstaff 2016-03-21 20:39:52 CET
Ok, the experiment with 1.0.2g-1 failed, so I removed the package from the errata4.1-1 scope and cherry picked 1.0.2d-1 from ucs_4.1-0 instead. I identified all required commits from the upstream git repo and converted them into repo-ng patches that inject debian/patches suitable for the Debian quilt (3.0) source package format:


The last one is overkill, since Debian doesn't build with ssl2 support, but better safe than sorry.

Advisory updated and change to ucs-test reverted.
Comment 12 Felix Botner univentionstaff 2016-04-05 12:48:08 CEST

OK - built with patches

OK - Jenkins
OK - ucs-test-base
OK - ucs-test-apache

OK - openssl s_client -connect 443 636 993 
OK - ldapsearch -ZZZ
OK - certificate creation
OK - openssl cert verify (openssl verify -CAfile /etc/univention/ssl/master/cert.pem )
OK - ssl3 disabled (openssl s_client -connect hostname:443 -ssl3)
OK - imap/smtp with tls (univention-mail-horde, horde login, horde mail)
OK - libssl-dev

Comment 13 Janek Walkenhorst univentionstaff 2016-04-06 13:15:04 CEST