Bug 42487 - openssl: multiple issues (3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3-0-errata
Assigned To: Arvid Requate
QA Contact: Philipp Hahn
Depends on: 42486
Reported: 2016-09-23 13:50 CEST by Felix Botner
Modified: 2016-12-14 12:58 CET
What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+


Description Felix Botner univentionstaff 2016-09-23 13:50:44 CEST
Not yet fixed in Debian, but maybe not as important, see https://www.openssl.org/news/secadv/20160922.txt:

Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.

We have version 1.0.1e-2+deb7u20 in 3.3-0-0.
Comment 1 Arvid Requate univentionstaff 2016-09-29 21:59:18 CEST
Upstream Debian package version 1.0.1t-1+deb7u1 fixes these issues:

 * Remote denial of service (integer overflow and application crash)
   or unspecified other impact (CVE-2016-2177)
 * Potential timing side-channel attack by local users on DSA private key
   via dsa_sign_setup function in crypto/dsa/dsa_ossl.c (CVE-2016-2178)
 * Remote denial of service (memory consumption) by maintaining
   many crafted DTLS sessions simultaneously (CVE-2016-2179)
 * Remote denial of service (out-of-bounds read and application crash)
   via a crafted timestamp file that is mishandled by the "openssl ts"
   command (CVE-2016-2180)
 * Remote denial of service (false-positive packet drops)
   via spoofed DTLS records (CVE-2016-2181)
 * Remote denial of service (out-of-bounds write and application crash)
   or unspecified other impact via BN_bn2dec function (CVE-2016-2182)
 * Remote denial of service via a ticket that is too short (CVE-2016-6302)
 * Remote denial of service (out-of-bounds write and application crash)
   or unspecified other impact via MDC2_Update function (CVE-2016-6303)
 * Remote denial of service (memory consumption)
   via large OCSP Status Request extensions (CVE-2016-6304)
 * Remote denial of service (out-of-bounds read) via crafted certificate
   operations (CVE-2016-6306)
Comment 2 Arvid Requate univentionstaff 2016-09-29 22:03:01 CEST
I.e. Debian wheezy-lts updated to the package version from Debian Jessie.
Comment 3 Arvid Requate univentionstaff 2016-11-17 18:23:49 CET
I've downloaded the 1.0.1t-1+deb7u1 source package and have repackaged it to 1.0.1e-2+deb7u20really1.0.1tdeb7u1. Additionally I had to apply a patch at build time to keep the version number below the one shipped in UCS 4.0.

The patch for CVE-2016-2182 included in that package is identical to the regression-fixed version included in the 1.0.1t-1+deb8u5 package (Bug #42961).

Advisory: openssl.yaml
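
The version ordering that the "really" repackaging in Comment 3 depends on, as an added example that is not part of the original comment or of Univention's tooling: a small Python re-implementation of the Debian version comparison rules, applied to the three version strings quoted in this bug. The function and constant names are hypothetical, and the UCS 4.0 version is not given on the page, so it is not compared.

```python
import re
from functools import cmp_to_key

def _order(c):
    # Sort weight of one character inside a non-digit run.
    if c == "~":
        return -1                  # tilde sorts before everything, even end of string
    return ord(c) if c.isalpha() else ord(c) + 256   # letters before other symbols

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0   # 0 = end of the run
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split into (epoch, upstream, revision); the revision follows the LAST hyphen."""
    head, sep, rest = version.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def compare_versions(x, y):
    ex, ux, rx = _split(x)
    ey, uy, ry = _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

# Version strings quoted in this bug report.
SHIPPED = "1.0.1e-2+deb7u20"                        # in UCS 3.3-0-0 before the update
REPACKAGED = "1.0.1e-2+deb7u20really1.0.1tdeb7u1"   # repackaged version from Comment 3
DEBIAN_FIXED = "1.0.1t-1+deb7u1"                    # upstream Debian fix

def upgrade_order():
    # The three versions sorted from lowest to highest.
    return sorted([DEBIAN_FIXED, REPACKAGED, SHIPPED], key=cmp_to_key(compare_versions))

print(" < ".join(upgrade_order()))
```

On a Debian-based host, `dpkg --compare-versions` gives the authoritative result for the same strings.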
Comment 4 Philipp Hahn univentionstaff 2016-12-13 10:40:33 CET
FIXED: errata-announce -V --only openssl.yaml  # r75233
 [FAIL] cve.CVE-2014-3571: Not in description: CVE-2014-3571
OK: 01_ucs3.3_dependency.patch
OK: 02_fix_version_below_ucs400.patch

OK: Bug #42961
OK: <https://www.openssl.org/news/secadv/20160922.txt>

OK: aptitude install '?source-package(openssl)~i'
OK: aptitude install '?source-package(openssl)?not(?name(udeb))'
OK: zless /usr/share/doc/libssl1.0.0/changelog.Debian.gz # 1.0.1e-2~ucs3.3.132.201611171655
FYI: Also fixed by 1.0.1t-1+deb7u1 but not mentioned here yet:
 CVE-2014-3570
 CVE-2014-3571
 CVE-2014-3572
 CVE-2014-8275
 CVE-2015-0204
 CVE-2015-0205
 CVE-2015-0206
OK: openssl s_client -connect localhost:636 # 443
OK: openssl s_client -connect localhost:443 -ssl3
OK: ldapsearch -ZZZ -x -D `ucr get ldap/hostdn` -y /etc/machine.secret dn
OK: univention-certificate new -name test -days 1
OK: univention-certificate check -name test
OK: univention-certificate dump -name test
OK: univention-certificate list
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: mutt -f imaps://Administrator@$(dnsdomainname)@$(hostname -f)/
OK: w3m https://$(hostname -f)/ucs-overview/
OK: lynx https://$(hostname -f)/ucs-overview/
OK: curl --cacert /etc/univention/ssl/ucsCA/CAcert.pem https://$(hostname -f)/ucs-overview/
Comment 5 Janek Walkenhorst univentionstaff 2016-12-14 12:58:49 CET
<http://errata.software-univention.de/ucs/3.3/26.html>