Bug 36170

Summary: openssl: Multiple issues (3.2)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P5 CC: gohmann
Version: UCS 3.2   
Target Milestone: UCS 3.2-4-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Moritz Muehlenhoff univentionstaff 2014-10-15 10:39:27 CEST 
CVE-2014-3566

This will requires fixes in openssl, gnutls and nss. Firefox also needs a fix since it uses a local nss copy. (There are additional Firefox issues, so I'll file a separate bug).

http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
Comment 1 Moritz Muehlenhoff univentionstaff 2014-10-15 18:41:28 CEST 
Additional issues have been reported/fixed:

Denial of service through memory leak in session ticket validation (CVE-2014-3567)
A a mechanism to counter downgrade attacks to SSL3 (TLS_FALLBACK_SCSV) (CVE-2014-3566)
The build option no-ssl3 didn't work as expected (CVE-2014-3568)
Comment 2 Janek Walkenhorst univentionstaff 2014-12-11 17:58:45 CET 
squeeze-lts imported.
Tests (amd64): OK
Advisory: 2014-12-01-openssl.yaml
Comment 3 Philipp Hahn univentionstaff 2014-12-17 14:30:14 CET 
OK: aptitude install '?source-package(openssl)?installed'
OK: amd64
OK: i386
OK: zless /usr/share/doc/openssl/changelog.Debian.gz
OK: univention-certificate new -name foo
OK: openssl verify  -CAfile ucsCA/CAcert.pem -purpose any  foo/cert.pem
OK: univention-ldapsearch -ZZ
OK: (printf 'GET / HTTP/1.1\r\nHost: www.univention.de\r\n\r\n';sleep 1)|openssl s_client -host www.univention.de -port 443
FIXED: 2014-12-01-openssl.yaml
 r56923 | Bug #36170 OpenSSL: YAML fixes
OK: errata-announce --validate-bugzilla -V 2014-12-01-openssl.yaml
Comment 4 Janek Walkenhorst univentionstaff 2014-12-17 15:38:57 CET 
http://errata.univention.de/ucs/3.2/257.html