Bug 36170 - openssl: Multiple issues (3.2)
openssl: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-4-errata
Assigned To: Janek Walkenhorst
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-15 10:39 CEST by Moritz Muehlenhoff
Modified: 2014-12-17 15:38 CET (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-10-15 10:39:27 CEST
CVE-2014-3566

This will requires fixes in openssl, gnutls and nss. Firefox also needs a fix since it uses a local nss copy. (There are additional Firefox issues, so I'll file a separate bug).

http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
Comment 1 Moritz Muehlenhoff univentionstaff 2014-10-15 18:41:28 CEST
Additional issues have been reported/fixed:

Denial of service through memory leak in session ticket validation (CVE-2014-3567)
A a mechanism to counter downgrade attacks to SSL3 (TLS_FALLBACK_SCSV) (CVE-2014-3566)
The build option no-ssl3 didn't work as expected (CVE-2014-3568)
Comment 2 Janek Walkenhorst univentionstaff 2014-12-11 17:58:45 CET
squeeze-lts imported.
Tests (amd64): OK
Advisory: 2014-12-01-openssl.yaml
Comment 3 Philipp Hahn univentionstaff 2014-12-17 14:30:14 CET
OK: aptitude install '?source-package(openssl)?installed'
OK: amd64
OK: i386
OK: zless /usr/share/doc/openssl/changelog.Debian.gz
OK: univention-certificate new -name foo
OK: openssl verify  -CAfile ucsCA/CAcert.pem -purpose any  foo/cert.pem
OK: univention-ldapsearch -ZZ
OK: (printf 'GET / HTTP/1.1\r\nHost: www.univention.de\r\n\r\n';sleep 1)|openssl s_client -host www.univention.de -port 443
FIXED: 2014-12-01-openssl.yaml
 r56923 | Bug #36170 OpenSSL: YAML fixes
OK: errata-announce --validate-bugzilla -V 2014-12-01-openssl.yaml
Comment 4 Janek Walkenhorst univentionstaff 2014-12-17 15:38:57 CET
http://errata.univention.de/ucs/3.2/257.html