Univention Bugzilla – Bug 40187
openssl: multiple issues (4.1)
Last modified: 2016-10-05 12:46:47 CEST
Upstream Debian package version 1.0.1e-2+deb7u18 fixes these issues:
* Denial of Service: Certificate verify crash with missing PSS parameter (CVE-2015-3194)
* PKCS#7 and CMS routines: malformed X509_ATTRIBUTE structure OpenSSL will leak memory (CVE-2015-3195)
* Race condition handling PSK identity hint potentially leading to double free in multithreaded clients (CVE-2015-3196)
The issues above are fixed in upstream Debian package version 1.0.2e-1. Additionally it fixes the following issue:
* The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite (CVE-2015-3193)
According to https://www.openssl.org/news/secadv/20151203.txt it also fixes:
* The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message (CVE-2015-1794)
Two new issues:
* SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
* Key Recovery Attack on DH small subgroups (CVE-2016-0701)

Description: X9.42 style parameter files such as those required for RFC 5114 support may use "unsafe" primes. If an application is using DH ciphers configured with DH parameters based on those "unsafe" primes, and either Static DH ciphersuites are used or DHE ciphersuites with the default OpenSSL configuration (in particular SSL_OP_SINGLE_DH_USE is not set) then it is vulnerable.

Affects DH parameters generated via either of these two methods:
* genpkey with the dh_rfc5114 option
* dhparam with the -dsaparam option

For details see http://intothesymmetry.blogspot.de/2016/01/openssl-key-recovery-attack-on-dh-small.html
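The "unsafe prime" condition from the CVE-2016-0701 description above, as an added example that is not part of this bug report, of Univention's packaging, or of OpenSSL: given p, g and (for an X9.42 group) q as integers, for instance as printed by `openssl dhparam -in dh.pem -text -noout`, it checks whether p is a safe prime (p = 2q' + 1 with q' prime) and then shows, on a constructed toy group, how a peer that keeps reusing its DH private key (the case where SSL_OP_SINGLE_DH_USE is not set) leaks that key modulo every small factor of the cofactor (p-1)/q. The group values, the private key and the `victim_oracle` are all constructed for the demonstration and are far too small for real use; the oracle stands in for the Finished-MAC check a real TLS attacker would use to test candidates.

```python
"""Safe-prime check for DH parameters plus a toy small-subgroup key recovery.

Added example for the CVE-2016-0701 discussion; not Univention's or OpenSSL's
code.  p, g and q are plain integers (as printed by `openssl dhparam -text`).
All groups below are constructed toy values, far too small for real use.
Requires Python 3.8+ (modular inverse via pow(m, -1, r)).
"""
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with a fixed seed so results are reproducible."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def small_prime_factors(n: int, bound: int = 1 << 16) -> list:
    """Distinct prime factors of n below `bound`, by trial division."""
    factors, d = [], 2
    while d * d <= n and d <= bound:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if 1 < n <= bound:
        factors.append(n)
    return factors


def assess_dh_group(p: int, g: int, q: int = None) -> dict:
    """Is p a safe prime?  For X9.42 groups, also describe the cofactor (p-1)/q."""
    report = {
        "p_prime": is_probable_prime(p),
        "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
    }
    if q is not None:
        cofactor = (p - 1) // q
        report.update({
            "q_prime": is_probable_prime(q),
            "g_in_subgroup": pow(g, q, p) == 1,
            "cofactor": cofactor,
            # each factor is a subgroup the attacker can confine the victim into;
            # with a safe prime only the factor 2 (one bit of x) remains
            "leakable_factors": small_prime_factors(cofactor),
        })
    return report


def small_subgroup_recover(p: int, q: int, victim_oracle) -> tuple:
    """Recover x modulo the product m of the small cofactor factors; returns (x mod m, m).

    victim_oracle(y) models a peer that reuses its private key x and returns
    y**x mod p (a real attacker tests candidates against the Finished MAC).
    """
    residues = {}
    for r in small_prime_factors((p - 1) // q):
        h = 2
        while True:                       # find an element of order exactly r
            y = pow(h, (p - 1) // r, p)
            if y != 1:
                break
            h += 1
        secret = victim_oracle(y)         # equals y**(x mod r): only r candidates
        residues[r] = next(k for k in range(r) if pow(y, k, p) == secret)
    x, m = 0, 1                           # combine the residues with the CRT
    for r, a in residues.items():
        x += m * (((a - x) * pow(m, -1, r)) % r)
        m *= r
    return x, m


# Constructed toy groups.  SAFE: p = 2*11 + 1 = 23, g = 2 has order 11.
# UNSAFE (X9.42 style): p = 2*3*5 + 1 = 31, q = 5, cofactor 6 = 2*3.
SAFE_GROUP = (23, 2, 11)
UNSAFE_GROUP = (31, 2, 5)


def demo(group: tuple, x: int) -> tuple:
    """Attack a victim that reuses private key x in `group`."""
    p, _g, q = group
    return small_subgroup_recover(p, q, lambda y: pow(y, x, p))
```

With the unsafe group, `demo(UNSAFE_GROUP, x)` recovers x completely (the private exponent lies below q = 5, and the cofactor factors 2 and 3 already determine x mod 6), while the safe group gives away only x mod 2. On a real X9.42 group the same loop recovers x modulo every small factor of the cofactor, which is why OpenSSL's fix validates the peer's public value against q and why SSL_OP_SINGLE_DH_USE (a fresh x per handshake) removes the reuse the attack depends on.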
Update:
- Not affected by CVE-2015-3197 because SSLv2 is disabled (built with no-ssl2)

Upstream Debian package version 1.0.2f-2 fixes CVE-2016-0701.
The following new issues have been identified (see https://www.openssl.org/news/secadv/20160301.txt):
* Double-free in DSA code (CVE-2016-0705)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)

The OpenSSL version in UCS 4.x is not affected by CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800.
Upstream Debian sid version 1.0.2g-1 fixes these issues: CVE-2015-7575 CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799 CVE-2016-0800
Ok, I've imported and built that version, we should test this extensively, closing to signal QA, let's see if this is a good idea..
Jenkins-Regressions on all roles:

<http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-1/job/Autotest%20MultiEnv/lastCompletedBuild/SambaVersion=s3,Systemrolle=member/testReport/23_apache/20_ssl-protocols/test/>
(2016-03-15 20:42:56.188472)W: The config registry variable 'apache2/ssl/v3' does not exist
(2016-03-15 20:42:56.188562)W: The config registry variable 'apache2/ssl/tlsv11' does not exist
(2016-03-15 20:42:56.188621)W: The config registry variable 'apache2/ssl/tlsv12' does not exist
(2016-03-15 20:42:56.255031)Syntax OK
(2016-03-15 20:42:56.368380)info 2016-03-15 20:42:56 ssl3=0
(2016-03-15 20:42:56.381585)error 2016-03-15 20:42:56 openssl s_client -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -connect localhost:443 -quiet -no_ign_eof -ssl3
(2016-03-15 20:42:56.382361)error 2016-03-15 20:42:56 **************** Test failed above this line (1) ****************

<http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-1/job/Autotest%20MultiEnv/lastCompletedBuild/SambaVersion=s3,Systemrolle=member/testReport/23_apache/21_ssl-ciphers/test/>
(2016-03-15 20:43:00.938423)info 2016-03-15 20:43:00 LOW
(2016-03-15 20:43:00.941315)Error in cipher list
(2016-03-15 20:43:00.941547)139996400010920:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1376:

Tests might need adaptation if ciphers/protocols were disabled.
Tests adjusted; the new version doesn't support ssl3, LOW and EXPORT ciphers. The changelog says:
* Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)

The deactivation of ssl3 implies that the CLI tool option -ssl3 is invalid now too.
If I update, the new package libssl1.0.2 is installed in addition to the old libssl1.0.0, and now I have
/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
/usr/lib/x86_64-linux-gnu/libssl.so.1.0.2

-> dpkg -l | grep libssl
ii  libssl1.0.0:amd64  1.0.2d-1.104.201510141521
ii  libssl1.0.2:amd64  1.0.2g-1.109.201603040915

But all the tools are still linked to the old ssl lib:

-> ldd /usr/lib/libpostfix-tls.so.1 | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fc8c8312000)
-> ldd /usr/lib/apache2/modules/mod_ssl.so | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2789217000)
-> ldd /usr/lib/dovecot/imap-login | grep ssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fedcc616000)
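A systematic version of the ldd spot check above, as an added example that is not part of this bug or of Univention's tooling: `dpkg -l` only says which libssl packages are installed, while exposure depends on which soname each consumer actually resolves at load time, which is what `ldd` reports (for already-running processes, /proc/<pid>/maps would be the equivalent source). The sample output below is constructed from the three ldd lines quoted in the comment plus one hypothetical consumer that already resolves the new library; `ldd_outputs` is the only function that touches the real system and needs `ldd` on PATH.

```python
"""Which binaries still resolve the old libssl soname?

Added example for the side-by-side libssl1.0.0/libssl1.0.2 observation above;
not Univention's tooling.  SAMPLE_LDD is constructed from the ldd lines quoted
in the bug plus one made-up consumer that already uses the new library.
"""
import re
import shutil
import subprocess

# "<soname> => <path or 'not found'> (<load address>)"; other ldd lines
# (vdso, the ELF interpreter, "statically linked") do not match.
_LDD_LINE = re.compile(
    r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>not found|\S+)(?:\s+\(0x[0-9a-f]+\))?\s*$"
)


def parse_ldd(output: str) -> dict:
    """Map each needed soname to its resolved path (None when 'not found')."""
    deps = {}
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            deps[m["soname"]] = None if m["path"] == "not found" else m["path"]
    return deps


def stale_consumers(ldd_by_binary: dict, wanted: str = "libssl.so.1.0.2",
                    prefix: str = "libssl.so.") -> dict:
    """Return {binary: soname} for every binary resolving a libssl other than `wanted`."""
    stale = {}
    for binary, output in ldd_by_binary.items():
        for soname in parse_ldd(output):
            if soname.startswith(prefix) and soname != wanted:
                stale[binary] = soname
    return stale


def ldd_outputs(binaries) -> dict:
    """Collect real ldd output for the given files (needs ldd on PATH); not used offline."""
    if shutil.which("ldd") is None:
        raise RuntimeError("ldd not found on PATH")
    return {b: subprocess.run(["ldd", b], capture_output=True, text=True).stdout
            for b in binaries}


# Constructed sample: three lines quoted in the bug, one hypothetical rebuilt tool.
SAMPLE_LDD = {
    "/usr/lib/libpostfix-tls.so.1":
        "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fc8c8312000)\n",
    "/usr/lib/apache2/modules/mod_ssl.so":
        "\tlinux-vdso.so.1 (0x00007ffd1c3fe000)\n"   # constructed non-dependency line
        "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2789217000)\n",
    "/usr/lib/dovecot/imap-login":
        "\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fedcc616000)\n",
    "/usr/bin/hypothetical-rebuilt-tool":              # hypothetical, not on the page
        "\tlibssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000000000)\n"
        "\tlibmissing.so.9 => not found\n",
}


if __name__ == "__main__":
    for binary, soname in stale_consumers(SAMPLE_LDD).items():
        print(f"{binary}: still linked against {soname}")
```

Against the constructed sample the three consumers quoted in the bug are reported as stale and the hypothetical rebuilt tool is not; on a real host, pass `ldd_outputs([...])` instead of `SAMPLE_LDD`. An empty result from this check is the condition under which installing libssl1.0.2 next to libssl1.0.0 would actually have closed the advisories, which the comment shows was not the case.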
Ok, the experiment with 1.0.2g-1 failed, so I removed the package from the errata4.1-1 scope and cherry picked 1.0.2d-1 from ucs_4.1-0 instead. I identified all required commits from the upstream git repo and converted them into repo-ng patches that inject debian/patches suitable for the Debian quilt (3.0) source package format:
01_CVE-2015-1794.patch
02_CVE-2015-3193.patch
03_CVE-2015-3194.patch
04_CVE-2015-3195.patch
05_CVE-2016-0701.patch
06_CVE-2016-0702.patch
07_CVE-2016-0705.patch
08_CVE-2016-0797.patch
09_CVE-2016-0798.patch
10_CVE-2016-0799.patch
11_CVE-2016-0800.patch

The last one is overkill, since Debian doesn't build with ssl2 support, but better safe than sorry. Advisory updated and change to ucs-test reverted.
amd64/i386
OK - built with patches 01_CVE-2015-1794 02_CVE-2015-3193 03_CVE-2015-3194 04_CVE-2015-3195 05_CVE-2016-0701 06_CVE-2016-0702 07_CVE-2016-0705 08_CVE-2016-0797 09_CVE-2016-0798 10_CVE-2016-0799 11_CVE-2016-0800
OK - Jenkins
OK - ucs-test-base
OK - ucs-test-apache
OK - openssl s_client -connect 443 636 993
OK - ldapsearch -ZZZ
OK - certificate creation
OK - openssl cert verify (openssl verify -CAfile /etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/master/cert.pem)
OK - ssl3 disabled (openssl s_client -connect hostname:443 -ssl3)
OK - imap/smtp with tls (univention-mail-horde, horde login, horde mail)
OK - libssl-dev
OK - YAML
<http://errata.software-univention.de/ucs/4.1/139.html>