Bug 40189 - openssl: Denial of service (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-8-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://www.openssl.org/news/secadv/2...
Depends on: 40188
Reported: 2015-12-07 19:39 CET by Arvid Requate
Modified: 2016-03-30 13:30 CEST (History)
Bug group (optional): Security

Attachments
CVE-2016-0800.patch (4.58 KB, patch)
2016-03-01 16:52 CET, Arvid Requate
CVE-2016-0798.patch (12.36 KB, patch)
2016-03-01 16:53 CET, Arvid Requate
CVE-2016-0797.patch (3.89 KB, patch)
2016-03-01 16:53 CET, Arvid Requate
CVE-2016-0799.patch (14.99 KB, patch)
2016-03-01 16:54 CET, Arvid Requate
CVE-2016-0702.patch (23.01 KB, patch)
2016-03-01 16:54 CET, Arvid Requate

Description Arvid Requate univentionstaff 2015-12-07 19:39:29 CET
Upstream Debian package version 0.9.8o-4squeeze22 fixes this issue:

* PKCS#7 and CMS routines: when presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak memory (CVE-2015-3195)
Comment 1 Arvid Requate univentionstaff 2016-02-22 12:32:47 CET
Upstream Debian package version 0.9.8o-4squeeze23 fixes this issue:

* A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2 (CVE-2015-3197)

* Additionally, when using a DHE cipher suite a new DH key will always be generated for each connection.
Comment 2 Arvid Requate univentionstaff 2016-03-01 15:16:20 CET
The following new issues have been identified
(see https://www.openssl.org/news/secadv/20160301.txt):

* Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
* Memory leak in SRP database lookups (CVE-2016-0798)
* BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
* Memory issues in BIO_*printf functions (CVE-2016-0799)
* Side channel attack on modular exponentiation (CVE-2016-0702)
* Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
* Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
Comment 3 Arvid Requate univentionstaff 2016-03-01 16:41:39 CET
Please note that CVE-2016-0703, CVE-2016-0704 and CVE-2016-0800 exploit SSLv2.

By default UCS 3.2 univention-apache disables SSLv2 (Bug 36173#c5, UCS 3.2 erratum 225) as well as export-grade ciphers (Bug 38632, UCS 3.2 erratum 345).

A univention-mail-postfix configuration disabling SSLv2 is available in errata 4.0-1 (Bug 38044).
Comment 4 Arvid Requate univentionstaff 2016-03-01 16:52:23 CET
Created attachment 7509 [details]
CVE-2016-0800.patch
Comment 5 Arvid Requate univentionstaff 2016-03-01 16:53:08 CET
Created attachment 7510 [details]
CVE-2016-0798.patch
Comment 6 Arvid Requate univentionstaff 2016-03-01 16:53:43 CET
Created attachment 7511 [details]
CVE-2016-0797.patch
Comment 7 Arvid Requate univentionstaff 2016-03-01 16:54:07 CET
Created attachment 7512 [details]
CVE-2016-0799.patch
Comment 8 Arvid Requate univentionstaff 2016-03-01 16:54:36 CET
Created attachment 7513 [details]
CVE-2016-0702.patch
Comment 9 Arvid Requate univentionstaff 2016-03-16 20:23:56 CET
I imported the latest squeeze-lts version and added patches for CVE-2016-0797, CVE-2016-0799 and CVE-2016-0800. The first two are from the wheezy package and the last one is taken from https://git.openssl.org/?p=openssl.git;a=commitdiff;h=56f1acf5ef8a432992497a04792ff4b3b2c6f286 . I compared the patch to what CentOS and RHEL6 did.

Backporting CVE-2016-0702 is too hard (non-applicable assembler patches) and CVE-2016-0703 as well as CVE-2016-0704 should be mitigated by the patch for CVE-2016-0800. This also matches the response of CentOS / RHEL.

Advisory: openssl.yaml
Comment 10 Felix Botner univentionstaff 2016-03-18 12:51:42 CET
amd64/i386

OK - built with patches (CVE-2015-3195, CVE-2015-3197, CVE-2016-0797, 
     CVE-2016-0799, CVE-2016-0800)

OK - ucs-test-base
OK - ucs-test-apache (from 4.1)

OK - openssl s_client -connect 443 636 993 
OK - ldapsearch -ZZZ
OK - certificate creation
OK - openssl cert verify (openssl verify -CAfile 
     /etc/univention/ssl/ucsCA/CAcert.pem 
     /etc/univention/ssl/master/cert.pem )
OK - ssl2 disabled (openssl s_client -connect hostname:443 -ssl2)
OK - imap/smtp with tls (univention-mail-horde, horde login, horde mail)
OK - libssl-dev

OK - YAML
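
The "ssl2 disabled" check from the QA list above, as an added example that is not part of the original bug report or of the Univention test suite: OpenSSL builds from 1.1.0 on no longer accept `-ssl2`, so this sketch speaks just enough SSLv2 to classify a server's reply. It reports any SERVER-HELLO as enabled, even with an empty cipher list, because of the CVE-2015-3197 behaviour quoted in Comment 1; the function names and the sample reply bytes are constructed for illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each); all are offered so any SSLv2 server answers.
SSL2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080,
                0x050080, 0x060040, 0x0700C0]

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record (2-byte header with the MSB set)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(c.to_bytes(3, "big") for c in SSL2_CIPHERS)
    # msg type 1, version 0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Return (verdict, ciphers) for the first bytes a server sent back.

    A SERVER-HELLO means the protocol itself is enabled, even when the
    advertised cipher list is empty (the CVE-2015-3197 situation).
    """
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 4:
        return "sslv2-disabled", []   # TLS alert, SSLv2 ERROR, or closed connection
    _hit, _ctype, version, cert_len, spec_len, _cid_len = struct.unpack(
        ">BBHHHH", data[3:13])
    if version != 0x0002:
        return "sslv2-disabled", []
    # The cipher list follows the certificate; it may be cut short by a partial read.
    specs = data[13 + cert_len:13 + cert_len + spec_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big")
               for i in range(0, len(specs) - 2, 3)]
    return "sslv2-enabled", ciphers

def probe(host, port, timeout=5.0):
    """Send the hello to host:port and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(16384)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)

# Constructed sample replies (not captured traffic).
SAMPLE_NO_CIPHERS = bytes.fromhex("800b" "04" "00" "01" "0002" "0000" "0000" "0000")
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")
```

Run `probe()` against each TLS-enabled port of the host under test (443, 636 and 993 in the QA list); a verdict of `sslv2-enabled` with an empty cipher list still counts as a failure.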
Comment 11 Janek Walkenhorst univentionstaff 2016-03-30 13:30:25 CEST
<http://errata.software-univention.de/ucs/3.2/410.html>