Your message dated Mon, 31 Aug 2015 09:20:16 +0000
with message-id <[email protected]>
and subject line Bug#797470: fixed in dnsval 2.0-2
has caused the Debian Bug report #797470,
regarding dnsval: val_dane_check: usage DANE-TA(2) may bypass cert validation
entirely
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
797470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dnsval
Version: 2.0-1.1
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
With the version 2.0 of the libval library, val_dane_check() completely fails
to verify the certificate and always returns a success status when used with
the DANE-TA(2) usage. An unsuspecting application using libval 2.0 could be
tricked into trusting any certificate that is provided.
For example, with the DNS record:
example.net. IN TLSA 2 0 1 aaaaa
val_dane_check() assumes that "aaaaa" is a valid DER-encoded certificate, and
passes it without validation to OpenSSL as a trusted anchor certificate. After
that, any certificate is accepted by SSL_get_verify_result() (as seen in
libval.c, lines 768 to 784).
Please note that I did not find any CVE nor upstream bug report regarding this
issue, and the library is still considered as experimental by its authors. The
bug has already been reported in May 2013 on the IETF DANE Working Group
mailing list by Viktor Dukhovni and acknowledged by Suresh Krishnaswamy
(libval's developper):
https://mailarchive.ietf.org/arch/msg/dane/QySBNeQevpD3gZCLJp1ohqPpaxc
I have only partially tested the version 2.1 of libval (which is in the
experimental depot), but could not reproduce the same issue. In addition, the
code was completely rewritten and the logical flow modified, so the 2.1 API is
incompatible with version 2.0.
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
--- End Message ---
--- Begin Message ---
Source: dnsval
Source-Version: 2.0-2
We believe that the bug you reported is fixed in the latest version of
dnsval, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated dnsval package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 31 Aug 2015 10:58:49 +0200
Source: dnsval
Binary: libval-bin libval-dev libval14 libval-dbg
Architecture: source amd64
Version: 2.0-2
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Description:
libval-bin - DNSSEC validation library (programs)
libval-dbg - DNSSEC validation library (debug symbols)
libval-dev - DNSSEC validation library (development files)
libval14 - DNSSEC validation library (shared library)
Closes: 797470
Changes:
dnsval (2.0-2) unstable; urgency=high
.
* Disable DANE certificate usage 2 because it's not implemented
correctly (Closes: #797470)
Checksums-Sha1:
212572d90afad1b8c326c8bfc983187be8ac4afb 2127 dnsval_2.0-2.dsc
fb0781e66d311672b4256dfb8402668e5580ca55 4616 dnsval_2.0-2.debian.tar.xz
942d5474d2e157f3712d7905820bb1e65b31a539 118344 libval-bin_2.0-2_amd64.deb
28d99b22a5e155e2b98eb57505d36b9c3016ae69 501234 libval-dbg_2.0-2_amd64.deb
9cfa8d1161deb3f05773f7e7440ec3560ea2d39e 253370 libval-dev_2.0-2_amd64.deb
280ef42f43a41a6a4f3765c3808bae4ce8aaca6e 193174 libval14_2.0-2_amd64.deb
Checksums-Sha256:
1d7b66da75cd0e59066a9ebcfa540207d4c375a62766f14aeeca89e3a9d912fe 2127
dnsval_2.0-2.dsc
d5df9f6e6d022c004b96ec0c040fa6e93f09c63fc144cf123f17db41c57bd107 4616
dnsval_2.0-2.debian.tar.xz
6631ea21018a628559345f66751391dfe44e0f1e0c3deda7cb9826c9b5573ab5 118344
libval-bin_2.0-2_amd64.deb
caa8c9277936f020a707d43e2969e5d01219d24e51de364d698f83f4758ee782 501234
libval-dbg_2.0-2_amd64.deb
7ac78a7023e937e298d2c3aa395aabfc416a4da281485f756a5177ac0f6e7fad 253370
libval-dev_2.0-2_amd64.deb
c66a91614deef91f46e0dfea6cd9a7ef3e2c9ec4ad76bc436faadb58d5c3de62 193174
libval14_2.0-2_amd64.deb
Files:
195e08599995f4cf5b807f3bd5674983 2127 libs extra dnsval_2.0-2.dsc
04bc5da64967c029bd4beba52cdaec1c 4616 libs extra dnsval_2.0-2.debian.tar.xz
8ac0d180a5b74033f8d8477a5e0026b3 118344 admin extra libval-bin_2.0-2_amd64.deb
54aadc2ae52310c26eaf1acc6ebcf9e0 501234 debug extra libval-dbg_2.0-2_amd64.deb
ceda4a8b43a9cae7224b9d35cf4feebe 253370 libdevel extra
libval-dev_2.0-2_amd64.deb
e17952da11741e6ddc197e2f40ab7ad8 193174 libs extra libval14_2.0-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQJ8BAEBCgBmBQJV5BfMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsH/PcQAITBamOi7rXEgDrVQVyxB2DL
+FsDDSJo4f3cYV2ZQHi5MJKEjPVrsKV/S69MHMMTYFNignLAaz/v2Vk8mVhCY4pX
Dh3AN4HHc2foOdCdfz2+hPGv+Td1cfPZ8ylPQup5kiHVJpbO1QXUrzrIP5z5HghD
3kdmThkPNUCwQTZeGGELN/lAKCdNmtYh7kllNoavaNB4eCRocNn4FsXwGfVAHrDz
SeDVvYF8mQqO8D8kqiMQGzX32kVUDjFHAVROyHgYfOJ6krpGDSoLcb3QckSeF0Yj
XlljAjf8rHoa7EUsHeW26dUENHT6lihAfsvsmsNL3mJSrx60QlHPjjj833hs9RPs
8Mho6r5ff0pWydouAwFTkr9X5ttkxL9jDZTypg9toJJakgtM48R3wotI45JDWZ4E
oUe3EVZEIZzUSOJmYxdwIB8fNk4xUnjSCWrpr+y1gV408hiWhXat+DdAEV2bnYsK
VTKV8qzb/rfLqGYv8bZB2UuY5I2MZ4UxIAxIfM21BRs2tYWlNoJsicgZTEIkC0uJ
q8BiGmT8GuzMu8LZs+c5N64clW7y3G9VFHXDA1TWOf093/ymvj/kDpz9XDF10gK7
SiD+9Couhyr2GiSofgnTUVItPZBwyRJESi7FwbiPnCSM2KHqCdU9WtrfIJF3M5T/
eFR3pu+5DnoKh0N1jVW8
=lz+b
-----END PGP SIGNATURE-----
--- End Message ---