Your message dated Thu, 5 May 2016 16:43:22 +0200
with message-id <[email protected]>
and subject line Re: Bug#774299: wheezy-pu: openssl: disable SSLv3 by default
has caused the Debian Bug report #774299,
regarding wheezy-pu: openssl: disable SSLv3 by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
774299: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774299
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi,
I would like to disable SSLv3 by default in wheezy. Attached is a
debdiff.
Kurt
diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog 2014-10-15 19:45:48.000000000 +0200
+++ openssl-1.0.1e/debian/changelog 2014-12-31 13:46:02.000000000 +0100
@@ -1,3 +1,15 @@
+openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
+
+ * Disable SSLv3 by default. It can be enabled again by calling
+ SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3.
+ It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
+ environment to anything.
+ This fixes the POODLE issue (CVE-2014-3566).
+ * Fix CVE-2014-3569. We're not affected by it since we don't build with
+ the no-ssl3 option (yet).
+
+ -- Kurt Roeckx <[email protected]> Wed, 31 Dec 2014 13:45:07 +0100
+
openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
* Fixes CVE-2014-3513
diff -Nru openssl-1.0.1e/debian/patches/disable_sslv3.patch openssl-1.0.1e/debian/patches/disable_sslv3.patch
--- openssl-1.0.1e/debian/patches/disable_sslv3.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/disable_sslv3.patch 2014-12-31 13:41:07.000000000 +0100
@@ -0,0 +1,14 @@
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index d09bb7d..bc3cbc7 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2060,6 +2060,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ if (getenv("OPENSSL_ALLOW_SSLv3") == NULL)
++ ret->options |= SSL_OP_NO_SSLv3;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
diff -Nru openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
--- openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 2014-12-31 13:44:16.000000000 +0100
@@ -0,0 +1,44 @@
+From 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <[email protected]>
+Date: Tue, 21 Oct 2014 20:45:15 +0200
+Subject: [PATCH] Keep old method in case of an unsupported protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
+the method to NULL. We didn't used to do that, and it breaks things. This is a
+regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
+method since the code is not able to deal with a NULL method at this time.
+
+CVE-2014-3569, PR#3571
+
+Reviewed-by: Emilia Käsper <[email protected]>
+---
+ ssl/s23_srvr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 38960ba..858420d 100644
+--- a/ssl/s23_srvr.c
++++ b/ssl/s23_srvr.c
+@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s)
+ if ((type == 2) || (type == 3))
+ {
+ /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+- s->method = ssl23_get_server_method(s->version);
+- if (s->method == NULL)
++ const SSL_METHOD *new_method;
++ new_method = ssl23_get_server_method(s->version);
++ if (new_method == NULL)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ }
++ s->method = new_method;
+
+ if (!ssl_init_wbio_buffer(s,1)) goto err;
+
+--
+2.1.4
+
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series 2014-10-15 19:30:33.000000000 +0200
+++ openssl-1.0.1e/debian/patches/series 2014-12-31 13:45:00.000000000 +0100
@@ -72,4 +72,5 @@
Fix-for-SRTP-Memory-Leak.patch
Fix-for-session-tickets-memory-leak.patch
Fix-no-ssl3-configuration-option.patch
-
+disable_sslv3.patch
+Keep-old-method-in-case-of-an-unsupported-protocol.patch
--- End Message ---
--- Begin Message ---
On Sat, Aug 29, 2015 at 17:19:59 +0200, Julien Cristau wrote:
> On Wed, Dec 31, 2014 at 13:52:54 +0100, Kurt Roeckx wrote:
>
> > I would like to disable SSLv3 by default in wheezy. Attached is a
> > debdiff.
> >
> >
> > Kurt
> >
>
> > diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
> > --- openssl-1.0.1e/debian/changelog 2014-10-15 19:45:48.000000000 +0200
> > +++ openssl-1.0.1e/debian/changelog 2014-12-31 13:46:02.000000000 +0100
> > @@ -1,3 +1,15 @@
> > +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
> > +
> > + * Disable SSLv3 by default. It can be enabled again by calling
> > + SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3.
> > + It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
> > + environment to anything.
> > + This fixes the POODLE issue (CVE-2014-3566).
> > + * Fix CVE-2014-3569. We're not affected by it since we don't build with
> > + the no-ssl3 option (yet).
> > +
> > + -- Kurt Roeckx <[email protected]> Wed, 31 Dec 2014 13:45:07 +0100
> > +
> > openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
> >
> > * Fixes CVE-2014-3513
>
> I'm ok with this in principle; the OPENSSL_ALLOW_SSLv3 environment
> variable really ought to be documented though, at least in a
> NEWS.Debian for libssl1.0.0.
>
wheezy is EOL now, so any further updates will go through LTS rather
than proposed-updates. Closing.
Cheers,
Julien
signature.asc
Description: PGP signature
--- End Message ---
