[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-17 Thread Nils Toedtmann
Oh, indeed!

> 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers" list. [...]
> This is unlikely to cause interoperability problems in most cases since use 
> of these ciphersuites is rare.

Fair enough. Thank you for clarifying.

(And apologies for this noise)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895294

Title:
  Fix Raccoon vulnerability (CVE-2020-1968)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1895294/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Marc Deslauriers
It's not feasible to stop the affected ciphers from re-using secrets,
it's in the specification.

Removing the ciphers is what was done in later releases of openssl,
including the 1.0.2w version that was released specifically to address
this issue:

https://www.openssl.org/news/secadv/20200909.txt

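A defender-side check for the point Marc makes above, that the secret reuse is part of the specification for the affected suites and that the remedy is to stop offering them: the script below parses `openssl ciphers -v` output and flags the suites a server would still be exposed on. It is an added example, not code from OpenSSL, Ubuntu or anyone in this thread. It assumes the 1.0.2-series output format of `openssl ciphers -v` and the rules stated in the linked OpenSSL advisory: 1.0.2f and later reuse a DH secret only for the "static" DH suites (OpenSSL names starting with `DH-`, i.e. IANA `TLS_DH_*` but not `TLS_DH_anon_*`), while 1.0.2e and earlier reused the ephemeral secret for every DH suite in servers unless `SSL_OP_SINGLE_DH_USE` was set; ECDH suites are not affected. The sample cipher list is constructed, not captured from any real host.

```python
"""Flag Raccoon-affected (CVE-2020-1968) ciphersuites in `openssl ciphers -v`
output, following the rules in the OpenSSL advisory linked in this thread.

Added example; not code from OpenSSL, Ubuntu or the thread's authors.
Assumptions: the 1.0.2-series output format of `openssl ciphers -v`, and the
advisory's statements on which versions reuse a DH secret (see below).
"""
import re
import subprocess

# Constructed sample of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` from a
# 1.0.2 build with weak ciphers enabled; not captured from any real host.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
)


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts; lines that don't match are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers.append(m.groupdict())
    return ciphers


def classify(cipher):
    """'static-dh' for the advisory's affected suites (TLS_DH_*, not anon),
    'ephemeral-dh' for DHE/ADH suites, 'other' for everything else."""
    if cipher["name"].startswith("DH-"):
        return "static-dh"
    if cipher["kx"].startswith("DH"):  # "DH" covers DHE and ADH; "ECDH" does not match
        return "ephemeral-dh"
    return "other"


def reuses_ephemeral_dh(version):
    """True for OpenSSL 1.0.2e and earlier: per the advisory, those servers reused
    the ephemeral DH secret unless SSL_OP_SINGLE_DH_USE was set.
    Accepts Debian-style strings such as '1.0.2g-1ubuntu4.16' (upstream part only)."""
    upstream = version.split("-", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)", upstream)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    nums = tuple(int(x) for x in m.groups()[:3])
    letter = m.group(4)
    if nums < (1, 0, 2):
        return True
    if nums == (1, 0, 2):
        return letter <= "e"  # '' (plain 1.0.2) through 'e'
    return False


def affected_ciphers(ciphers, version):
    """Names of the suites that reuse a DH secret, and are therefore exposed to
    Raccoon, on a server running the given OpenSSL version."""
    all_dh = reuses_ephemeral_dh(version)
    names = []
    for c in ciphers:
        kind = classify(c)
        if kind == "static-dh" or (kind == "ephemeral-dh" and all_dh):
            names.append(c["name"])
    return names


def live_ciphers(cipher_string="ALL:COMPLEMENTOFALL"):
    """Query the local openssl binary (only used when run as a script)."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return parse_ciphers_v(out)


if __name__ == "__main__":
    sample = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for ver in ("1.0.2e", "1.0.2g-1ubuntu4.16"):
        print(ver, "->", affected_ciphers(sample, ver))
    # To inspect the local build instead: affected_ciphers(live_ciphers(), "<openssl version here>")
```

Run against the constructed sample, a 1.0.2g build is flagged only for the two `DH-` suites, while 1.0.2e is flagged for every DH suite including DHE and ADH. On a host where the static suites have been disabled, as this thread says the Xenial update did, the `DH-` names should no longer appear in `live_ciphers()` at all, which is the quickest way to confirm the fix took effect.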

[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Nils Toedtmann
Thank you very much for fixing swiftly!

Please forgive me for pointing this out though:

I note that rather than stopping the affected cipher suites from re-
using secrets across connections, you chose to declare the suites as
weak and disabled them altogether.

I appreciate that this is an elegant way to close this vulnerability, in
particular in the absence of an upstream patch.

However, this solution introduces the risk that when trying to establish
a connection with some legacy client or server, they can no longer agree
on a shared cipher, and the TLS handshake fails. That is not in the
spirit of an LTS, which is often elected and used precisely because it
makes it easier to support legacy products reliably.


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Marc Deslauriers
This has now been fixed:

https://ubuntu.com/security/notices/USN-4504-1

** Changed in: openssl (Ubuntu Xenial)
   Status: Confirmed => Fix Released


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Seth Arnold
Alternatively, you could use one of the recommended TLS configurations
from Mozilla, https://wiki.mozilla.org/Security/Server_Side_TLS which do
not enable the unsafe cryptography suites.

Thanks


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Nils Toedtmann
> "Please upgrade to bionic or focal?"

Is this an official recommendation from Ubuntu, that users shall migrate
off Xenial now, because of a security issue in a core library?

And there I was, thinking we have until April 2021 ...


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-15 Thread Dimitri John Ledkov
It is true that said vulnerability is not patched in xenial; but also it
is low; and no public patches for it exist.

Please upgrade to bionic or focal? which are unaffected / fixes
released?

** Information type changed from Public to Public Security

** Also affects: openssl (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu)
   Status: New => Fix Released

** Changed in: openssl (Ubuntu Xenial)
   Importance: Undecided => Low


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-11 Thread Hans Joachim Desserud
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1968


[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-11 Thread Nils Toedtmann
** Description changed:

  Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
- patched yet against the Racoon Attack (CVE-2020-1968):
+ patched yet against the Raccoon Attack (CVE-2020-1968):
  
  - https://www.openssl.org/news/secadv/20200909.txt
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
  - https://raccoon-attack.com/
  
  Ubuntu's CVE tracker still lists this as NEEDED for Xenial:
  
  - https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
  - https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html
  
- 
- Other supported Ubuntu releases use versions of OpenSSL that are not affected.
- 
+ Other supported Ubuntu releases use versions of OpenSSL that are not
+ affected.
  
  Indeed:
  
-   $ apt-cache policy openssl
-   openssl:
- Installed: 1.0.2g-1ubuntu4.16
+   $ apt-cache policy openssl
+   openssl:
+ Installed: 1.0.2g-1ubuntu4.16
  
-   $ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
-   Not patched
- 
+   $ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
+   Not patched
  
  What is the status?
