openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues


Debian Bug report logs - #483379

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 28 May 2008 14:51:01 UTC

Severity: grave

Tags: security

Found in version openssl/0.9.8f-1

Fixed in version openssl/0.9.8g-10.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#483379; Package openssl.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Date: Wed, 28 May 2008 16:46:51 +0200
Package: openssl
Version: 0.9.8f-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.

CVE-2008-0891[0]:
| OpenSSL Server Name extension crash
| 
| Testing using the Codenomicon TLS test suite discovered a flaw in the
| handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
| 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
| name extensions, a remote attacker could send a carefully crafted
| packet to a server application using OpenSSL and cause a crash.

CVE-2008-1672[1]:
| OpenSSL Omit Server Key Exchange message crash
| 
| Testing using the Codenomicon TLS test suite discovered a flaw if the
| 'Server Key exchange message' is omitted from a TLS handshake in
| OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
| malicious server with particular cipher suites, the server could cause
| the client to crash.

Please note that these descriptions are not yet published on the mitre site.
Check out http://www.openssl.org/news/secadv_20080528.txt in the meantime.

Patches for both issues are attached.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891
    http://security-tracker.debian.net/tracker/CVE-2008-0891
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672
    http://security-tracker.debian.net/tracker/CVE-2008-1672

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2008-0891.patch (text/x-diff, attachment)]
[CVE-2008-1672.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#483379; Package openssl.


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.


Message #10 received at 483379@bugs.debian.org:

From: Christoph Martin <martin@uni-mainz.de>
To: Nico Golde <nion@debian.org>, 483379@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Date: Wed, 28 May 2008 17:12:00 +0200
Hi Nico,

Nico Golde wrote:
> Package: openssl
> Version: 0.9.8f-1
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
> 
> CVE-2008-0891[0]:
> | OpenSSL Server Name extension crash
> | 
> | Testing using the Codenomicon TLS test suite discovered a flaw in the
> | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
> | 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
> | name extensions, a remote attacker could send a carefully crafted
> | packet to a server application using OpenSSL and cause a crash.

This one does not affect the current Debian version, since it is not
compiled with the tlsext option.

> 
> CVE-2008-1672[1]:
> | OpenSSL Omit Server Key Exchange message crash
> | 
> | Testing using the Codenomicon TLS test suite discovered a flaw if the
> | 'Server Key exchange message' is omitted from a TLS handshake in
> | OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
> | malicious server with particular cipher suites, the server could cause
> | the client to crash.
> 

Christoph
-- 
============================================================================
Christoph Martin, Head of IT for the Administration, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telephone: +49-6131-3926337
      Fax: +49-6131-3922856


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#483379; Package openssl.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.


Message #15 received at 483379@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Christoph Martin <martin@uni-mainz.de>
Cc: 483379@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Date: Wed, 28 May 2008 17:20:51 +0200
Hi Christoph,
* Christoph Martin <martin@uni-mainz.de> [2008-05-28 17:13]:
> Nico Golde wrote:
> > Package: openssl
> > Version: 0.9.8f-1
> > Severity: grave
> > Tags: security
[...] 
> > | Testing using the Codenomicon TLS test suite discovered a flaw in the
> > | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
> > | 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
> > | name extensions, a remote attacker could send a carefully crafted
> > | packet to a server application using OpenSSL and cause a crash.
> 
> This one does not affect the current Debian version, since it is not
> compiled with the tlsext option.

Did you miss:
CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib  enable-tlsext 
                                                                                  ^^^^^^^^^^^^
?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#483379; Package openssl.


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.


Message #20 received at 483379@bugs.debian.org:

From: Christoph Martin <martin@uni-mainz.de>
To: Nico Golde <nion@debian.org>
Cc: 483379@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Date: Wed, 28 May 2008 19:03:43 +0200
Nico Golde wrote:
> Hi Christoph,
> * Christoph Martin <martin@uni-mainz.de> [2008-05-28 17:13]:
>> Nico Golde wrote:
>>> Package: openssl
>>> Version: 0.9.8f-1
>>> Severity: grave
>>> Tags: security
> [...] 
>>> | Testing using the Codenomicon TLS test suite discovered a flaw in the
>>> | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
>>> | 0.9.8g.  If OpenSSL has been compiled using the non-default TLS server
>>> | name extensions, a remote attacker could send a carefully crafted
>>> | packet to a server application using OpenSSL and cause a crash.
>> This one does not affect the current Debian version, since it is not
>> compiled with the tlsext option.
> 
> Did you miss:
> CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib  enable-tlsext 
>                                                                                   ^^^^^^^^^^^^
Sorry. You are right. I stand corrected.


-- 
============================================================================
Christoph Martin, Head of IT for the Administration, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telephone: +49-6131-3926337
      Fax: +49-6131-3922856
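
The affectedness check argued over in the exchange above, as an added example that is not part of the original bug log or of the Debian packaging: it reads a Makefile-style file for the `CONFARGS` assignment and reports whether `enable-tlsext` is really among the Configure arguments. The function names are hypothetical, and letting a later `no-tlsext` override an earlier `enable-tlsext` is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not Debian's or OpenSSL's code). Function names are hypothetical.

# confargs_tokens FILE: print each Configure argument assigned to CONFARGS,
# one per line. Backslash continuations are joined, "#" comments dropped,
# and "=", ":=" and "+=" assignments are all accepted.
confargs_tokens() {
    awk '
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, " ", line); buf = line; next }
        line ~ /^[ \t]*CONFARGS[ \t]*[:+]?=/ {
            sub(/#.*/, "", line)
            sub(/^[^=]*=/, "", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
        }
    ' "$1"
}

# tlsext_state FILE: print "enabled", "disabled" or "default".
# Tokens are compared whole, so no-tlsext never matches enable-tlsext.
# Assumption: when both appear, the later token wins.
tlsext_state() {
    confargs_tokens "$1" | awk '
        $0 == "enable-tlsext" { s = "enabled" }
        $0 == "no-tlsext"     { s = "disabled" }
        END { print (s == "" ? "default" : s) }'
}

# cve_2008_0891_applies FILE: succeed only when tlsext is switched on.
# The advisory ties the flaw to the non-default server name extension
# code, so "default" and "disabled" both mean not exposed.
cve_2008_0891_applies() {
    [ "$(tlsext_state "$1")" = enabled ]
}

# Constructed sample holding the CONFARGS line quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib  enable-tlsext ' > "$sample"
if cve_2008_0891_applies "$sample"; then
    echo "enable-tlsext is set: build is exposed to CVE-2008-0891"
else
    echo "tlsext not enabled: CVE-2008-0891 does not apply to this build"
fi
rm -f "$sample"
```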


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#483379; Package openssl.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.


Message #25 received at 483379@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 483379@bugs.debian.org
Subject: intent to NMU
Date: Wed, 28 May 2008 20:23:45 +0200
Hi Kurt,
as discussed in #debian-security I will upload an NMU to fix 
this. debdiff attached and also archived on:

http://people.debian.org/~nion/nmu-diff/openssl-0.9.8g-10_0.9.8g-10.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[openssl-0.9.8g-10_0.9.8g-10.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #30 received at 483379-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 483379-close@bugs.debian.org
Subject: Bug#483379: fixed in openssl 0.9.8g-10.1
Date: Wed, 28 May 2008 18:47:03 +0000
Source: openssl
Source-Version: 0.9.8g-10.1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-10.1_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1_amd64.udeb
libssl-dev_0.9.8g-10.1_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8g-10.1_amd64.deb
libssl0.9.8-dbg_0.9.8g-10.1_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1_amd64.deb
libssl0.9.8_0.9.8g-10.1_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1_amd64.deb
openssl_0.9.8g-10.1.diff.gz
  to pool/main/o/openssl/openssl_0.9.8g-10.1.diff.gz
openssl_0.9.8g-10.1.dsc
  to pool/main/o/openssl/openssl_0.9.8g-10.1.dsc
openssl_0.9.8g-10.1_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8g-10.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 483379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 27 May 2008 11:13:44 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-10.1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 483379 483379
Changes: 
 openssl (0.9.8g-10.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security team.
   * Fix denial of service if the 'Server Key exchange message'
     is omitted from a TLS handshake which could lead to a client
     crash (CVE-2008-1672; Closes: #483379).
     This only works if openssl is compiled with enable-tlsext which is
     done in Debian.
   * Fix double free in TLS server name extension which leads to a remote
     denial of service (CVE-2008-0891; Closes: #483379).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 10 Jul 2008 07:43:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:32:55 2019; Machine Name: buxtehude
