CVE-2009-138{6,7}: Two OpenSSL DTLS remote DoS


Debian Bug report logs - #532037


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 5 Jun 2009 22:12:04 UTC

Severity: serious

Tags: security

Fixed in version openssl/0.9.8k-2

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#532037; Package openssl. (Fri, 05 Jun 2009 22:12:06 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 05 Jun 2009 22:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-138{6,7}: Two OpenSSL DTLS remote DoS
Date: Sat, 06 Jun 2009 00:10:53 +0200
Package: openssl
Severity: serious
Tags: security



Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openssl.

CVE-2009-1386[0]:
| ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
| a denial of service (NULL pointer dereference and daemon crash) via a
| DTLS ChangeCipherSpec packet that occurs before ClientHello.

CVE-2009-1387[1]:
| The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
| OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
| of service (NULL pointer dereference and daemon crash) via an
| out-of-sequence DTLS handshake message, related to a "fragment bug."

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
    http://security-tracker.debian.net/tracker/CVE-2009-1386
    http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
    http://cvs.openssl.org/chngview?cn=17369
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
    http://security-tracker.debian.net/tracker/CVE-2009-1387
    http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
    http://cvs.openssl.org/chngview?cn=17958
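As an added example (not OpenSSL's code and not the Debian patch), a simplified C model of the two receiver-side checks the CVE descriptions above call for: a ChangeCipherSpec cannot be honoured before a ClientHello has established a session, and a buffered handshake fragment must not be treated as the next complete message while it is out of sequence or still incomplete. The struct and function names are assumptions for illustration.

```c
/* Simplified model (added example, not OpenSSL's code) of the DTLS receiver
 * state checks behind CVE-2009-1386 and CVE-2009-1387.  Both reports describe
 * a NULL pointer dereference when a record arrives out of the expected order;
 * the checks below refuse such input instead of dereferencing anything. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BUFFERED 8

typedef struct {
    uint16_t msg_seq;       /* DTLS handshake message_seq of this message */
    size_t   msg_len;       /* total length of the handshake message */
    size_t   bytes_have;    /* bytes received so far across its fragments */
    unsigned char *data;    /* reassembly buffer; NULL until allocated */
} hm_fragment;

typedef struct {
    bool     session_established;   /* set once a ClientHello was processed */
    uint16_t handshake_read_seq;    /* next message_seq we expect to process */
    hm_fragment *buffered[MAX_BUFFERED]; /* out-of-sequence messages, by seq */
    int      nbuffered;
} dtls_state;

/* CVE-2009-1386 pattern: a ChangeCipherSpec record before any ClientHello.
 * With no session there is nothing to switch keys for, so reject it
 * (returns -1, the caller sends an alert and drops the record). */
int handle_change_cipher_spec(dtls_state *s) {
    if (!s->session_established)
        return -1;
    return 0;
}

/* CVE-2009-1387 pattern: the head of the buffered-message queue is taken at
 * face value.  Deliver it only when it carries the expected message_seq AND
 * every byte of it has arrived; otherwise leave it queued and return 0. */
int retrieve_buffered_fragment(dtls_state *s, hm_fragment **out) {
    *out = NULL;
    if (s->nbuffered == 0) return 0;
    hm_fragment *frag = s->buffered[0];
    if (frag->msg_seq != s->handshake_read_seq) return 0;            /* out of sequence */
    if (frag->data == NULL || frag->bytes_have < frag->msg_len) return 0; /* incomplete */
    *out = frag;
    memmove(&s->buffered[0], &s->buffered[1],
            (size_t)(s->nbuffered - 1) * sizeof *s->buffered);
    s->nbuffered--;
    return 1;
}
```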







Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#532037; Package openssl. (Mon, 08 Jun 2009 17:30:08 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 08 Jun 2009 17:30:08 GMT)


Message #10 received at 532037@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 532037@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#532037: CVE-2009-138{6, 7}: Two OpenSSL DTLS remote DoS
Date: Mon, 8 Jun 2009 19:22:05 +0200
On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
> 
> CVE-2009-1386[0]:
> | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> | a denial of service (NULL pointer dereference and daemon crash) via a
> | DTLS ChangeCipherSpec packet that occurs before ClientHello.

So this is already fixed in unstable, but not in
testing/stable/oldstable.

Since this seems to be DTLS related, this doesn't affect
openssl097.

> CVE-2009-1387[1]:
> | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> | of service (NULL pointer dereference and daemon crash) via an
> | out-of-sequence DTLS handshake message, related to a "fragment bug."

I'll upload this to unstable, and provide fixed packages
for stable/oldstable for both issues.


Kurt





Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 08 Jun 2009 18:06:02 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Mon, 08 Jun 2009 18:06:02 GMT)


Message #15 received at 532037-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 532037-close@bugs.debian.org
Subject: Bug#532037: fixed in openssl 0.9.8k-2
Date: Mon, 08 Jun 2009 17:47:15 +0000
Source: openssl
Source-Version: 0.9.8k-2

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-2_amd64.udeb
libssl-dev_0.9.8k-2_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8k-2_amd64.deb
libssl0.9.8-dbg_0.9.8k-2_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-2_amd64.deb
libssl0.9.8_0.9.8k-2_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8k-2_amd64.deb
openssl_0.9.8k-2.diff.gz
  to pool/main/o/openssl/openssl_0.9.8k-2.diff.gz
openssl_0.9.8k-2.dsc
  to pool/main/o/openssl/openssl_0.9.8k-2.dsc
openssl_0.9.8k-2_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8k-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 532037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 08 Jun 2009 19:05:56 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 532037 532336
Changes: 
 openssl (0.9.8k-2) unstable; urgency=low
 .
   * Move libssl0.9.8-dbg to the debug section.
   * Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
   * Split the line to generate md5-x86_64.s in the Makefile.  This will
     hopefully fix the build issue on kfreebsd that now outputs the file
     to stdout instead of the file.
   * Fix denial of service via an out-of-sequence DTLS handshake message
     (CVE-2009-1387) (Closes: #532037)
Package-Type: udeb






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#532037; Package openssl. (Mon, 08 Jun 2009 19:00:17 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 08 Jun 2009 19:00:17 GMT)


Message #20 received at 532037@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: team@security.debian.org
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, 532037@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#532037: CVE-2009-138{6, 7}: Two OpenSSL DTLS remote DoS
Date: Mon, 8 Jun 2009 20:57:20 +0200
On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> Package: openssl
> Severity: serious
> Tags: security
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
> 
> CVE-2009-1386[0]:
> | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> | a denial of service (NULL pointer dereference and daemon crash) via a
> | DTLS ChangeCipherSpec packet that occurs before ClientHello.
> 
> CVE-2009-1387[1]:
> | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> | of service (NULL pointer dereference and daemon crash) via an
> | out-of-sequence DTLS handshake message, related to a "fragment bug."

Packages for stable and oldstable are available at:
http://people.debian.org/~kroeckx/openssl/

Note that the issues fixed in previous versions were never
uploaded to the security archive, so both fix 5 CVEs.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#532037; Package openssl. (Thu, 18 Jun 2009 22:51:02 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 18 Jun 2009 22:51:02 GMT)


Message #25 received at 532037@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: team@security.debian.org
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, 532037@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#532037: CVE-2009-138{6, 7}: Two OpenSSL DTLS remote DoS
Date: Fri, 19 Jun 2009 00:47:53 +0200
On Mon, Jun 08, 2009 at 08:57:20PM +0200, Kurt Roeckx wrote:
> On Sat, Jun 06, 2009 at 12:10:53AM +0200, Giuseppe Iuculano wrote:
> > Package: openssl
> > Severity: serious
> > Tags: security
> > 
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for openssl.
> > 
> > CVE-2009-1386[0]:
> > | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause
> > | a denial of service (NULL pointer dereference and daemon crash) via a
> > | DTLS ChangeCipherSpec packet that occurs before ClientHello.
> > 
> > CVE-2009-1387[1]:
> > | The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
> > | OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
> > | of service (NULL pointer dereference and daemon crash) via an
> > | out-of-sequence DTLS handshake message, related to a "fragment bug."
> 
> Packages for stable and oldstable are available at:
> http://people.debian.org/~kroeckx/openssl/
> 
> Note that the issues fixed in previous versions were never
> uploaded to the security archive, so both fix 5 CVEs.

Hi,

Nothing happened with this yet.  Are you planning on releasing a
DSA for this, or should I just upload them to proposed-updates
instead?


Kurt





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Jul 2009 07:28:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:54 2019; Machine Name: beach
