Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value

Related Vulnerabilities: CVE-2011-5095  

Source

Debian Bug report logs - #684527
openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value

version graph

Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl (PTS, buildd, popcon).

Reported by: Arne Wichmann <aw@linux.de>

Date: Fri, 10 Aug 2012 19:15:02 UTC

Severity: grave

Tags: security

Found in version openssl/0.9.8o-4squeeze13

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#684527; Package openssl. (Fri, 10 Aug 2012 19:15:04 GMT) (full text, mbox, link).

Acknowledgement sent to Arne Wichmann <aw@linux.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 10 Aug 2012 19:15:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@linux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Date: Fri, 10 Aug 2012 21:12:14 +0200
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: grave
Tags: security
Justification: user security hole

openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].

As far as I can see the problem is gone in 1.0.1c - but I leave this bug
open for unstable/testing so that it can be doublechecked by someone more
versed in openssl.

[1] http://security-tracker.debian.org/tracker/CVE-2011-5095
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
[2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html
[3] http://cvs.openssl.org/chngview?cn=14375

cu

AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-33
ii  libssl1.0.0  1.0.1c-3
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20120623

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#684527; Package openssl. (Fri, 10 Aug 2012 20:33:05 GMT) (full text, mbox, link).

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 10 Aug 2012 20:33:05 GMT) (full text, mbox, link).

Message #10 received at 684527@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Arne Wichmann <aw@linux.de>, 684527@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Date: Fri, 10 Aug 2012 22:24:54 +0200
On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> Package: openssl
> Version: 0.9.8o-4squeeze13
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].

This doesn't make any sense at all.  This is a bug fixed in 0.9.8a
in 2005.

It only seem to be relavant for the fips version, which we never
had.  Unless someone can tell me why you think this affects
anything in Debian, I'm just going to close it.


Kurt

> As far as I can see the problem is gone in 1.0.1c - but I leave this bug
> open for unstable/testing so that it can be doublechecked by someone more
> versed in openssl.

This doesn't make sense at all.  You file it against the version
in stable, but the version tracking will say this only affects
stable because the version in testing/unstable is not based on
the version in stable, they split at 0.9.8o-4.  If you want to
have this bug affect all versions you should have filed this
against the 0.9.8o-4 version.

Also, everything seems to indicate that 1.0 isn't affected at all.


Kurt

Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Sun, 12 Aug 2012 11:03:03 GMT) (full text, mbox, link).

Notification sent to Arne Wichmann <aw@linux.de>:
Bug acknowledged by developer. (Sun, 12 Aug 2012 11:03:03 GMT) (full text, mbox, link).

Message #15 received at 684527-done@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: 684527-done@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#684527: Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Date: Sun, 12 Aug 2012 12:54:20 +0200
On Fri, Aug 10, 2012 at 10:24:54PM +0200, Kurt Roeckx wrote:
> On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> > Package: openssl
> > Version: 0.9.8o-4squeeze13
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> > CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> > seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> > crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
> 
> This doesn't make any sense at all.  This is a bug fixed in 0.9.8a
> in 2005.
> 
> It only seem to be relavant for the fips version, which we never
> had.  Unless someone can tell me why you think this affects
> anything in Debian, I'm just going to close it.

So closing it.


Kurt

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Sep 2012 07:25:55 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:49:11 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started