Debian Bug report logs - #684527
openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Reported by: Arne Wichmann <aw@linux.de>
Date: Fri, 10 Aug 2012 19:15:02 UTC
Severity: grave
Tags: security
Found in version openssl/0.9.8o-4squeeze13
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#684527; Package openssl. (Fri, 10 Aug 2012 19:15:04 GMT)
Acknowledgement sent to Arne Wichmann <aw@linux.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 10 Aug 2012 19:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: grave
Tags: security
Justification: user security hole
openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
As far as I can see the problem is gone in 1.0.1c - but I leave this bug
open for unstable/testing so that it can be double-checked by someone more
versed in openssl.
[1] http://security-tracker.debian.org/tracker/CVE-2011-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
[2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html
[3] http://cvs.openssl.org/chngview?cn=14375
cu
AW
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-33
ii libssl1.0.0 1.0.1c-3
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20120623
-- no debconf information
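The report above hinges on one missing call: validating the peer's Diffie-Hellman public value before it is raised to the server's private exponent. The following is an added editor's example, not code from the report, from Debian, or from OpenSSL. It models in pure Python the conditions that DH_check_pub_key enforces (1 < y < p-1) plus the subgroup-membership test (y^q mod p == 1) that later OpenSSL versions apply when the subgroup order q is known, and contrasts it with the unchecked code path. The group (p = 1019, q = 509, g = 4) is a constructed toy safe-prime group chosen only so the arithmetic is easy to follow; the reason strings and function names are my own and are not OpenSSL's identifiers.

```python
"""Model of the peer-public-value check missing from the unfixed DH path.

Editor's constructed example; not the bug report's or OpenSSL's code.
"""

# Constructed toy safe-prime group: p = 2q + 1, with g = 4 generating the
# order-q subgroup (4 = 2^2 is always a quadratic residue). Far too small
# for real use; it exists only to make the arithmetic below checkable.
P = 1019
Q = 509
G = 4


def check_pub_key(y, p=P, q=Q):
    """Return the reasons a received public value y is unacceptable.

    An empty list means y passes. The range test 1 < y < p-1 is the one the
    report says fips_dh_key.c lacks: the values 0, 1 and p-1 have order 1 or 2,
    so the derived secret collapses to {0, 1, p-1} regardless of the private
    exponent. When q is known, y^q mod p == 1 additionally rejects values
    outside the intended subgroup (small-subgroup confinement).
    """
    reasons = []
    if y <= 1:
        reasons.append("too small (y <= 1)")
    if y >= p - 1:
        reasons.append("too large (y >= p-1)")
    if not reasons and q is not None and pow(y, q, p) != 1:
        reasons.append("not in the order-q subgroup")
    return reasons


def compute_key(peer_pub, priv, p=P, q=Q, validate=True):
    """Derive the DH shared secret peer_pub^priv mod p.

    validate=False models the unfixed code path: the peer's value is used
    without any check, so an attacker choosing y in {1, p-1} forces the
    secret into a two-element set and can simply try both.
    """
    if validate:
        problems = check_pub_key(peer_pub, p, q)
        if problems:
            raise ValueError("rejected peer public value %d: %s"
                             % (peer_pub, ", ".join(problems)))
    return pow(peer_pub, priv, p)


def forced_secret_candidates(p=P):
    """Secrets an attacker can force by sending y = 1 or y = p-1."""
    return {1, p - 1}


def demo(server_priv=123):
    """Run the checked and unchecked paths against honest and hostile values.

    Returns a dict mapping each case to the derived secret or the verdict.
    """
    out = {}
    honest_pub = pow(G, 77, P)            # a legitimate client value g^b
    out["honest"] = compute_key(honest_pub, server_priv)

    # 0, 1, p-1 and p are the degenerate values; 2 lies outside the
    # order-q subgroup of this toy group (p = 3 mod 8, so 2 is a non-residue).
    for bad in (0, 1, P - 1, P, 2):
        out["unchecked_%d" % bad] = compute_key(bad, server_priv,
                                                validate=False)
        try:
            compute_key(bad, server_priv)
            out["checked_%d" % bad] = "accepted"
        except ValueError:
            out["checked_%d" % bad] = "rejected"
    return out


if __name__ == "__main__":
    for case, result in sorted(demo().items()):
        print("%-16s %s" % (case, result))
```

With server_priv = 123 the unchecked path yields 1 for y = 1 and p-1 for y = p-1 (the sign of (-1)^priv leaks the parity of the private exponent), while the checked path refuses all five hostile values before any secret is derived; the honest value passes both.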
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#684527; Package openssl. (Fri, 10 Aug 2012 20:33:05 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 10 Aug 2012 20:33:05 GMT)
Message #10 received at 684527@bugs.debian.org:
On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> Package: openssl
> Version: 0.9.8o-4squeeze13
> Severity: grave
> Tags: security
> Justification: user security hole
>
> openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
This doesn't make any sense at all. This is a bug fixed in 0.9.8a
in 2005.
It only seems to be relevant for the fips version, which we never
had. Unless someone can tell me why you think this affects
anything in Debian, I'm just going to close it.
Kurt
> As far as I can see the problem is gone in 1.0.1c - but I leave this bug
> open for unstable/testing so that it can be double-checked by someone more
> versed in openssl.
This doesn't make sense at all. You file it against the version
in stable, but the version tracking will say this only affects
stable because the version in testing/unstable is not based on
the version in stable, they split at 0.9.8o-4. If you want to
have this bug affect all versions you should have filed this
against the 0.9.8o-4 version.
Also, everything seems to indicate that 1.0 isn't affected at all.
Kurt
Reply sent to Kurt Roeckx <kurt@roeckx.be>: You have taken responsibility. (Sun, 12 Aug 2012 11:03:03 GMT)
Notification sent to Arne Wichmann <aw@linux.de>: Bug acknowledged by developer. (Sun, 12 Aug 2012 11:03:03 GMT)
Message #15 received at 684527-done@bugs.debian.org:
On Fri, Aug 10, 2012 at 10:24:54PM +0200, Kurt Roeckx wrote:
> On Fri, Aug 10, 2012 at 09:12:14PM +0200, Arne Wichmann wrote:
> > Package: openssl
> > Version: 0.9.8o-4squeeze13
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to
> > CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem
> > seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in
> > crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].
>
> This doesn't make any sense at all. This is a bug fixed in 0.9.8a
> in 2005.
>
> It only seems to be relevant for the fips version, which we never
> had. Unless someone can tell me why you think this affects
> anything in Debian, I'm just going to close it.
So closing it.
Kurt
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Sep 2012 07:25:55 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:49:11 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.