
Bug#781965: marked as done (wheezy-pu: package ircd-hybrid/1:7.2.2.dfsg.2-10)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #781965,
regarding wheezy-pu: package ircd-hybrid/1:7.2.2.dfsg.2-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781965
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

As per #779082, ircd-hybrid in wheezy (when recompiled to support
SSL) currently listens on SSLv3, which could be exposing a risk of a
POODLE attack.

The patch to disable SSLv3 is simple, and I've attached a tested package
diff. The Debian security team treats this as a no-dsa issue.

Please let me know if it's okay to upload.

Thanks,
Dominic.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
diff --git a/debian/changelog b/debian/changelog
index eeaac9d..8d038f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ircd-hybrid (1:7.2.2.dfsg.2-10+deb7u1) stable; urgency=medium
+
+  * Disable SSLv3 to mitigate against the POODLE vulnerability
+    (Closes: #767026)
+
+ -- Dominic Hargreaves <dom@earth.li>  Sun, 05 Apr 2015 18:33:33 +0100
+
 ircd-hybrid (1:7.2.2.dfsg.2-10) unstable; urgency=high
 
   * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask()
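Review bot: the changelog entry closes #767026 while the cover mail cites #779082 as the bug this update is made under; confirm that #767026 is the right report to close (or list both), because a wrong Closes: leaves the actual report open after the upload. Minor wording: "mitigate against" is redundant, "Disable SSLv3 to mitigate the POODLE vulnerability" reads cleaner.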
diff --git a/debian/patches/00list b/debian/patches/00list
index 0bae9d0..a358c33 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -20,4 +20,5 @@
 21-dpkg-buildflags
 22-getopt.dpatch
 23-netmask-dos.dpatch
+24-disable-sslv3.dpatch
 98_patchlevel_debian
diff --git a/debian/patches/24-disable-sslv3.dpatch b/debian/patches/24-disable-sslv3.dpatch
new file mode 100755
index 0000000..78427f9
--- /dev/null
+++ b/debian/patches/24-disable-sslv3.dpatch
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 24-disable-sslv3.dpatch by Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+##
+## DP: Disable SSLv3 to mitigate against the POODLE attack
+##
+## All lines beginning with `## DP:' are a description of the patch.
+
+diff --git a/src/ircd.c b/src/ircd.c
+--- a/src/ircd.c
++++ b/src/ircd.c
+@@ -512,7 +512,7 @@ init_ssl(void)
+     ilog(L_CRIT, "ERROR: Could not initialize the SSL context -- %s\n", s);
+   }
+ 
+-  SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2);
++  SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+   SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL);
+   SSL_CTX_set_verify(ServerInfo.ctx, SSL_VERIFY_NONE, NULL);
+ 
+-- 
+1.7.10.4
+
+
+Sebastian
+
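Review bot: the one-line change in init_ssl() is correct and is not undone by the next statement, since SSL_CTX_set_options() only ever adds option bits, so `SSL_CTX_set_options(ServerInfo.ctx, SSL_OP_TLS_ROLLBACK_BUG|SSL_OP_ALL)` leaves SSL_OP_NO_SSLv3 in place. Two smaller points on the dpatch file itself: the git trailer (`-- ` / `1.7.10.4`) and the trailing `Sebastian` signature after the hunk will be ignored by patch but do not belong in a shipped debian/patches file and should be trimmed; and the retained SSL_OP_TLS_ROLLBACK_BUG, which disables OpenSSL's version-rollback detection, is fine to leave alone in a minimal stable update but is worth a mention in the description, given that this patch is about a protocol-downgrade attack.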

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---
