Your message dated Thu, 5 May 2016 16:43:22 +0200 with message-id <20160505144322.GZ2718@betterave.cristau.org> and subject line Re: Bug#774299: wheezy-pu: openssl: disable SSLv3 by default has caused the Debian Bug report #774299, regarding wheezy-pu: openssl: disable SSLv3 by default to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
774299: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774299
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: wheezy-pu: openssl: disable SSLv3 by default
- From: Kurt Roeckx <kurt@roeckx.be>
- Date: Wed, 31 Dec 2014 13:52:54 +0100
- Message-id: <20141231125253.GA23984@roeckx.be>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to disable SSLv3 by default in wheezy. Attached is a debdiff.

Kurt

diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog --- openssl-1.0.1e/debian/changelog 2014-10-15 19:45:48.000000000 +0200 +++ openssl-1.0.1e/debian/changelog 2014-12-31 13:46:02.000000000 +0100 @@ -1,3 +1,15 @@ +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium + + * Disable SSLv3 by default. It can be enabled again by calling + SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3. + It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the + environment to anything. + This fixes the POODLE issue (CVE-2014-3566). + * Fix CVE-2014-3569. We're not affected by it since we don't build with + the no-ssl3 option (yet). + + -- Kurt Roeckx <kurt@roeckx.be> Wed, 31 Dec 2014 13:45:07 +0100 + openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium * Fixes CVE-2014-3513 diff -Nru openssl-1.0.1e/debian/patches/disable_sslv3.patch openssl-1.0.1e/debian/patches/disable_sslv3.patch --- openssl-1.0.1e/debian/patches/disable_sslv3.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/disable_sslv3.patch 2014-12-31 13:41:07.000000000 +0100
@@ -0,0 +1,14 @@ +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index d09bb7d..bc3cbc7 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2060,6 +2060,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) + */ + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ++ if (getenv("OPENSSL_ALLOW_SSLv3") == NULL) ++ ret->options |= SSL_OP_NO_SSLv3; ++ + return(ret); + err: + SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); diff -Nru openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch --- openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 2014-12-31 13:44:16.000000000 +0100 
@@ -0,0 +1,44 @@ +From 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx <kurt@roeckx.be> +Date: Tue, 21 Oct 2014 20:45:15 +0200 +Subject: [PATCH] Keep old method in case of an unsupported protocol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set +the method to NULL. We didn't used to do that, and it breaks things. This is a +regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old +method since the code is not able to deal with a NULL method at this time. + +CVE-2014-3569, PR#3571 + +Reviewed-by: Emilia Käsper <emilia@openssl.org> +--- + ssl/s23_srvr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c +index 38960ba..858420d 100644 +--- a/ssl/s23_srvr.c ++++ b/ssl/s23_srvr.c +@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s) + if ((type == 2) || (type == 3)) + { + /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ +- s->method = ssl23_get_server_method(s->version); +- if (s->method == NULL) ++ const SSL_METHOD *new_method; ++ new_method = ssl23_get_server_method(s->version); ++ if (new_method == NULL) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + } ++ s->method = new_method; + + if (!ssl_init_wbio_buffer(s,1)) goto err; + +-- +2.1.4 + diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series --- openssl-1.0.1e/debian/patches/series 2014-10-15 19:30:33.000000000 +0200 +++ openssl-1.0.1e/debian/patches/series 2014-12-31 13:45:00.000000000 +0100 @@ -72,4 +72,5 @@ Fix-for-SRTP-Memory-Leak.patch Fix-for-session-tickets-memory-leak.patch Fix-no-ssl3-configuration-option.patch - +disable_sslv3.patch +Keep-old-method-in-case-of-an-unsupported-protocol.patch
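Review bot: the debian/changelog hunk targets `wheezy-security`, but this bug is a proposed-updates request (Tags: wheezy, Usertags: pu), so the entry `+openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium` should name the distribution `wheezy` instead. The same entry is also the only place the OPENSSL_ALLOW_SSLv3 override is mentioned; since the new default changes behaviour for every application linked against libssl1.0.0, a NEWS.Debian entry for libssl1.0.0 describing the change and both ways to re-enable SSLv3 (SSL_CTX_clear_options()/SSL_clear_options() with SSL_OP_NO_SSLv3, or the environment variable) is warranted.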
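Review bot: in the SSL_CTX_new() hunk of disable_sslv3.patch, `if (getenv("OPENSSL_ALLOW_SSLv3") == NULL)` treats an empty value as set, so `OPENSSL_ALLOW_SSLv3=` re-enables SSLv3 exactly like any other value; that matches the changelog's "to anything" but should be stated wherever the variable is documented. A plain getenv() is also honoured in set-user-ID programs, so whoever starts such a program can re-enable SSLv3 inside it from the environment; if that is a concern for wheezy, ignore the override when the process runs with elevated privileges. The patch file itself carries no DEP-3 header (Description, Origin, Bug-Debian), so please add one recording the rationale (POODLE, CVE-2014-3566) and the environment override rather than leaving the explanation only in debian/changelog.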
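Review bot: the ssl/s23_srvr.c hunk is an unmodified upstream backport and is precautionary in this build: the git format-patch header already records upstream commit 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 (so no separate DEP-3 Origin line is needed), and because disable_sslv3.patch turns SSLv3 off through SSL_OP_NO_SSLv3 rather than the no-ssl3 build option, the NULL return from ssl23_get_server_method() that this hunk guards is the no-ssl3 case described in the commit message and is not reached here, consistent with the changelog's "not affected" remark. Carrying it is still right ahead of a later switch to no-ssl3 (the changelog's "(yet)"), and the change correctly leaves s->method untouched when SSL_R_UNSUPPORTED_PROTOCOL is raised. No change requested.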
--- End Message ---
--- Begin Message ---
- To: Kurt Roeckx <kurt@roeckx.be>, 774299-done@bugs.debian.org
- Subject: Re: Bug#774299: wheezy-pu: openssl: disable SSLv3 by default
- From: Julien Cristau <jcristau@debian.org>
- Date: Thu, 5 May 2016 16:43:22 +0200
- Message-id: <20160505144322.GZ2718@betterave.cristau.org>
- In-reply-to: <20150829151959.GK3107@betterave.cristau.org>
- References: <20141231125253.GA23984@roeckx.be> <20150829151959.GK3107@betterave.cristau.org>
On Sat, Aug 29, 2015 at 17:19:59 +0200, Julien Cristau wrote:
> On Wed, Dec 31, 2014 at 13:52:54 +0100, Kurt Roeckx wrote:
>
> > I would like to disable SSLv3 by default in wheezy. Attached is a
> > debdiff.
> >
> >
> > Kurt
>
> > diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog > > --- openssl-1.0.1e/debian/changelog 2014-10-15 19:45:48.000000000 +0200 > > +++ openssl-1.0.1e/debian/changelog 2014-12-31 13:46:02.000000000 +0100 > > @@ -1,3 +1,15 @@ > > +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium > > + > > + * Disable SSLv3 by default. It can be enabled again by calling > > + SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3. > > + It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the > > + environment to anything. > > + This fixes the POODLE issue (CVE-2014-3566). > > + * Fix CVE-2014-3569. We're not affected by it since we don't build with > > + the no-ssl3 option (yet). > > + > > + -- Kurt Roeckx <kurt@roeckx.be> Wed, 31 Dec 2014 13:45:07 +0100 > > + > > openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium > > > > * Fixes CVE-2014-3513
>
> I'm ok with this in principle; the OPENSSL_ALLOW_SSLv3 environment
> variable really ought to be documented though, at least in a
> NEWS.Debian for libssl1.0.0.
>
wheezy is EOL now, so any further updates will go through LTS rather than proposed-updates. Closing.

Cheers,
Julien

Attachment: signature.asc
Description: PGP signature
--- End Message ---