[Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)
Nils Toedtmann
1895294 at bugs.launchpad.net
Wed Sep 16 16:50:47 UTC 2020
Thank you very much for fixing swiftly!
Please forgive me for pointing this out though:
I note that rather than stopping the affected cipher suites from re-
using secrets across connections, you chose to declare the suites as
weak and disabled them altogether.
I appreciate that this is an elegant way to close this vulnerability, in
particular in the absence of an upstream patch.
However, this solution introduces the risk that when trying to establish
a connection with some legacy client or server, they can no longer agree
on a shared cipher, and the TLS handshake fails. That is not in the
spirit of an LTS, which is often elected and used precisely because it
makes it easier to support legacy products reliably.
https://bugs.launchpad.net/bugs/1895294
Title:
Fix Raccoon vulnerability (CVE-2020-1968)
Status in openssl package in Ubuntu:
Fix Released
Status in openssl source package in Xenial:
Fix Released
Bug description:
Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
patched yet against the Raccoon Attack (CVE-2020-1968):
- https://www.openssl.org/news/secadv/20200909.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
- https://raccoon-attack.com/
Ubuntu's CVE tracker still lists this as NEEDED for Xenial:
- https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
- https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html
Other supported Ubuntu releases use versions of OpenSSL that are not
affected.
Indeed:
$ apt-cache policy openssl
openssl:
Installed: 1.0.2g-1ubuntu4.16
$ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
Not patched
What is the status?
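The trade-off raised in the comment above (marking every DH key-exchange suite as weak instead of stopping the secret reuse) can be checked on a host before the update is rolled out. The following is an added example, not code from the bug thread, from Ubuntu or from OpenSSL: it parses the output format of `openssl ciphers -v`, isolates the finite-field DH suites that Raccoon concerns, and simulates which suite a given peer could still negotiate once those suites are disabled. The cipher lists and the two client offers are constructed for the example.

```python
# Added example: which suites survive once every DH key-exchange suite is
# treated as weak, and whether a given peer still has something to agree on.
# Input format is that of `openssl ciphers -v`; the lists are constructed.

SERVER_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# Hypothetical peers: a modern client, and a legacy one that only offers DHE.
MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]
LEGACY_CLIENT = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]


def parse_ciphers_v(text):
    """Map suite name -> attributes (Kx, Au, Enc, Mac), in listed order."""
    suites = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites[parts[0]] = attrs
    return suites


def dh_kx_suites(suites):
    """Suites whose key exchange is finite-field DH (Kx=DH, DH/RSA, DH/DSS),
    i.e. the class the Raccoon advisory is about. ECDH does not match."""
    return {n for n, a in suites.items() if a.get("Kx", "").startswith("DH")}


def negotiate(server_suites, client_offer, disable_dh):
    """First suite in server preference order that the client also offers,
    after optionally dropping the DH suites. None means the handshake fails,
    which is the legacy-peer risk the comment describes."""
    disabled = dh_kx_suites(server_suites) if disable_dh else set()
    for name in server_suites:  # dict preserves server order
        if name not in disabled and name in client_offer:
            return name
    return None
```

Running `openssl ciphers -v` on the patched host and feeding its real output to `parse_ciphers_v` turns this into a concrete check of which legacy peers would lose their last common suite.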