Openssl vs ssl3 attack
Gene Heskett
gheskett at wdtv.com
Thu Oct 16 21:58:25 UTC 2014
On Thursday 16 October 2014 17:12:35 C de-Avillez did opine
And Gene did reply:
> On 16/10/14 16:02, Gene Heskett wrote:
> > Greetings;
> >
> > I just ran my daily session of update-manager and updated the openssl
> > and its libraries.
> >
> > No mention of the attack fix in the ChangeLog that I saw. So is this
> > intended to plug that attack?
> >
> > Enquiring(sp?) minds want to know.
> >
> > Cheers, Gene Heskett
>
> Since you did not state what version of Ubuntu and openssl, all I can
> say is: if the updated openssl package you installed today has a
> changelog similar to the one below, then yes, it does plug the attack.
>
> ..C..
My bad, all 3 of these installs are Ubuntu-10.04.4 LTS
Version of openssl is 0.9.8k-7ubuntu8.22 now IIRC.
Question? Where the heck are the ChangeLogs stored? Got it, called up
synaptic & checked installed files in properties.
Its in /usr/share/doc/openssl, as ChangeLog.gz but now I am considerably
puzzled, ALL of that Documentation is a minimum of at least 6 months old,
and some it is 5+ years old.
In synaptic, under properties, I can see a ChangeLog, so WTF is it so
damned old?
Looking at the archive .deb itself, the ChangeLog.gz is a local link back
to a generic file. And that file, actually in the libssl archive giving
me 0.9.8k version, HAS NOT BEEN UPDATED SINCE MARCH, 2009!
Good grief, ya buy em books and send em to school...
Ok, it seems we must look at the "changelog.debian.gz", which does appear
to be uptodate, listing the ssl3 fixes:
* SECURITY UPDATE: denial of service via session ticket integrity check
memory leak
- debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
- CVE-2014-3567
* SECURITY UPDATE: fix the no-ssl3 build option
- debian/patches/CVE-2014-3568.patch: fix conditional code in
ssl/s23_clnt.c, ssl/s23_srvr.c.
- CVE-2014-3568
* SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
protocol downgrade attack to SSLv3 that exposes the POODLE attack.
So I learned something, which is that when dealing with debian, changelogs
don't mean squat, use the changelog.debian.gz instead.
> openssl (1.0.1f-1ubuntu2.7) trusty-security; urgency=medium
>
> * SECURITY UPDATE: denial of service via DTLS SRTP memory leak
> - debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
> ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
> util/ssleay.num.
> - CVE-2014-3513
> * SECURITY UPDATE: denial of service via session ticket integrity
> check memory leak
> - debian/patches/CVE-2014-3567.patch: perform cleanup in
> ssl/t1_lib.c. - CVE-2014-3567
> * SECURITY UPDATE: fix the no-ssl3 build option
> - debian/patches/CVE-2014-3568.patch: fix conditional code in
> ssl/s23_clnt.c, ssl/s23_srvr.c.
> - CVE-2014-3568
> * SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
> protocol downgrade attack to SSLv3 that exposes the POODLE attack.
> - debian/patches/tls_fallback_scsv_support.patch: added support for
> TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
> ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
> ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
> ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
> doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.
>
> Date: 2014-10-15 17:38:14.520146+00:00
> Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
More information about the ubuntu-users
mailing list