Bug 1232096 (CVE-2015-3230)

Summary: CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression)
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: edewata, jgalipea, mreynolds, nhosoi, nkinder, rmeggins
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-10 08:58:23 UTC
Bug Depends On: 1230996, 1232100, 1232101, 1232896
Bug Blocks: 1232099

Description Kurt Seifried 2015-06-16 04:56:18 UTC
It was reported that the nsSSL3Ciphers preference is not enforced server side; this
allows for a potential downgrade attack to take place.

Upstream bug report:

https://fedorahosted.org/389/ticket/48194

Comment 2 Huzaifa S. Sidhpurwala 2015-06-16 05:33:39 UTC
This flaw was caused by the following fix applied to 389-ds-base:

https://fedorahosted.org/389/ticket/47838

Comment 3 Kurt Seifried 2015-06-17 18:59:55 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1232896]

Comment 4 Tomas Hoger 2015-08-10 08:55:56 UTC
As noted in comment 2, this flaw was introduced as part of the fixes for issues tracked via the upstream bug noted in comment 2, applied upstream via the following commits (plus a few related commits updating the test suite and correcting mistakes):

https://fedorahosted.org/389/changeset/13c0d2f7b7850676042fe05c917a7d498135324f/
https://fedorahosted.org/389/changeset/5f3c87e1380e56d76d4a4bef3af07633a8589891/
https://fedorahosted.org/389/changeset/c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825/

This issue was corrected via the following commit:

https://fedorahosted.org/389/changeset/53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c/

The regression from upstream ticket 47838 was introduced to Red Hat Enterprise Linux 7 via RHSA-2015:0416, released as part of Red Hat Enterprise Linux 7.1, which updated 389-ds-base packages to upstream version 1.3.3.

Changes that introduced this flaw have not been added to 389-ds-base packages in Red Hat Enterprise Linux 6.

Comment 5 Tomas Hoger 2015-08-10 08:58:23 UTC
In Red Hat Enterprise Linux 7, this issue was already corrected via RHBA-2015:1554:

https://rhn.redhat.com/errata/RHBA-2015-1554.html

Statement:

This issue was corrected in Red Hat Enterprise Linux 7 via RHBA-2015:1554. It did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.