Bug 1325324

Summary: kdelibs: qt: Support of insecure cipher suites
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: itamar, jgrulich, jreznik, kevin, me, nmavrogi, rdieter, rnovacek, smparrish, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-30 06:25:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1325325, 1325326, 1325327, 1325328, 1325329
Bug Blocks: 1325330

Description Adam Mariš 2016-04-08 12:58:03 UTC
It was reported that kdelibs and qt libraries support insecure cipher suites.

Suse bug:

https://bugzilla.suse.com/show_bug.cgi?id=865241

Comment 1 Adam Mariš 2016-04-08 12:59:16 UTC
Created kdelibs tracking bugs for this issue:

Affects: fedora-all [bug 1325325]

Comment 2 Adam Mariš 2016-04-08 12:59:24 UTC
Created qt3 tracking bugs for this issue:

Affects: fedora-all [bug 1325329]

Comment 3 Adam Mariš 2016-04-08 12:59:30 UTC
Created qt tracking bugs for this issue:

Affects: fedora-all [bug 1325328]

Comment 4 Adam Mariš 2016-04-08 12:59:38 UTC
Created kdelibs3 tracking bugs for this issue:

Affects: fedora-all [bug 1325326]
Affects: epel-7 [bug 1325327]

Comment 5 Rex Dieter 2016-04-08 13:52:06 UTC
Is it possible to take this approach,
https://fedoraproject.org/wiki/Changes/CryptoPolicy

...
In OpenSSL the cipher string "PROFILE=SYSTEM" will be used to specify the system ciphers. Any applications not explicitly specifying ciphers will use the system ciphers.

Per
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

I'd looked before, but didn't see any place where any explicit call to SSL_CTX_set_cipher_list was made, so I naively assumed things were ok by default.

So, maybe consider adding some SSL_CTX_set_cipher_list call (somewhere?) to address this?

(sorry, I'd commented on the qt one specifically before noticing this top-level tracker)
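As an added example (not code from this bug, Qt or kdelibs), the approach suggested in comment 5 written against Python's ssl module, whose set_ciphers() hands the string straight to OpenSSL's SSL_CTX_set_cipher_list: the context asks for "PROFILE=SYSTEM" first and, on an OpenSSL build without the Fedora crypto-policies patch, falls back to an explicit hardened list, while insecure_suites() audits whichever list results for RC4 and other weak suites. The fallback cipher string and the forbidden-token list are constructed for this example and are not Fedora's actual policy.

```python
import ssl

# Constructed fallback for OpenSSL builds that do not understand the Fedora
# crypto-policies string "PROFILE=SYSTEM" (an assumption, not Fedora's policy):
# drops anonymous, NULL, export, RC4, MD5 and single/triple DES suites.
FALLBACK_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES"

# Substrings that flag an enabled suite as unacceptable (constructed list).
FORBIDDEN_TOKENS = ("RC4", "NULL", "EXP", "MD5")


def make_system_policy_context():
    """Client TLS context that defers to the system cipher profile.

    set_ciphers() calls SSL_CTX_set_cipher_list; on Fedora/RHEL OpenSSL
    "PROFILE=SYSTEM" selects the distribution policy, elsewhere no suite
    matches and ssl.SSLError is raised, so an explicit hardened list is
    used instead.  Returns (context, used_system_profile).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # SSLv3 (and TLS 1.0/1.1) stay disabled whichever cipher string wins.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("PROFILE=SYSTEM")
        used_system_profile = True
    except ssl.SSLError:
        ctx.set_ciphers(FALLBACK_CIPHERS)
        used_system_profile = False
    return ctx, used_system_profile


def insecure_suites(ctx):
    """Names of enabled suites matching a forbidden token; [] is the goal."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"] for tok in FORBIDDEN_TOKENS)]


def sslv3_disabled(ctx):
    """True when the context refuses anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx, used_system = make_system_policy_context()
    print("system profile in use:", used_system)
    print("insecure suites still enabled:", insecure_suites(ctx))
```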

Comment 9 Nikos Mavrogiannopoulos 2016-04-19 09:00:33 UTC
To which version of Fedora does this bug report apply? SSL 3.0 and RC4 were removed in Fedora 23.

https://fedoraproject.org/wiki/Changes/RemoveSSL3andRc4

Comment 10 Than Ngo 2016-04-19 12:53:04 UTC
(In reply to Nikos Mavrogiannopoulos from comment #9)
> To which version of Fedora does this bug report apply? SSL 3.0 and RC4 were
> removed in Fedora 23.
> 
> https://fedoraproject.org/wiki/Changes/RemoveSSL3andRc4

It's Fedora 22.

Comment 11 Nikos Mavrogiannopoulos 2016-04-19 12:55:37 UTC
Then I do not see any security vulnerability. Please upgrade to Fedora 23.