Bug 209116

Summary: CVE-2006-3738 OpenSSL issues (CVE-2006-4343, CVE-2006-2940, CVE-2006-2937, CVE-2006-4339)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: openssl
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: bob, bugs-redhat, donjr, florin, mattdm, michal, mspevack, pekkas, security-response-team, sheltren
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important, LEGACY, rh73, rh90, 3, 4, needsbuild
Doc Type: Bug Fix
Last Closed: 2006-12-02 00:17:31 UTC
Bug Depends On: 205180, 206940, 207274, 207276, 208744

Description David Eisenstein 2006-10-03 12:07:35 UTC
+++ This bug was initially created as a clone of Bug #206940, Bug #207274,
    and Bug #207276 +++

     Four CVE issues:
-- Two from Bug #206940

 1) Buffer Overflow:  Tavis Ormandy and Will Drewry of the Google Security
    Team discovered a buffer overflow in SSL_get_shared_ciphers utility
    function, used by some applications such as exim and mysql. An attacker
    could send a list of ciphers that would overrun a buffer.  CVE-2006-3738

 2) Denial of Service:  Tavis Ormandy and Will Drewry of the Google Security
    Team discovered a possible DoS in the sslv2 client code.  Where a client
    application uses OpenSSL to make a SSLv2 connection to a malicious server
    that server could cause the client to crash.  CVE-2006-4343

-- One from Bug #207274

 3)  Parasitic Public Key DoS:  Dr S N Henson of the OpenSSL core team and
     Open Network Security recently developed an ASN1 test suite for NISCC
     (www.niscc.gov.uk). When the test suite was run against OpenSSL a denial
     of service vulnerability was discovered.

     Certain types of public key can take disproportionate amounts of
     time to process. This could be used by an attacker in a denial of
     service attack.  Any code which uses OpenSSL to parse ASN1 data from
     untrusted sources is affected.  This includes SSL servers which enable
     client authentication and S/MIME applications.  CVE-2006-2940

-- One from Bug #207276

 4)  OpenSSL ASN1 DoS:  Dr S N Henson of the OpenSSL core team and Open
     Network Security recently developed an ASN1 test suite for NISCC
     (www.niscc.gov.uk).  When the test suite was run against OpenSSL 
     a denial of service vulnerability was discovered.

     During the parsing of certain invalid ASN1 structures an error condition
     is mishandled. This can result in an infinite loop which consumes
     system memory.  Any code which uses OpenSSL to parse ASN1 data from
     untrusted sources is affected. This includes SSL servers which enable
     client authentication and S/MIME applications.  CVE-2006-2938

     This issue affects 0.9.7 and 0.9.8 but not 0.9.6 and earlier.

Red Hat has issued RHSA-2006-0695 for these issues.
   <https://rhn.redhat.com/errata/RHSA-2006-0695.html>.

Comment 1 David Eisenstein 2006-10-03 12:44:11 UTC
Michal Jaegermann has proposed a .src.rpm package for FC4.  It may work for FC3 as
well.  <ftp://ftp.harddata.com/pub/Legacy_srpms/>.   There was evidently a bug
in one of the patches, but Michal says he has fixed that bug in his 
openssl-0.9.7f-7.10.3mj.src.rpm, and reported that bug to RHEL developer Tomas
Mraz in Bug #207844.

See Michal's post at 
<http://www.redhat.com/archives/fedora-legacy-list/2006-September/msg00036.html>
and following messages.

Pekka Savola indicates in post
<http://www.redhat.com/archives/fedora-legacy-list/2006-September/msg00037.html>
that he has created OpenSSL updates for Red Hat 7.3.

I plan to submit packages for RHL7.3, RHL9, FC3 and FC4 in the next day or two
for peer review (Publish QA) based upon the above good work.  Or, if someone
gets to them before me, please have at it!

Thanks, Guys!

(ps:  Am going ahead and submitting for RHL7.3 and RHL9 because this bug came
out before Legacy's Oct. 1st closure for new bugs to be introduced for those
releases.  Also-- added cc's for the folks to this bug who were involved in the
discussion on the legacy-list.  Hope you don't mind!)

Comment 2 Florian La Roche 2006-10-03 14:04:39 UTC
FYI: The FC5 update for openssl097a-0.9.7a-4.2.2.src.rpm should also just
recompile on FC4 as an official update.

regards,

Florian La Roche


Comment 3 David Eisenstein 2006-10-09 23:05:28 UTC
Thank you, Florian!

There is another issue that this ticket should also fix, CVE-2006-4339:
RSA Signature forgery.  Info from the related RHSA-2006-0661:

"Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. Where an RSA key with exponent 3 is used it may be possible
for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly
verified by implementations that do not check for excess data in the RSA
exponentiation result of the signature.

"The Google Security Team discovered that OpenSSL is vulnerable to this
attack. This issue affects applications that use OpenSSL to verify X.509
certificates as well as other uses of PKCS #1 v1.5. (CVE-2006-4339)"

Also - had a typo on the OpenSSL ASN1 DoS issue.  The CVE number is
CVE-2006-2937, not CVE-2006-2938 as previously mentioned.
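
An added illustration, not part of the original bug report and not OpenSSL's code: the "check for excess data" named in the RHSA text quoted in comment 3 (CVE-2006-4339), shown as a lenient PKCS #1 v1.5 padding check beside a strict one. The function names, the 128-byte block size, and the digest and filler bytes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
enum { HLEN = 20, TLEN = 35 };  /* SHA-1 digest; DigestInfo = 15-byte prefix + digest */
static const unsigned char PFX[15] = {  /* DER DigestInfo prefix for SHA-1 (RFC 8017) */
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };

/* Flawed pattern: walk 00 01 FF..FF 00 DigestInfo and stop there; whatever
   follows the digest in the block is never examined. */
int check_lenient(const unsigned char *em, size_t k, const unsigned char *h)
{
    size_t i = 2;
    if (k < 2 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < k && em[i] == 0xff) i++;
    if (i >= k || em[i++] != 0x00 || k - i < TLEN) return 0;
    return !memcmp(em + i, PFX, 15) && !memcmp(em + i + 15, h, HLEN);
}

/* Strict check: rebuild the single valid k-byte encoding and compare every
   byte, so the digest must end exactly at the last byte of the block. */
int check_strict(const unsigned char *em, size_t k, const unsigned char *h)
{
    unsigned char want[512];
    if (k > sizeof want || k < TLEN + 11) return 0;
    memset(want, 0xff, k);
    want[0] = 0x00; want[1] = 0x01; want[k - TLEN - 1] = 0x00;
    memcpy(want + k - TLEN, PFX, 15);
    memcpy(want + k - HLEN, h, HLEN);
    return memcmp(em, want, k) == 0;
}

/* Constructed sample: a 128-byte block with npad FF bytes, then 0xAA filler
   after the digest. Returns 2*lenient + strict, or -1 if npad does not fit. */
int demo(size_t npad)
{
    unsigned char em[128], h[HLEN];
    if (npad > sizeof em - TLEN - 3) return -1;
    memset(h, 0x5c, HLEN);                  /* constructed digest value */
    memset(em, 0xaa, sizeof em);
    memset(em + 2, 0xff, npad);
    em[0] = 0x00; em[1] = 0x01; em[2 + npad] = 0x00;
    memcpy(em + 3 + npad, PFX, 15);
    memcpy(em + 18 + npad, h, HLEN);
    return 2 * check_lenient(em, sizeof em, h) + check_strict(em, sizeof em, h);
}

int main(void)
{
    return printf("well-formed: %d, excess data: %d\n", demo(90), demo(8)) < 0;
}
```

A result of 3 means both checks accept the block; 2 means only the lenient check accepted it, which is the case the strict comparison closes.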


Comment 4 Florian La Roche 2006-10-10 05:40:05 UTC
Even better, you can just recompile the openssl097a rpm from the
FC-development tree on FC4 as a security update.
Also gzip from FC-devel can go in.

I've put some updates for FC4 together at 
http://www.jur-linux.org/rpms/fc-updates/4/

regards,

Florian La Roche


Comment 5 David Eisenstein 2006-10-11 02:27:22 UTC
This is wonderful, Florian!  Thank you ever so much!

Comment 6 David Eisenstein 2006-10-11 02:34:12 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, have built srpm's and compiled openssl for FC4.  The openssl I built
is almost entirely based on Michal Jaegermann's 'openssl-0.9.7f-7.10.3mj.
src.rpm', with no substantial changes.  Thanks Michal!

Still need to do openssl097a for FC4.  I will take FC5's
'openssl097a-0.9.7a-4.2.2.src.rpm', as Florian suggests, to use
for openssl097a for FC4.

Here is the FC4 openssl main package for publish (source) QA:

SHA1SUM                                   Package
=======================================   =============================
http://tinyurl.com/pg9rz/SRPM/
815f9c69b712a8d1aa231f35706606f1de3015a4__openssl-0.9.7f-7.11.legacy.src.rpm


Some binary packages that you can also look at and test.  Unless the .src.rpm
fails publish QA, they will likely be the packages pushed to updates-testing
(signed then by the Fedora Legacy PGP key, not my key).

SHA1SUM                                   Package
=======================================   =============================
http://tinyurl.com/pg9rz/x86_64/
00149f5f5bff76a7ecb0df9842218a3312d1322d__openssl-0.9.7f-7.11.legacy.x86_64.rpm
74d3ba73f6f6ec45fff32b3fb4dfa141aab37b65__openssl-devel-0.9.7f-7.11.legacy.x86_64.rpm
8ef360023a52e9b8db41d0c0fd64511404eeba5a__openssl-perl-0.9.7f-7.11.legacy.x86_64.rpm

http://tinyurl.com/pg9rz/i386/
64d64aca3c8d017d0c5d5961a6955132a04ebcfc__openssl-0.9.7f-7.11.legacy.i386.rpm
194d99fd5bbca1367e98d0ae83407f83ad3c6e89__openssl-devel-0.9.7f-7.11.legacy.i386.rpm
637f9297644136866d8fc5ec47f8f892e33efaf0__openssl-perl-0.9.7f-7.11.legacy.i386.rpm

Changelog:

* Mon Oct  9 2006 David Eisenstein <deisenst> - 0.9.7f.7.11.legacy
- - Incorporate Michal Jaegermann's fixes for CVE-2006-4339, CVE-2006-2937,
  CVE-2006-2940, CVE-2006-3738, and CVE-2006-4343 & rebuild. (#209116)

* Sat Sep 30 2006 Michal Jaegermann <michal> - 0.9.7f-7.10.3mj
- - in openssl-0.9.7a-cve-2006-2940.patch replaced 'goto err;' with
  'return(ret);' as we do not want to attempt to free some random
  junk in case of an early return.

* Fri Sep 29 2006 Michal Jaegermann <michal> - 0.9.7f-7.10.2mj
- - recompile for FC4 with recent security fixes

* Thu Sep 28 2006 Tomas Mraz <tmraz> 0.9.7a-43.14
- - fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- - fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- - fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- - fix CVE-2006-4343 - sslv2 client DoS (#206940)

* Tue Sep  5 2006 Michal Jaegermann <michal> - 0.9.7f-7.10.1mj
- - recompile for FC4 with CVE-2006-4339 fix

* Tue Sep  5 2006 Tomas Mraz <tmraz> 0.9.7a-43.11
- - fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFLFY9xou1V/j9XZwRAqAkAKDdTTphf19J1LO1rW2KMwujI9dAJwCfajgt
gPUafwGVPfPoRF29h693b+0=
=6sq1
-----END PGP SIGNATURE-----


Comment 7 Donald Maner 2006-11-08 01:57:35 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created the following SRPMs for openssl:

rh7.3:

f90ac90a823cc3691eda0a0db053bd806d0af5fe 
http://lance.maner.org/openssl095a-0.9.5a-24.7.7.legacy.src.rpm
b372df265cba12108b9a83fed5cad7c46cb9a22d 
http://lance.maner.org/openssl096-0.9.6-25.12.legacy.src.rpm
a52a6830fc0906ec8b3d894cebdd2819c8fe5117 
http://lance.maner.org/openssl-0.9.6b-39.11.legacy.src.rpm

rh9:

c7060919bb84d8573adafb47d07bd848271b6240 
http://lance.maner.org/openssl096-0.9.6-25.13.legacy.src.rpm
8d429b517982e36677cd3b65b68a7d76e28fbeaf 
http://lance.maner.org/openssl096b-0.9.6b-15.4.legacy.src.rpm
b133a985fdceb4ad531afc864eb18d677e0e4550 
http://lance.maner.org/openssl-0.9.7a-20.7.legacy.src.rpm

fc3:

d43e8c2d14eb78a5705dd3f5843c242110c7453b 
http://lance.maner.org/openssl096b-0.9.6b-21.43.legacy.src.rpm
fbf08082a5d80c1138fad543599087ae750a7ede 
http://lance.maner.org/openssl-0.9.7a-42.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFUTj9pxMPKJzn2lIRAvS2AJ9xwe1GhuvSPbBVCQVl6yU79tLbUQCgpvfT
B0Ta1ya888IYbvuPpxZKNtc=
=2Vgj
-----END PGP SIGNATURE-----

Comment 8 David Eisenstein 2006-11-12 07:45:39 UTC
Thanks a bunch, Donald!  Guess I will build what you have presented here to
push to updates-testing.  I also have created this SRPM, which should complete
what we need for FC-4:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(In reply to comment #4)
> Even better, you can just recompiled the openssl097a rpm from the
> FC-development tree on FC4 as a security update.
> Also gzip from FC-devel can go in.
> 
> I've put some updates for FC4 together at 
> http://www.jur-linux.org/rpms/fc-updates/4/
> 
> regards,
> 
> Florian La Roche

I looked into the openssl097a from FC-development, and integrated in 
all of the security patches from it into FC4's
openssl097a-0.9.7a-3.1.src.rpm and came up with 
openssl097a-0.9.7a-3.2.src.rpm.  There were a number of changes in
the openssl097a from the FC-development tree that, although they might
be helpful, I didn't feel safe in incorporating in Legacy's backports
for FC4

SRPM for fc4:

03b9d2e560dc2c42047e9de46dfccda5da21c4c5  openssl097a-0.9.7a-3.2.src.rpm

available at:
http://fedoralegacy.org/contrib/openssl/openssl097a-0.9.7a-3.2.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFVsugxou1V/j9XZwRAkEDAKCd6XwycHiijT0QaVdzdluhdnk84QCePRQm
DWDvHMdmv0ggkNoOLOkebTM=
=hV6V
-----END PGP SIGNATURE-----


Comment 9 David Eisenstein 2006-11-12 08:11:01 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Regarding comment #6, please scratch it.  The packages mentioned there
seem no longer to be available.

Instead, here is the FC4 openssl .src.rpm, signed by my 0x7910794F
PGP signature key:

82f0eb87fdbf6d19e53b25ea2d171ad4e52b0a84  openssl-0.9.7f-7.11.legacy.src.rpm

http://fedoralegacy.org/contrib/openssl/openssl-0.9.7f-7.11.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFVtZ1xou1V/j9XZwRAjOvAKCXnoVPBtZ2RMkFXRpj6/yNa2N3twCeNwBH
ts9XwYWlNPOB9ABs2gXHq/s=
=9qa/
-----END PGP SIGNATURE-----


Comment 10 Matthew Miller 2006-11-13 20:17:49 UTC
What about FC3? (Should I mark this one as FC4 and clone a new bug for FC3?)

Comment 11 Donald Maner 2006-11-13 20:33:00 UTC
See comment #7.  FC3 SRPMs are in there.

Comment 12 Matthew Miller 2006-11-13 20:41:25 UTC
Oh, sorry, I'd missed that.

Comment 13 David Eisenstein 2006-11-29 21:20:33 UTC
I guess this needs to be pushed to updates-testing?  I am confused.
Jeff Sheltren -- any input?

Comment 14 David Eisenstein 2006-12-02 00:17:31 UTC
Process Breakdown.  Abort.  Fedora Legacy is apparently, by consent of those
interested in the project, closed until further notice.

For discussion about this, see
http://www.redhat.com/archives/fedora-legacy-list/2006-November/thread.html#00114
and following...

If you feel that this closing of this bug report is in error, please
respond with a comment in this Bugzilla report, or on the 
<fedora-legacy-list> mailing list.  Thanks.  It *can* be
re-opened.