Bug 659297 (CVE-2010-4252)
| Summary: | CVE-2010-4252 openssl: session key retrieval flaw in J-PAKE implementation | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | mehmetgelisin, rcvalle, tmraz, wnefal+redhatbugzilla | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-12-02 13:06:18 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Tomas Hoger
2010-12-02 13:01:16 UTC
Created attachment 464242 [details] Reproducer Sébastien Martini reproducer. Source: https://github.com/seb-m/jpake/tree/master/openssl-jpake/ Git repository provides couple of files that should replace original files in openssl 1.0.0a that are needed to build modified client exploiting this flaw. This attachment contains a diff between vanilla 1.0.0a and 1.0.0a with Sébastien's modifications applied. (In reply to comment #0) > Note: J-PAKE implementation is considered experimental upstream and is not > enabled by default. J-PAKE is not enabled in Red Hat Enterprise Linux and Fedora OpenSSL packages either. Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 4, 5, or 6. Same flaws was reported for OpenSSH J-PAKE implementation too and fixed in: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5 As with OpenSSL, OpenSSH code is experimental and not enabled by default or in RHEL / Fedora builds. (In reply to comment #0) > OpenSSL upstream fix for the issue, which should be included in version 0.9.8q > and 1.0.0c: > http://cvs.openssl.org/chngview?cn=20098 Upstream security advisory: http://openssl.org/news/secadv_20101202.txt |