Bug 659297 (CVE-2010-4252)
Summary: CVE-2010-4252 openssl: session key retrieval flaw in J-PAKE implementation
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: mehmetgelisin, rcvalle, tmraz, wnefal+redhatbugzilla
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2010-12-02 13:06:18 UTC

Description
Tomas Hoger
2010-12-02 13:01:16 UTC
Created attachment 464242
Reproducer

Sébastien Martini reproducer. Source:
https://github.com/seb-m/jpake/tree/master/openssl-jpake/

Git repository provides a couple of files that should replace the original files in openssl 1.0.0a that are needed to build a modified client exploiting this flaw. This attachment contains a diff between vanilla 1.0.0a and 1.0.0a with Sébastien's modifications applied.

(In reply to comment #0)
> Note: J-PAKE implementation is considered experimental upstream and is not
> enabled by default.

J-PAKE is not enabled in Red Hat Enterprise Linux and Fedora OpenSSL packages either.

Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 4, 5, or 6.

The same flaw was reported for the OpenSSH J-PAKE implementation too and fixed in:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5

As with OpenSSL, OpenSSH code is experimental and not enabled by default or in RHEL / Fedora builds.

(In reply to comment #0)
> OpenSSL upstream fix for the issue, which should be included in version 0.9.8q
> and 1.0.0c:
> http://cvs.openssl.org/chngview?cn=20098

Upstream security advisory:
http://openssl.org/news/secadv_20101202.txt