Bug 1047840 - (CVE-2013-6450) CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20131219,repo...
: Security
Depends On: 1047843 1047844 1047845 1047846 1047847 1048277 1048278
Blocks: 1045440
  Show dependency treegraph
 
Reported: 2014-01-02 06:10 EST by Ratul Gupta
Modified: 2015-10-15 14:09 EDT (History)
18 users (show)

See Also:
Fixed In Version: openssl 1.0.1f, openssl 1.0.0l
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-31 10:06:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2014-01-02 06:10:32 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6450 to the following vulnerability:

The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

Upstream commit:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896
Comment 3 Ratul Gupta 2014-01-02 06:15:41 EST
Created mingw32-openssl tracking bugs for this issue:

Affects: epel-5 [bug 1047845]
Comment 4 Ratul Gupta 2014-01-02 06:15:45 EST
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1047843]
Comment 5 Ratul Gupta 2014-01-02 06:15:49 EST
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1047844]
Comment 6 Ratul Gupta 2014-01-02 06:39:03 EST
Upstream bug link:
http://rt.openssl.org/Ticket/Display.html?id=3199&user=guest&pass=guest
Comment 7 Mark J. Cox (Product Security) 2014-01-03 08:38:51 EST
OpenSSL 0.9.8 is not affected.
Comment 13 Tomas Hoger 2014-01-08 09:03:13 EST
DTLS protocol support is not available in openssl packages in Red Hat Enterprise Linux 4 and earlier.  Red Hat Enterprise Linux 5 uses openssl 0.9.8, which is not affected (see comment 7).

Statement:

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.
Comment 14 errata-xmlrpc 2014-01-08 13:19:32 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0015 https://rhn.redhat.com/errata/RHSA-2014-0015.html
Comment 15 Tomas Hoger 2014-01-08 15:51:31 EST
(In reply to Mark J. Cox (Security Engineering) from comment #7)
> OpenSSL 0.9.8 is not affected.

More details in post from upstream developer:

http://www.mail-archive.com/openssl-dev@openssl.org/msg33547.html
Comment 17 Fedora Update System 2014-01-10 02:45:27 EST
openssl-1.0.1e-37.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2014-01-10 02:58:36 EST
openssl-1.0.1e-37.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2014-01-12 00:06:30 EST
openssl-1.0.1e-37.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Vincent Danen 2014-01-31 10:06:20 EST
SUSE was reporting [1] some crashes with a patched openssl, so I wanted to clarify here that they were missing part of the required fix.

In addition to the upstream commit noted in comment #0:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896

Upstream also indicated [2] that this patch was required:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a6c62f0

We have this patch in our openssl-1.0.1e-cve-2013-6450.patch which was applied to Red Hat Enterprise Linux 6's fix, as noted above.

So the problems that SUSE was describing would not affect Red Hat Enterprise Linux 6.

[1] https://bugzilla.novell.com/show_bug.cgi?id=861384
[2] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3214#txn-38658

Note You need to log in before you can comment on or make changes to this bug.