Bug 1232096 - (CVE-2015-3230) CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150609,repor...
Keywords: Security
Depends On: 1230996 1232100 1232101 1232896
Blocks: 1232099
Reported: 2015-06-16 00:56 EDT by Kurt Seifried
Modified: 2015-08-10 04:58 EDT (History)
CC List: 6 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-10 04:58:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Kurt Seifried 2015-06-16 00:56:18 EDT
It was reported that the nsSSL3Ciphers preference is not enforced server side; this
allows for a potential downgrade attack to take place.

Upstream bug report:

https://fedorahosted.org/389/ticket/48194
Comment 2 Huzaifa S. Sidhpurwala 2015-06-16 01:33:39 EDT
This flaw was caused by the following fix applied to 389-ds-base:

https://fedorahosted.org/389/ticket/47838
Comment 3 Kurt Seifried 2015-06-17 14:59:55 EDT
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1232896]
Comment 4 Tomas Hoger 2015-08-10 04:55:56 EDT
As noted in comment 2, this flaw was introduced as part of the fixes for issues tracked via the upstream bug noted in comment 2, applied upstream via the following commits (plus a few related commits updating the test suite and correcting mistakes):

https://fedorahosted.org/389/changeset/13c0d2f7b7850676042fe05c917a7d498135324f/
https://fedorahosted.org/389/changeset/5f3c87e1380e56d76d4a4bef3af07633a8589891/
https://fedorahosted.org/389/changeset/c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825/

This issue was corrected via the following commit:

https://fedorahosted.org/389/changeset/53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c/

The regression from upstream ticket 47838 was introduced to Red Hat Enterprise Linux 7 via RHSA-2015:0416, released as part of Red Hat Enterprise Linux 7.1, which updated 389-ds-base packages to upstream version 1.3.3.

Changes that introduced this flaw have not been added to 389-ds-base packages in Red Hat Enterprise Linux 6.
Comment 5 Tomas Hoger 2015-08-10 04:58:23 EDT
In Red Hat Enterprise Linux 7, this issue was already corrected via RHBA-2015:1554:

https://rhn.redhat.com/errata/RHBA-2015-1554.html

Statement:

This issue was corrected in Red Hat Enterprise Linux 7 via RHBA-2015:1554. It did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.
