Bug 1378127 – CVE-2016-6305 openssl: SSL_peek() hang on empty record

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1378127 - (CVE-2016-6305) CVE-2016-6305 openssl: SSL_peek() hang on empty record

Summary:	CVE-2016-6305 openssl: SSL_peek() hang on empty record

Status:	CLOSED NOTABUG

Aliases:	CVE-2016-6305

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160922,repor...
Keywords:	Security

Depends On:
Blocks:	1367347
	Show dependency tree / graph

Reported:	2016-09-21 10:26 EDT by Tomas Hoger
Modified:	2016-11-08 11:05 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	openssl 1.1.0a
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-09-21 10:29:25 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
OpenSSL upstream fix (1.21 KB, patch) 2016-09-21 10:28 EDT, Tomas Hoger	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2662211	None	None	None	2016-09-27 20:43 EDT

Groups: None (edit)

Description Tomas Hoger 2016-09-21 10:26:36 EDT

Quoting form the draft of the OpenSSL upstream advisory:

SSL_peek() hang on empty record (CVE-2016-6305)
===============================================

Severity: Moderate

OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.

OpenSSL 1.1.0 users should upgrade to 1.1.0a

This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.

Comment 1 Tomas Hoger 2016-09-21 10:26:44 EDT

Acknowledgments:

Name: the OpenSSL project
Upstream: Alex Gaynor

Comment 2 Tomas Hoger 2016-09-21 10:28 EDT

Created attachment 1203332 [details]
OpenSSL upstream fix

Comment 3 Tomas Hoger 2016-09-21 10:28:48 EDT

Upstream bug with reproducer:

https://github.com/openssl/openssl/issues/1563

Comment 4 Tomas Hoger 2016-09-21 10:29:25 EDT

This issue only affected OpenSSL 1.1.0, which is not yet part of any Red Hat product.

Comment 5 Adam Mariš 2016-09-22 11:12:29 EDT

External References:

https://www.openssl.org/news/secadv/20160922.txt

Comment 6 Tomas Hoger 2016-09-26 06:33:39 EDT

Upstream commit:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=63658103d4441924f8dbfc517b99bb54758a98b9

Note You need to log in before you can comment on or make changes to this bug.