Bug 1594986 - Insecure GNUTLS settings
Summary: Insecure GNUTLS settings
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: iksemel
Version: epel7
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Jeffrey C. Ollie
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/meduketto/iksemel/...
Whiteboard:
: 1600897 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-25 23:11 UTC by Gary T. Giesen
Modified: 2018-07-13 18:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-09 14:51:04 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Debian BTS 803204 None None None 2018-06-25 23:11:07 UTC

Description Gary T. Giesen 2018-06-25 23:11:08 UTC
Description of problem:
    
Hardcoded and very low grade ciphers enabled in libiksemel:

       const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
       const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
       const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, 
GNUTLS_CIPHER_ARCFOUR, 0};
       const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 
0 };
       const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };

    SSL3, 3DES, RC4, SSL compression… With this setting not only low grade
    ciphers are available, but higher grades are disabled. So this is a
    major security issue, also affecting stable.

Version-Release number of selected component (if applicable):
1.4-6

How reproducible:
Always

Additional info:

See issue in upstream github: https://github.com/meduketto/iksemel/issues/48

Comment 1 Gary T. Giesen 2018-06-25 23:29:15 UTC
Perhaps consider pulling from https://github.com/timothytylee/iksemel-1.4 , upstream seems to be unmaintained.

Comment 2 Jeffrey C. Ollie 2018-07-09 14:51:04 UTC
The github branch you link to isn't any better, iksemel is effectively abandoned. I do not have the time/desire to take on maintenance and as far as I can see no one else does either.

Comment 3 Jason Tibbitts 2018-07-09 14:59:24 UTC
In case it's not obvious, iksemel has been retired on both the rawhide and epel7 branches and should disappear from EPEL7 soon.  This will leave zabbix{20,22}-server-{mysql,pgsql} with broken dependencies.

It's still available in EPEL6, though; perhaps it should be retired there as well.  This will of course leave more broken dependencies in the various zabbix releases.

Comment 4 Jeffrey C. Ollie 2018-07-09 15:12:06 UTC
Yes, I was the one that just retired those branches. I just did EL6 as well.  I emailed the zabbix and asterisk owners as well as the development list and no one seemed to care. From what I know of the Zabbix and Asterisk packaging it should be fairly easy to rebuild both packages without iksemel.

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/I5442Q55W7YE6ZFFDBZIUBE7KM2ZNTM3/

Comment 5 Kevin Fenzi 2018-07-13 18:16:55 UTC
*** Bug 1600897 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.