Bug 1232096 (CVE-2015-3230) - CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression)
Summary: CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3230
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1230996 1232100 1232101 1232896
Blocks: 1232099
Reported: 2015-06-16 04:56 UTC by Kurt Seifried
Modified: 2021-02-17 05:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-10 08:58:23 UTC
Embargoed:



Description Kurt Seifried 2015-06-16 04:56:18 UTC
It was reported that nsSSL3Ciphers preference is not enforced server side, this
allows for a potential downgrade attack to take place.

Upstream bug report:

https://fedorahosted.org/389/ticket/48194

Comment 2 Huzaifa S. Sidhpurwala 2015-06-16 05:33:39 UTC
This flaw was caused by the following fix applied to 389-ds-base:

https://fedorahosted.org/389/ticket/47838

Comment 3 Kurt Seifried 2015-06-17 18:59:55 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1232896]

Comment 4 Tomas Hoger 2015-08-10 08:55:56 UTC
As noted in comment 2, this flaw was introduced as part of the fixes for issues tracked via upstream bug noted in comment 2, applied upstream via the following commits (plus few related commits updating test suite and correcting mistakes):

https://fedorahosted.org/389/changeset/13c0d2f7b7850676042fe05c917a7d498135324f/
https://fedorahosted.org/389/changeset/5f3c87e1380e56d76d4a4bef3af07633a8589891/
https://fedorahosted.org/389/changeset/c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825/

This issue was corrected via the following commit:

https://fedorahosted.org/389/changeset/53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c/

The regression from upstream ticket 47838 was introduced to Red Hat Enterprise Linux 7 via RHSA-2015:0416, released as part of Red Hat Enterprise Linux 7.1, which updated 389-ds-base packages to upstream version 1.3.3.

Changes that introduced this flaw have not been added to 389-ds-base packages in Red Hat Enterprise Linux 6.

Comment 5 Tomas Hoger 2015-08-10 08:58:23 UTC
In Red Hat Enterprise Linux 7, this issue was already corrected via RHBA-2015:1554:

https://rhn.redhat.com/errata/RHBA-2015-1554.html

Statement:

This issue was corrected in Red Hat Enterprise Linux 7 via RHBA-2015:1554. It did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.

