Please backport OpenSSL SNI signature algorithms fix.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Medium | Marc Deslauriers | |
| Trusty | Fix Released | Medium | Marc Deslauriers | |
Bug Description
If an OpenSSL consumer uses SSL_set_SSL_CTX (very commonly done with SNI), OpenSSL 1.0.1i and earlier lose internal state relating to TLS 1.2 which causes it to forget the peer's digest preferences. The end result is such servers will *only* sign SHA-1 ServerKeyExchanges in TLS 1.2, even if the peer advertises other hashes or even doesn't advertise SHA-1 at all.
See:
https:/
https:/
https:/
http://
Glancing at packages.
The links above should have reproduction steps you can use to confirm the bug and test the fix. (Note that it requires a build of OpenSSL 1.0.2 to confirm the bug. OpenSSL 1.0.1's s_client doesn't print the necessary information.)
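The check the reporter describes needs a client that can say which hash the server used on the ServerKeyExchange. The probe below is an added example, not code from the bug report, from the linked pages or from OpenSSL: it hand-builds a TLS 1.2 ClientHello that carries an SNI extension (so the server's SNI callback and its SSL_set_SSL_CTX call run) and a signature_algorithms list offering only RSA+SHA256, reads the server's first flight, and reports the SignatureAndHashAlgorithm in the ServerKeyExchange. A server with this bug signs with SHA-1 even though SHA-1 was never offered; a correct server signs with SHA-256 or refuses the handshake. The host names, the function names and the choice of cipher suites (ECDHE-RSA and DHE-RSA GCM suites, all of which carry a signed ServerKeyExchange) are this example's own assumptions; the sample server messages in the test are constructed, not captured.

```python
"""Added example (not from the bug report or OpenSSL): probe a TLS 1.2 server
for the SSL_set_SSL_CTX/SNI digest bug.  The ClientHello carries SNI and a
signature_algorithms list offering only RSA+SHA256; the ServerKeyExchange
then shows which hash the server really signed with (SHA-1 = affected)."""
import os
import socket
import struct

HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12
TLS12 = 0x0303
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA"}
# Offered suites -> key exchange; each one carries a signed ServerKeyExchange.
SUITES = {0xC02F: "ECDHE", 0xC030: "ECDHE", 0x009E: "DHE", 0x009F: "DHE"}

def tls_record(ctype, payload, version=TLS12):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def handshake_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def build_client_hello(servername, sigalgs=((4, 1),)):
    """ClientHello with SNI and a restricted signature_algorithms list
    (default RSA+SHA256 only, so a correct server must not sign with SHA-1)."""
    name = servername.encode("idna")
    sni = struct.pack("!BH", 0, len(name)) + name                    # host_name entry
    sa = b"".join(struct.pack("!BB", h, s) for h, s in sigalgs)
    groups = struct.pack("!HHH", 23, 24, 25)                         # P-256, P-384, P-521
    exts = (struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni     # server_name
            + struct.pack("!HHH", 13, len(sa) + 2, len(sa)) + sa     # signature_algorithms
            + struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", TLS12) + os.urandom(32) + b"\x00"      # no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression
            + struct.pack("!H", len(exts)) + exts)
    # Record-layer version 3.1 keeps strict old servers from rejecting the hello.
    return tls_record(HANDSHAKE, handshake_msg(CLIENT_HELLO, body), version=0x0301)

def parse_handshake_messages(data):
    """(type, body) handshake messages, reassembled across records.  Stops at
    a truncated record or message; raises on a TLS alert."""
    hs, off = b"", 0
    while off + 5 <= len(data):
        ctype, _, rlen = struct.unpack("!BHH", data[off:off + 5])
        frag, off = data[off + 5:off + 5 + rlen], off + 5 + rlen
        if len(frag) < rlen:
            break
        if ctype == ALERT:
            raise ValueError("server sent alert %s" % frag[:2].hex())
        if ctype == HANDSHAKE:
            hs += frag
    out = []
    while len(hs) >= 4 and len(hs) >= 4 + int.from_bytes(hs[1:4], "big"):
        mlen = int.from_bytes(hs[1:4], "big")
        out.append((hs[0], hs[4:4 + mlen]))
        hs = hs[4 + mlen:]
    return out

def parse_ske_signature(body, kx):
    """(hash, sig) names from a TLS 1.2 ServerKeyExchange body."""
    off = 0
    if kx == "ECDHE":                      # curve_type(1) named_curve(2) len(1) point
        if body[0] != 3:
            raise ValueError("unsupported ECCurveType %d" % body[0])
        off = 4 + body[3]
    elif kx == "DHE":                      # dh_p, dh_g, dh_Ys, each 2-byte length-prefixed
        for _ in range(3):
            off += 2 + struct.unpack("!H", body[off:off + 2])[0]
    else:
        raise ValueError("unexpected key exchange %r" % kx)
    hash_id, sig_id = body[off], body[off + 1]                       # SignatureAndHashAlgorithm
    return HASH_NAMES.get(hash_id, str(hash_id)), SIG_NAMES.get(sig_id, str(sig_id))

def check_ske_digest(stream):
    """Inspect the server's first flight; None until ServerKeyExchange is complete."""
    suite = None
    for mtype, body in parse_handshake_messages(stream):
        if mtype == SERVER_HELLO:
            (ver,) = struct.unpack("!H", body[:2])
            if ver != TLS12:
                raise ValueError("server chose 0x%04x, not TLS 1.2" % ver)
            sid_len = body[34]                                       # after version + random
            (suite,) = struct.unpack("!H", body[35 + sid_len:37 + sid_len])
        elif mtype == SERVER_KEY_EXCHANGE:
            h, s = parse_ske_signature(body, SUITES.get(suite))
            # Only RSA+SHA256 was offered, so a SHA-1 signature is the bug.
            return {"suite": suite, "hash": h, "sig": s, "affected": h == "SHA1"}
    return None

def probe(host, port=443, servername=None, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(servername or host))
        data = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                raise ValueError("connection closed before ServerKeyExchange")
            data += chunk
            result = check_ske_digest(data)
            if result:
                return result
```

`probe("203.0.113.10", servername="vhost.example")` (hypothetical addresses) returns a dict whose `affected` key is True when the server signed with SHA-1 although only RSA+SHA256 was offered. The verdict only tells you something about this bug when the SNI name makes the server's callback actually switch contexts with SSL_set_SSL_CTX, so probe the name of a non-default virtual host, not the default one. Where an OpenSSL 1.0.2 build is available, the same check is `openssl s_client -connect host:443 -servername vhost -tls1_2 -sigalgs RSA+SHA256`, whose `Peer signing digest` line is the information the reporter says 1.0.1's s_client does not print.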
Changed in openssl (Ubuntu Precise): status: New → Confirmed
Changed in openssl (Ubuntu Trusty): status: New → Confirmed
Changed in openssl (Ubuntu Precise): importance: Undecided → Medium
Changed in openssl (Ubuntu Trusty): importance: Undecided → Medium
Changed in openssl (Ubuntu Precise): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Trusty): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu): status: New → Fix Released
This bug was fixed in the package openssl - 1.0.1-4ubuntu5.35
---------------
openssl (1.0.1-4ubuntu5.35) precise-security; urgency=medium

  * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
      crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
    - CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
    - debian/patches/CVE-2016-0705.patch: fix double-free in
      crypto/dsa/dsa_ameth.c.
    - CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    - debian/patches/CVE-2016-0797.patch: prevent overflow in
      crypto/bn/bn_print.c, crypto/bn/bn.h.
    - CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
    - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
      introduce new SRP_VBASE_get1_by_user function that handled seed
      properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
      util/libeay.num, openssl.ld.
    - CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
    - debian/patches/CVE-2016-0799.patch: prevent overflow in
      crypto/bio/b_print.c.
    - CVE-2016-0799
  * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
    digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
    (LP: #1550643)

 -- Marc Deslauriers <email address hidden>  Mon, 29 Feb 2016 08:01:48 -0500