Re: [OE-core] [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Denys Dmytriyenko <denis@denix.org>
To: akuster <akuster@mvista.com>
Cc: openembedded-devel@lists.openembedded.org,
	openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800
Date: Fri, 04 Mar 2016 11:51:16 -0500	[thread overview]
Message-ID: <20160304165116.GE13743@denix.org> (raw)
In-Reply-To: <56D9BBC9.6010707@mvista.com>

On Fri, Mar 04, 2016 at 08:46:01AM -0800, akuster wrote:
> 
> 
> On 03/04/2016 07:39 AM, Denys Dmytriyenko wrote:
> > On Tue, Mar 01, 2016 at 11:37:21PM -0800, Armin Kuster wrote:
> >> From: Armin Kuster <akuster@mvista.com>
> >>
> >> CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
> >>
> >> https://www.openssl.org/news/secadv/20160301.txt
> >>
> >> Signed-off-by: Armin Kuster <akuster@mvista.com>
> >> ---
> >>  .../openssl/openssl/CVE-2016-0800.patch            | 198 +++++++
> >>  .../openssl/openssl/CVE-2016-0800_2.patch          | 592 +++++++++++++++++++++
> >>  .../openssl/openssl/CVE-2016-0800_3.patch          | 503 +++++++++++++++++
> >>  .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   3 +
> >>  4 files changed, 1296 insertions(+)
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
> >>
> >> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> new file mode 100644
> >> index 0000000..e5635fe
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> @@ -0,0 +1,198 @@
> >> +From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
> >> +From: Viktor Dukhovni <openssl-users@dukhovni.org>
> >> +Date: Wed, 17 Feb 2016 21:07:48 -0500
> >> +Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
> >> + ciphers.
> >> +MIME-Version: 1.0
> >> +Content-Type: text/plain; charset=UTF-8
> >> +Content-Transfer-Encoding: 8bit
> >> +
> >> +SSLv2 is by default disabled at build-time.  Builds that are not
> >> +configured with "enable-ssl2" will not support SSLv2.  Even if
> >> +"enable-ssl2" is used, users who want to negotiate SSLv2 via the
> >> +version-flexible SSLv23_method() will need to explicitly call either
> >> +of:
> >> +
> >> +    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
> >> +or
> >> +    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
> >> +
> >> +as appropriate.  Even if either of those is used, or the application
> >> +explicitly uses the version-specific SSLv2_method() or its client
> >> +or server variants, SSLv2 ciphers vulnerable to exhaustive search
> >> +key recovery have been removed.  Specifically, the SSLv2 40-bit
> >> +EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
> >> +
> >> +Mitigation for CVE-2016-0800
> > 
> > So, this CVE is all nice and good, but it breaks things and other OE recipes.
> > 
> > For starters, python-m2crypto and crda from meta-openembedded:
> > 
> > ERROR: Failed to import the "M2Crypto" module: .../usr/lib/python2.7/site-packages/M2Crypto/__m2crypto.so: undefined symbol: SSLv2_method
> 
> well we built that internally and it pass because we are using the one
> from meta-virt. its a newer version (0.22.3) than the one in meta-python
> (0.21.1).
> 
> working on the one in meta-python.

Ah, thanks! So, what would be the approach to fix it in meta-python? Would 
version update be allowed for backport to fido/dizzy? It's rather against the 
policy, but in this case it's broken w/o the update...


> > Are there any plans to go and ensure that other recipes using SSLv2 are not 
> > broken now?
> 
> yes, as I find time and not _all_ meta layers.
> 
> thanks for letting me know. it will make this task go by faster.

I'll let you know if anything else is broken :)

-- 
Denys

WARNING: multiple messages have this Message-ID (diff)

From: Denys Dmytriyenko <denis@denix.org>
To: akuster <akuster@mvista.com>
Cc: openembedded-devel@lists.openembedded.org,
	openembedded-core@lists.openembedded.org
Subject: Re: [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800
Date: Fri, 04 Mar 2016 11:51:16 -0500	[thread overview]
Message-ID: <20160304165116.GE13743@denix.org> (raw)
In-Reply-To: <56D9BBC9.6010707@mvista.com>

On Fri, Mar 04, 2016 at 08:46:01AM -0800, akuster wrote:
> 
> 
> On 03/04/2016 07:39 AM, Denys Dmytriyenko wrote:
> > On Tue, Mar 01, 2016 at 11:37:21PM -0800, Armin Kuster wrote:
> >> From: Armin Kuster <akuster@mvista.com>
> >>
> >> CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
> >>
> >> https://www.openssl.org/news/secadv/20160301.txt
> >>
> >> Signed-off-by: Armin Kuster <akuster@mvista.com>
> >> ---
> >>  .../openssl/openssl/CVE-2016-0800.patch            | 198 +++++++
> >>  .../openssl/openssl/CVE-2016-0800_2.patch          | 592 +++++++++++++++++++++
> >>  .../openssl/openssl/CVE-2016-0800_3.patch          | 503 +++++++++++++++++
> >>  .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   3 +
> >>  4 files changed, 1296 insertions(+)
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
> >>
> >> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> new file mode 100644
> >> index 0000000..e5635fe
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> @@ -0,0 +1,198 @@
> >> +From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
> >> +From: Viktor Dukhovni <openssl-users@dukhovni.org>
> >> +Date: Wed, 17 Feb 2016 21:07:48 -0500
> >> +Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
> >> + ciphers.
> >> +MIME-Version: 1.0
> >> +Content-Type: text/plain; charset=UTF-8
> >> +Content-Transfer-Encoding: 8bit
> >> +
> >> +SSLv2 is by default disabled at build-time.  Builds that are not
> >> +configured with "enable-ssl2" will not support SSLv2.  Even if
> >> +"enable-ssl2" is used, users who want to negotiate SSLv2 via the
> >> +version-flexible SSLv23_method() will need to explicitly call either
> >> +of:
> >> +
> >> +    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
> >> +or
> >> +    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
> >> +
> >> +as appropriate.  Even if either of those is used, or the application
> >> +explicitly uses the version-specific SSLv2_method() or its client
> >> +or server variants, SSLv2 ciphers vulnerable to exhaustive search
> >> +key recovery have been removed.  Specifically, the SSLv2 40-bit
> >> +EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
> >> +
> >> +Mitigation for CVE-2016-0800
> > 
> > So, this CVE is all nice and good, but it breaks things and other OE recipes.
> > 
> > For starters, python-m2crypto and crda from meta-openembedded:
> > 
> > ERROR: Failed to import the "M2Crypto" module: .../usr/lib/python2.7/site-packages/M2Crypto/__m2crypto.so: undefined symbol: SSLv2_method
> 
> well we built that internally and it pass because we are using the one
> from meta-virt. its a newer version (0.22.3) than the one in meta-python
> (0.21.1).
> 
> working on the one in meta-python.

Ah, thanks! So, what would be the approach to fix it in meta-python? Would 
version update be allowed for backport to fido/dizzy? It's rather against the 
policy, but in this case it's broken w/o the update...


> > Are there any plans to go and ensure that other recipes using SSLv2 are not 
> > broken now?
> 
> yes, as I find time and not _all_ meta layers.
> 
> thanks for letting me know. it will make this task go by faster.

I'll let you know if anything else is broken :)

-- 
Denys

next prev parent reply	other threads:[~2016-03-04 16:51 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-02  7:37 [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800 Armin Kuster
2016-03-04 15:39 ` [OE-core] " Denys Dmytriyenko
2016-03-04 15:39   ` Denys Dmytriyenko
     [not found]   ` <56D9BBC9.6010707@mvista.com>
2016-03-04 16:51     ` Denys Dmytriyenko [this message]
2016-03-04 16:51       ` Denys Dmytriyenko
2016-03-04 17:02       ` [OE-core] " Mark Hatle
2016-03-04 17:02         ` [oe] " Mark Hatle
2016-03-04 18:33         ` [OE-core] " Denys Dmytriyenko
2016-03-04 18:33           ` [oe] " Denys Dmytriyenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160304165116.GE13743@denix.org \
    --to=denis@denix.org \
    --cc=akuster@mvista.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=openembedded-devel@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.