Thanks Joseph.

2020-05-08
chunhui.jia

From: Joseph Reynolds
Sent: 2020-05-08 00:54
Subject: Re: openssl upgrade CVE-2020-1967
To: "chunhui.jia", "Brad Bishop"
Cc: "Bills, Jason M", "Vernon Mauery", "openbmc@lists.ozlabs.org", "James Feist"

On 5/7/20 2:43 AM, chunhui.jia wrote:
> Brad,
> There is a CVE reported in OpenSSL 1.1.1d (used by current OpenBMC).
> Severity is high.
>
> CVE-2020-1967
> https://nvd.nist.gov/vuln/detail/CVE-2020-1967
> Server or client applications that call the SSL_check_chain() function
> during or after a TLS 1.3 handshake may crash due to a NULL pointer
> dereference as a result of incorrect handling of the
> "signature_algorithms_cert" TLS extension. The crash occurs if an
> invalid or unrecognised signature algorithm is received from the peer.
> This could be exploited by a malicious peer in a Denial of Service
> attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by
> this issue. This issue did not affect OpenSSL versions prior to
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
>

Thanks for reporting this.

According to OpenBMC network security considerations [1], SSL (and specifically OpenSSL) is used in two places: the dropbear SSH server [2] and the BMCWeb HTTPS server [3]. I don't see any references to the defective function (SSL_check_chain) in those code bases or in any other OpenBMC code. I've CC'd the BMCWeb maintainers to help check this. If that is all true, OpenBMC is not affected.

I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release [4], which does use OpenSSL 1.1.1g [5].

- Joseph

[1]: https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[2]: https://github.com/mkj/dropbear
[3]: https://github.com/openbmc/bmcweb
[4]: https://wiki.yoctoproject.org/wiki/Releases
[5]: https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl?h=dunfell

> It is fixed in 1.1.1g. The upstream recipe already points openssl to the
> latest version (1.1.1g).
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> Will you update the poky subtree to the latest?
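The triage Joseph describes has two independent conditions: the linked OpenSSL must be one of 1.1.1d, 1.1.1e or 1.1.1f, and the application must actually call SSL_check_chain(). The script below is an added example (not code from the OpenBMC project or from anyone in this thread) that encodes both checks so they can be rerun against a source tree after a recipe bump. The function names, the sample source tree it builds under mktemp, and the assumption that a plain source grep for the call site is sufficient are all mine; a library that wraps OpenSSL and is linked as a binary would not be seen by the grep.

```shell
#!/bin/sh
# Added example, not OpenBMC code. Reproduces the CVE-2020-1967 triage from the
# thread: exposure requires an affected OpenSSL AND a call to SSL_check_chain().

# Return 0 when the OpenSSL version string is in the affected range.
# The NVD text above names exactly 1.1.1d, 1.1.1e and 1.1.1f; 1.1.1g is fixed.
openssl_affected() {
    case "$1" in
        1.1.1d|1.1.1e|1.1.1f) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the bare version of an openssl binary, e.g. "1.1.1g".
# "openssl version" prints "OpenSSL 1.1.1g  21 Apr 2020"; field 2 is the version.
openssl_version_of() {
    "$1" version 2>/dev/null | awk '{print $2}'
}

# Return 0 when any C/C++ source below the directory contains a call to
# SSL_check_chain(. A source grep is the same check Joseph describes doing by
# hand; it does not see calls inside prebuilt third-party libraries.
references_check_chain() {
    grep -rIl \
        --include='*.c' --include='*.cc' --include='*.cpp' \
        --include='*.h' --include='*.hpp' \
        'SSL_check_chain[[:space:]]*(' "$1" >/dev/null 2>&1
}

# Combined verdict: 0 = exposed (affected library and a call site present),
# 1 = not exposed. The reason is printed for the reader.
cve_2020_1967_exposed() {
    ver="$1"
    srcdir="$2"
    if ! openssl_affected "$ver"; then
        echo "OpenSSL $ver is outside 1.1.1d-1.1.1f: not affected"
        return 1
    fi
    if ! references_check_chain "$srcdir"; then
        echo "OpenSSL $ver is affected, but no SSL_check_chain() call site under $srcdir"
        return 1
    fi
    echo "EXPOSED: OpenSSL $ver with an SSL_check_chain() call site under $srcdir"
    return 0
}

# Constructed sample tree (hypothetical files, not real OpenBMC sources) so the
# script runs offline: one component never calls the function, one does.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bmcweb" "$d/tls_client"
    printf '%s\n' '// handshake only, no chain check' \
        'int f(SSL *s) { return SSL_do_handshake(s); }' > "$d/bmcweb/a.cpp"
    printf '%s\n' '#include <openssl/ssl.h>' \
        'int g(SSL *s) { return SSL_check_chain(s, NULL, NULL, NULL); }' > "$d/tls_client/b.c"
    echo "$d"
}

# Stand-alone run: triage both sample components against the affected and fixed
# versions, then clean up.
if [ "${SAMPLE_DEMO:-1}" = "1" ]; then
    tree=$(make_sample_tree)
    cve_2020_1967_exposed 1.1.1d "$tree/bmcweb"
    cve_2020_1967_exposed 1.1.1d "$tree/tls_client"
    cve_2020_1967_exposed 1.1.1g "$tree/tls_client"
    rm -rf "$tree"
fi
```

On a real image the version should come from the binary that is actually shipped, for example `openssl_version_of /usr/bin/openssl` run inside the rootfs, rather than from the recipe file name, since the recipe can be bumped before the image is rebuilt.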