Re: [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Denys Dmytriyenko <denis@denix.org>
To: akuster <akuster@mvista.com>
Cc: openembedded-devel@lists.openembedded.org,
	openembedded-core@lists.openembedded.org
Subject: Re: [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800
Date: Fri, 04 Mar 2016 11:51:16 -0500	[thread overview]
Message-ID: <20160304165116.GE13743@denix.org> (raw)
In-Reply-To: <56D9BBC9.6010707@mvista.com>

On Fri, Mar 04, 2016 at 08:46:01AM -0800, akuster wrote:
> 
> 
> On 03/04/2016 07:39 AM, Denys Dmytriyenko wrote:
> > On Tue, Mar 01, 2016 at 11:37:21PM -0800, Armin Kuster wrote:
> >> From: Armin Kuster <akuster@mvista.com>
> >>
> >> CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
> >>
> >> https://www.openssl.org/news/secadv/20160301.txt
> >>
> >> Signed-off-by: Armin Kuster <akuster@mvista.com>
> >> ---
> >>  .../openssl/openssl/CVE-2016-0800.patch            | 198 +++++++
> >>  .../openssl/openssl/CVE-2016-0800_2.patch          | 592 +++++++++++++++++++++
> >>  .../openssl/openssl/CVE-2016-0800_3.patch          | 503 +++++++++++++++++
> >>  .../recipes-connectivity/openssl/openssl_1.0.2d.bb |   3 +
> >>  4 files changed, 1296 insertions(+)
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
> >>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
> >>
> >> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> new file mode 100644
> >> index 0000000..e5635fe
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
> >> @@ -0,0 +1,198 @@
> >> +From 9dfd2be8a1761fffd152a92d8f1b356ad667eea7 Mon Sep 17 00:00:00 2001
> >> +From: Viktor Dukhovni <openssl-users@dukhovni.org>
> >> +Date: Wed, 17 Feb 2016 21:07:48 -0500
> >> +Subject: [PATCH] Disable SSLv2 default build, default negotiation and weak
> >> + ciphers.
> >> +MIME-Version: 1.0
> >> +Content-Type: text/plain; charset=UTF-8
> >> +Content-Transfer-Encoding: 8bit
> >> +
> >> +SSLv2 is by default disabled at build-time.  Builds that are not
> >> +configured with "enable-ssl2" will not support SSLv2.  Even if
> >> +"enable-ssl2" is used, users who want to negotiate SSLv2 via the
> >> +version-flexible SSLv23_method() will need to explicitly call either
> >> +of:
> >> +
> >> +    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
> >> +or
> >> +    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
> >> +
> >> +as appropriate.  Even if either of those is used, or the application
> >> +explicitly uses the version-specific SSLv2_method() or its client
> >> +or server variants, SSLv2 ciphers vulnerable to exhaustive search
> >> +key recovery have been removed.  Specifically, the SSLv2 40-bit
> >> +EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
> >> +
> >> +Mitigation for CVE-2016-0800
> > 
> > So, this CVE is all nice and good, but it breaks things and other OE recipes.
> > 
> > For starters, python-m2crypto and crda from meta-openembedded:
> > 
> > ERROR: Failed to import the "M2Crypto" module: .../usr/lib/python2.7/site-packages/M2Crypto/__m2crypto.so: undefined symbol: SSLv2_method
> 
> well we built that internally and it pass because we are using the one
> from meta-virt. its a newer version (0.22.3) than the one in meta-python
> (0.21.1).
> 
> working on the one in meta-python.

Ah, thanks! So, what would be the approach to fix it in meta-python? Would 
version update be allowed for backport to fido/dizzy? It's rather against the 
policy, but in this case it's broken w/o the update...


> > Are there any plans to go and ensure that other recipes using SSLv2 are not 
> > broken now?
> 
> yes, as I find time and not _all_ meta layers.
> 
> thanks for letting me know. it will make this task go by faster.

I'll let you know if anything else is broken :)

-- 
Denys

next prev parent reply	other threads:[~2016-03-04 16:51 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-02  7:37 [jethro][fido][PATCH] openssl: Security fix CVE-2016-0800 Armin Kuster
2016-03-04 15:39 ` Denys Dmytriyenko
     [not found]   ` <56D9BBC9.6010707@mvista.com>
2016-03-04 16:51     ` Denys Dmytriyenko [this message]
2016-03-04 17:02       ` [oe] " Mark Hatle
2016-03-04 18:33         ` Denys Dmytriyenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160304165116.GE13743@denix.org \
    --to=denis@denix.org \
    --cc=akuster@mvista.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=openembedded-devel@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox