* Truly scary SSL 3.0 vuln to be revealed soon:
@ 2014-10-15 6:48 Sona Sarmadi
2014-10-15 10:07 ` Burton, Ross
0 siblings, 1 reply; 10+ messages in thread
From: Sona Sarmadi @ 2014-10-15 6:48 UTC (permalink / raw)
To: Mark Hatle, Khem Raj, Saul Wold (sgw@linux.intel.com),
Burton, Ross <ross.burton@intel.com> (ross.burton@intel.com)
Cc: 'yocto@yoctoproject.org',
'openembedded-core@lists.openembedded.org'
Hi guys,
Yesterday The Register published this:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
and today following was published:
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html
The advice is: Disable SSLv3.
I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we can start to work with this immediately.
It would be good to sync the work like we did with the "shellshock" at the end :) .
Cheers
Sona
Sona Sarmadi
Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071 4475
Mobile: +46 70 971 4475
sona.sarmadi@enea.com
www.enea.com
This message, including attachments, is CONFIDENTIAL. It may also be privileged or otherwise protected by law. If you received this email by mistake please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone.
> -----Original Message-----
> From: Sona Sarmadi
> Sent: den 14 oktober 2014 16:39
> To: openembedded-core@lists.openembedded.org
> Cc: yocto@yoctoproject.org
> Subject: FW: [oss-security] Truly scary SSL 3.0 vuln to be revealed soon:
>
> Hi all,
>
> It seems that another vulnerability is coming soon, the advice is disable
> SSLv3.:
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_dr
> op_tomorrow/
>
>
> From Hanno Böck [hanno@hboeck.de]:
> ============================================
> Whether it's scary or not I have an advice for you: Disable SSLv3.
>
> It causes a lot of headache already. I once had to debug a rather subtle issue
> in combination with SNI.
> The problem: Browsers downgrade out of protocol to SSLv3 if they can't
> connect via TLS. They do this in order to support broken server
> implementations. However this downgrade can also be triggered by bad or
> slow internet connections - and then you'll loose SNI. So sometimes your
> visitors will get the wrong certificate presented.
> I solved this for my servers by disabling SSLv3. It was a minor problem when I
> did this but it is almost no problem today.
>
> You will lock out IE6 users on Windows XP. However even people who use
> Windows XP+IE and installed their updates have TLS 1.0 support.
> I also encountered a small number of people who had manually disabled TLS
> 1.0 in firefox for unknown reasons. However this was a few years ago.
> Current Firefox versions make it harder to do this. I assume the reason was
> that they thought "v3 sound newer than v1.0".
>
> A number of people already recommend disabling SSLv3, e.g. the Qualys
> configuration guide. Disable it now - no matter if the rumors about a serious
> vuln are true, you'll be safe.
>
> BR - Sona
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 6:48 Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi
@ 2014-10-15 10:07 ` Burton, Ross
2014-10-15 14:22 ` Bryan Evenson
2014-10-15 15:31 ` Burton, Ross
0 siblings, 2 replies; 10+ messages in thread
From: Burton, Ross @ 2014-10-15 10:07 UTC (permalink / raw)
To: Sona Sarmadi
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
On 15 October 2014 07:48, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> The advice is: Disable SSLv3.
>
> I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we can start to work with this immediately.
Presumably the list of affected packages is:
- gnutls
- openssl
- nss
Are there more? Will ENEA be able to send patches to these packages?
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 10:07 ` Burton, Ross
@ 2014-10-15 14:22 ` Bryan Evenson
2014-10-15 15:31 ` Burton, Ross
1 sibling, 0 replies; 10+ messages in thread
From: Bryan Evenson @ 2014-10-15 14:22 UTC (permalink / raw)
To: Burton, Ross, Sona Sarmadi
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
Ross,
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf
> Of Burton, Ross
> Sent: Wednesday, October 15, 2014 6:07 AM
> To: Sona Sarmadi
> Cc: yocto@yoctoproject.org; openembedded-
> core@lists.openembedded.org
> Subject: Re: [OE-core] Truly scary SSL 3.0 vuln to be revealed soon:
>
> On 15 October 2014 07:48, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> > The advice is: Disable SSLv3.
> >
> > I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we
> can start to work with this immediately.
>
> Presumably the list of affected packages is:
> - gnutls
> - openssl
> - nss
>
> Are there more? Will ENEA be able to send patches to these packages?
>
I did a few quick searches of recipe names and descriptions on the meta-openembedded and poky (which includes oe-core) layers for SSL and TLS relation. The searches I used from the poky directory were:
find meta* -name "*ssl*.bb"
find meta* -name "*tls*.bb"
grep -nrE '(ssl|SSL|tls|TLS)' meta* | grep -vE '(DSSSL|dsssl|[Ll]ossless)' | grep '\.bb:'
Then ignoring packages that expressly disable SSL, here's what I found for other packages to evaluate:
python-pyopenssl
socat
curl
libsoup
packagegroup-toolset-native
packagegroup-core-basic
packagegroup-core-lsb
ltp
mailx
libarchive
iputils
msmtp
webkit-gtk
packagegroup-self-hosted
eglibc
glib-networking
x11vnc
bind
telepathy-idle
openssh
valgrind
tcf-agent
python-native
python
rpm
neon
nostromo
cherokee
apache2
ajenti
net-snmp
claws-mail
sylpheed
libimobiledevice
loudmouth
hostap-daemon
gateone
libtorrent
krb5
networkmanager
nodejs4
nodejs
libc-client
python-twisted
python-m2crypto
links
links-x11
openldap
gsoap
mbuffer
cryptsetup
iksemel
strongswan
ca-certificates
libetpan
cyrus-sasl
vsftpd
accel-ppp
openvpn
znc
azy
midori
oscam
tvheadend
Almost all the packages require openssl or gnutls, so patching openssl and gnutls may be sufficient for most of these packages. I'm still working with the dylan branch. If any new packages have been added since then I may have missed them. I'm not sure how dropbear does its encryption, so that may be one to look at also.
Regards,
Bryan Evenson
> Ross
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 10:07 ` Burton, Ross
2014-10-15 14:22 ` Bryan Evenson
@ 2014-10-15 15:31 ` Burton, Ross
2014-10-16 11:04 ` Sona Sarmadi
` (2 more replies)
1 sibling, 3 replies; 10+ messages in thread
From: Burton, Ross @ 2014-10-15 15:31 UTC (permalink / raw)
To: Sona Sarmadi
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
On 15 October 2014 11:07, Burton, Ross <ross.burton@intel.com> wrote:
> Presumably the list of affected packages is:
> - gnutls
> - openssl
> - nss
There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
"disabling SSLv3 didn't work"...). I think considering the situation
we'd take the upgrade for dizzy, even though we've frozen. Anyone
volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
the relevant patches to the previous releases? (eg daisy is on
1.0.1g).
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 15:31 ` Burton, Ross
@ 2014-10-16 11:04 ` Sona Sarmadi
2014-10-16 16:09 ` Sona Sarmadi
2014-10-16 16:45 ` Burton, Ross
2 siblings, 0 replies; 10+ messages in thread
From: Sona Sarmadi @ 2014-10-16 11:04 UTC (permalink / raw)
To: Burton, Ross
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
Hi Ross
> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling
> SSLv3 didn't work"...). I think considering the situation we'd take the
> upgrade for dizzy, even though we've frozen. Anyone volunteering to take
> lead of upgrading dizzy to 1.0.1j and backporting the relevant patches to the
> previous releases? (eg daisy is on 1.0.1g).
>
> Ross
Sorry, I missed this, I am preparing patches for daisy. I have sent two patches to OE-core list for daisy and I will sent two more. Does those two patches look ok?
I have built core-image-minimal for qemuarm and booted. I haven't done more tests to verify the fixes. I will search and see if I can find suitable tests so we can run proper tests at the end after applying all patches.
-- Sona
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 15:31 ` Burton, Ross
2014-10-16 11:04 ` Sona Sarmadi
@ 2014-10-16 16:09 ` Sona Sarmadi
2014-10-16 16:15 ` Burton, Ross
2014-10-16 16:45 ` Burton, Ross
2 siblings, 1 reply; 10+ messages in thread
From: Sona Sarmadi @ 2014-10-16 16:09 UTC (permalink / raw)
To: Burton, Ross, Catalin Popeanga
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
Ross,
> > Presumably the list of affected packages is:
> > - gnutls
> > - openssl
> > - nss
>
> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including "disabling
> SSLv3 didn't work"...). I think considering the situation we'd take the
> upgrade for dizzy, even though we've frozen. Anyone volunteering to take
> lead of upgrading dizzy to 1.0.1j and backporting the relevant patches to the
> previous releases? (eg daisy is on 1.0.1g).
>
> Ross
Do you know if gnutls implements the SSLv3 protocol? I don't see any new security updates for gnutls (related to the SSLv3 vulnerability) ?
/Sona
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-15 15:31 ` Burton, Ross
2014-10-16 11:04 ` Sona Sarmadi
2014-10-16 16:09 ` Sona Sarmadi
@ 2014-10-16 16:45 ` Burton, Ross
2014-10-16 18:27 ` Otavio Salvador
2 siblings, 1 reply; 10+ messages in thread
From: Burton, Ross @ 2014-10-16 16:45 UTC (permalink / raw)
To: Sona Sarmadi
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
On 15 October 2014 16:31, Burton, Ross <ross.burton@intel.com> wrote:
> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
> "disabling SSLv3 didn't work"...). I think considering the situation
> we'd take the upgrade for dizzy, even though we've frozen. Anyone
> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
> the relevant patches to the previous releases? (eg daisy is on
> 1.0.1g).
For anyone else interested, I've currently got 1.0.1j patches for
dizzy in testing. There's been debate over whether we backport the
fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
growing...
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-16 16:45 ` Burton, Ross
@ 2014-10-16 18:27 ` Otavio Salvador
2014-10-16 18:38 ` [yocto] " akuster808
0 siblings, 1 reply; 10+ messages in thread
From: Otavio Salvador @ 2014-10-16 18:27 UTC (permalink / raw)
To: Burton, Ross
Cc: openembedded-core@lists.openembedded.org, yocto@yoctoproject.org
On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton@intel.com> wrote:
> On 15 October 2014 16:31, Burton, Ross <ross.burton@intel.com> wrote:
>> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>> "disabling SSLv3 didn't work"...). I think considering the situation
>> we'd take the upgrade for dizzy, even though we've frozen. Anyone
>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>> the relevant patches to the previous releases? (eg daisy is on
>> 1.0.1g).
>
> For anyone else interested, I've currently got 1.0.1j patches for
> dizzy in testing. There's been debate over whether we backport the
> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
> growing...
I think the upgrade is the way to go. We are likely to break 1.0.1g
someday during backporting of security fixes.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [yocto] Truly scary SSL 3.0 vuln to be revealed soon:
2014-10-16 18:27 ` Otavio Salvador
@ 2014-10-16 18:38 ` akuster808
0 siblings, 0 replies; 10+ messages in thread
From: akuster808 @ 2014-10-16 18:38 UTC (permalink / raw)
To: Otavio Salvador, Burton, Ross
Cc: yocto@yoctoproject.org, openembedded-core@lists.openembedded.org
On 10/16/2014 11:27 AM, Otavio Salvador wrote:
> On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.burton@intel.com> wrote:
>> On 15 October 2014 16:31, Burton, Ross <ross.burton@intel.com> wrote:
>>> There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
>>> "disabling SSLv3 didn't work"...). I think considering the situation
>>> we'd take the upgrade for dizzy, even though we've frozen. Anyone
>>> volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
>>> the relevant patches to the previous releases? (eg daisy is on
>>> 1.0.1g).
>>
>> For anyone else interested, I've currently got 1.0.1j patches for
>> dizzy in testing. There's been debate over whether we backport the
>> fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
>> growing...
>
> I think the upgrade is the way to go. We are likely to break 1.0.1g
> someday during backporting of security fixes.
>
In this case I would agree. Updating daisy makes sense as we are only
dealing with a minor version update.
- Armin
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-10-16 18:38 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-15 6:48 Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi
2014-10-15 10:07 ` Burton, Ross
2014-10-15 14:22 ` Bryan Evenson
2014-10-15 15:31 ` Burton, Ross
2014-10-16 11:04 ` Sona Sarmadi
2014-10-16 16:09 ` Sona Sarmadi
2014-10-16 16:15 ` Burton, Ross
2014-10-16 16:45 ` Burton, Ross
2014-10-16 18:27 ` Otavio Salvador
2014-10-16 18:38 ` [yocto] " akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox