FS#67858 - [security] [openssl-1.0] CVE-2020-1968
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Wednesday, 09 September 2020, 19:21 GMT
Last edited by Toolybird (Toolybird) - Monday, 20 March 2023, 18:47 GMT
Details
Description:
A Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection.
Additional info:
* openssl-1.0 1.0.2.u-1
* https://www.openssl.org/news/secadv/20200909.txt
Closed by Toolybird (Toolybird)
Monday, 20 March 2023, 18:47 GMT
Reason for closing: Won't fix
Additional comments about closing: @TrialnError says "In december 2022 the package in question was dropped to AUR"
https://aur.archlinux.org/packages/openssl-1.0#comment-906951
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL assigned the issue CVE-2020-1968. OpenSSL does use fresh DH keys per default since version 1.0.2f (which made SSL_OP_SINGLE_DH_USE default as a response to CVE-2016-0701). Therefore, the attack mainly affects OpenSSL 1.0.2 when a DH certificate is in use, which is rare. OpenSSL 1.1.1 never reuses a DH secret and does not implement any "static" DH ciphersuites. To mitigate the attack, the developers moved all remaining DH cipher suites into the "weak-ssl-ciphers" list. In addition, motivated by this research, the developers also activated the fresh generation of EC ephemeral keys in OpenSSL 1.0.2w. Please refer to the OpenSSL Security Advisory.
Although [2] states: Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.
The patch disables ECDH and DH by marking them as weak. Anonymous DH, DHE and ECDHE are not changed.
[1] https://raccoon-attack.com/
[2] https://www.openssl.org/news/vulnerabilities.html
https://security-tracker.debian.org/tracker/CVE-2020-1968
https://bugzilla.redhat.com/show_bug.cgi?id=1877458
https://bugzilla.opensuse.org/show_bug.cgi?id=1176331
Mark-3DES-and-RC4-ciphers-as-... (8.9 KiB)
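As an added example (not part of this bug report or of OpenSSL's own code), a small Python audit that parses `openssl ciphers -v` output and separates the static DH/ECDH suites the patch moves into the weak-ssl-ciphers list from the DHE/ECDHE/anonymous suites it leaves unchanged. The sample output is constructed in the 1.0.2 column format; `live_check` assumes an `openssl` binary on PATH.

```python
"""Classify cipher suites by key-exchange type from `openssl ciphers -v` output."""
import re
import subprocess

# Constructed sample in the `openssl ciphers -v` column format of OpenSSL 1.0.2.
# Static DH/ECDH suites (Kx=DH/RSA, Kx=ECDH/RSA) only exist in the 1.0.2 branch;
# 1.1.1 never implemented them.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def classify_kx(kx: str, au: str) -> str:
    """Map the Kx/Au columns onto the distinction the CVE-2020-1968 patch draws.

    static    - Kx=DH/<cert> or Kx=ECDH/<cert>: the DH key comes from a DH
                certificate and is reused across connections; these suites
                are the ones the patch moves into the weak-ssl-ciphers list.
    anonymous - Kx=DH/ECDH with Au=None (ADH/AECDH); left unchanged.
    ephemeral - Kx=DH/ECDH with a signing Au (DHE/ECDHE); left unchanged,
                since 1.0.2f+ makes a fresh key per handshake (SSL_OP_SINGLE_DH_USE).
    other     - RSA key transport, PSK, SRP and so on.
    """
    if kx.startswith(("DH/", "ECDH/")):
        return "static"
    if kx in ("DH", "ECDH"):
        return "anonymous" if au == "None" else "ephemeral"
    return "other"


def classify_suites(text: str) -> dict:
    """Parse `openssl ciphers -v` output into {suite name: class}."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m["name"]] = classify_kx(m["kx"], m["au"])
    return result


def static_dh_suites(text: str) -> list:
    """Static DH/ECDH suites still compiled in; empty on a patched default build."""
    return sorted(n for n, c in classify_suites(text).items() if c == "static")


def live_check(cipher_string: str = "ALL:COMPLEMENTOFALL") -> list:
    """Ask the local openssl binary which static DH/ECDH suites it still offers."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return static_dh_suites(out)
```

On an unpatched 1.0.2u build `live_check()` lists the DH-*/ECDH-* suites; after the patch they are absent unless the library was configured with enable-weak-ssl-ciphers.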
[1] http://security.debian.org/debian-security/pool/updates/main/o/openssl1.0/openssl1.0_1.0.2u-1~deb9u4.debian.tar.xz
Additionally, OpenSSL 1.0.2 is affected by the older CVE-2021-23839 as well; the official patch is https://github.com/openssl/openssl/commit/30919ab80a478f2d81f2e9acdcca3fa4740cd547
How is openssl-1.0 1.0.2.u-1 vulnerable to CVE-2021-23839 when it is not built with SSLv2 support?
Attached diff switches to using the github official mirror of openssl to fetch the 1.0.2za signed tag.
Also changes perl to optdepends matching the change in openssl.
nrpe FS#71307 and wvstreams FS#70648 can use openssl (1.1), leaving steam-native-runtime as the only user of openssl-1.0/lib32-openssl-1.0?
This should indeed fix all known vulnerabilities to date. Unfortunately the commit for the 1.0.2za release you referred to (e197135eee4164c33146dad7b96f0d71b8844deb) seems to have been deleted from the repository again, at least I wasn't able to find it right now. It might have been published in error, since OpenSSL 1.0.2 releases are usually not publicly available.
> How is openssl-1.0 1.0.2.u-1 vulnerable to CVE-2021-23839 when it is not built with SSLv2 support?
According to the commit message of the patch: "This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted." I'm not sure how applicable that is to our repository packages, but applying the patch probably doesn't hurt either, so if in doubt I'd add it just to be safe.
openssl-1.0.2.-commits-CVEs.txt lists the commits between OpenSSL_1_0_2u and OpenSSL_1_0_2za then maps the commits to CVEs after removing commits for updating NEWS / CHANGES or version.
PKGBUILD.diff applies those commits; the commits are taken from github to avoid including the cgit version.
As well as the CVEs this also includes two security fixes that did not match CVE criteria, 'Implement blinding for EC scalar multiplication' and 'Ensure SRP BN_mod_exp follows the constant time path'.
Also change perl to makedepends to match the openssl package; not added to optdepends as no perl-using scripts are installed by openssl-1.0.
PKGBUILD.diff (7.9 KiB)