Debian Bug report logs - #555829
openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

Reported by: "Enrique D. Bosch" <presidev@googlemail.com>

Date: Wed, 11 Nov 2009 22:21:02 UTC

Severity: grave

Tags: security

Found in versions 0.9.8g-15+lenny5, openssl/0.9.8g-15

Fixed in version openssl/0.9.8k-6

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#555829; Package openssl. (Wed, 11 Nov 2009 22:21:05 GMT)

Acknowledgement sent to "Enrique D. Bosch" <presidev@googlemail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 11 Nov 2009 22:21:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Enrique D. Bosch" <presidev@googlemail.com>
To: submit@bugs.debian.org
Subject: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Date: Wed, 11 Nov 2009 23:16:19 +0100 (CET)
Subject: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Package: openssl
Version: 0.9.8g-15+lenny5
Severity: grave

*** Please type your report below this line ***

This is an SSL/TLS protocol vulnerability not specific to openssl.

Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and
previous) is subject to a number of serious man-in-the-middle (MITM) attacks
related to renegotiation.  In general, these problems allow an MITM to
inject an arbitrary amount of chosen plaintext into the beginning of the
application protocol stream, leading to a variety of abuse possibilities.

In particular, practical attacks exist against HTTPS and could affect other
protocols that use SSL/TLS.

Openssl by default accepts renegotiations and there is no option to disable
this. Mainstream openssl 0.9.8l adds this option.

A new RFC draft has been created to address this problem at protocol level so
it's expected further versions of openssl will adopt it.

Possible solutions:
sid: upgrade to openssl 0.9.8l
stable/oldstable: backport a patch from openssl 0.9.8l to stable/oldstable
versions.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable')
Architecture: armel (armv5tejl)

Kernel: Linux 2.6.16.16-arm1
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1) (ignored: LC_ALL set to es_ES)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
hi  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8g-15+lenny5  SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates               20081127   Common CA certificates

-- no debconf information




Added tag(s) security. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Wed, 11 Nov 2009 23:27:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#555829; Package openssl. (Wed, 11 Nov 2009 23:42:52 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 11 Nov 2009 23:42:52 GMT)

Message #12 received at 555829@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: "Enrique D. Bosch" <presidev@googlemail.com>, 555829@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Date: Thu, 12 Nov 2009 00:32:35 +0100

On Wed, Nov 11, 2009 at 11:16:19PM +0100, Enrique D. Bosch wrote:
> 
> In particular, practical attacks exist against HTTPS and could affect other
> protocols that use SSL/TLS.

It's my understanding that there is a patch for mod_ssl that
should prevent it and which does not require changes to openssl.
But it probably has just the same problems as the 0.9.8l version.

> Openssl by default accepts renegotiations and there is no option to
> disable this. Mainstream openssl 0.9.8l adds this option.

The changes says:
  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.

So this would mean that it will break some setups.

> A new RFC draft has been created to address this problem at protocol level so
> it's expected further versions of openssl will adopt it.
> 
> Possible solutions:
> sid: upgrade to openssl 0.9.8l

I think I will just use the patch against 0.9.8k.  0.9.8l is just
a patched 0.9.8k with some junk added.

> stable/oldstable: backport a patch from openssl 0.9.8l to stable/oldstable
> versions.

I'm not sure uploading that patch to stable/oldstable is a good
idea at the moment, as we have no idea what is going to break.
At least when they have a secure way to renegotiate, both sides
can potentially be upgraded to a new version.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#555829; Package openssl. (Thu, 12 Nov 2009 09:42:07 GMT)

Acknowledgement sent to "Enrique D. Bosch" <presidev@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 12 Nov 2009 09:42:07 GMT)

Message #17 received at 555829@bugs.debian.org:

From: "Enrique D. Bosch" <presidev@googlemail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 555829@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Date: Thu, 12 Nov 2009 10:40:22 +0100 (CET)

On Thu, 12 Nov 2009, Kurt Roeckx wrote:

> The changes says:
>  *) Disable renegotiation completely - this fixes a severe security
>     problem (CVE-2009-3555) at the cost of breaking all
>     renegotiation. Renegotiation can be re-enabled by setting
>     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
>     run-time. This is really not recommended unless you know what
>     you're doing.
>
> So this would mean that it will break some setups.

You're right, but the solution could be to ask the user, during postinstall
package configuration, to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
(and set it by default) explaining briefly the vulnerability. This
wouldn't break anything existing but give the possibility to protect
against the vulnerability.

P.S.: the changelog link of openssl
(http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8g-15+lenny5/changelog)
is not working at the moment.

Regards
Enrique




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#555829; Package openssl. (Thu, 12 Nov 2009 18:03:03 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 12 Nov 2009 18:03:03 GMT)

Message #22 received at 555829@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: "Enrique D. Bosch" <presidev@googlemail.com>
Cc: 555829@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Date: Thu, 12 Nov 2009 18:55:36 +0100

On Thu, Nov 12, 2009 at 10:40:22AM +0100, Enrique D. Bosch wrote:
> On Thu, 12 Nov 2009, Kurt Roeckx wrote:
> 
> >The changes says:
> > *) Disable renegotiation completely - this fixes a severe security
> >    problem (CVE-2009-3555) at the cost of breaking all
> >    renegotiation. Renegotiation can be re-enabled by setting
> >    SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
> >    run-time. This is really not recommended unless you know what
> >    you're doing.
> >
> >So this would mean that it will break some setups.
> 
> You're right, but the solution could be to ask the user, during
> postinstall package configuration, to set
> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (and set it by default)
> explaining briefly the vulnerability. This wouldn't break anything
> existing but give the possibility to protect against the vulnerability.

There is no way to do that with the existing version.  Software
that wants to use that flag needs to be modified to use that flag.


Kurt





Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Thu, 12 Nov 2009 18:51:28 GMT)

Notification sent to "Enrique D. Bosch" <presidev@googlemail.com>:
Bug acknowledged by developer. (Thu, 12 Nov 2009 18:51:28 GMT)

Message #27 received at 555829-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 555829-close@bugs.debian.org
Subject: Bug#555829: fixed in openssl 0.9.8k-6
Date: Thu, 12 Nov 2009 18:48:39 +0000
Source: openssl
Source-Version: 0.9.8k-6

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
  to main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-6_amd64.udeb
libssl-dev_0.9.8k-6_amd64.deb
  to main/o/openssl/libssl-dev_0.9.8k-6_amd64.deb
libssl0.9.8-dbg_0.9.8k-6_amd64.deb
  to main/o/openssl/libssl0.9.8-dbg_0.9.8k-6_amd64.deb
libssl0.9.8_0.9.8k-6_amd64.deb
  to main/o/openssl/libssl0.9.8_0.9.8k-6_amd64.deb
openssl_0.9.8k-6.diff.gz
  to main/o/openssl/openssl_0.9.8k-6.diff.gz
openssl_0.9.8k-6.dsc
  to main/o/openssl/openssl_0.9.8k-6.dsc
openssl_0.9.8k-6_amd64.deb
  to main/o/openssl/openssl_0.9.8k-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 12 Nov 2009 18:10:31 +0000
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8k-6
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 555829
Changes: 
 openssl (0.9.8k-6) unstable; urgency=low
 .
   * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
Package-Type: udeb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#555829; Package openssl. (Fri, 13 Nov 2009 14:42:11 GMT)

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 13 Nov 2009 14:42:11 GMT)

Message #32 received at 555829@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 555829@bugs.debian.org
Cc: "Enrique D. Bosch" <presidev@googlemail.com>
Subject: Re: [Pkg-openssl-devel] Bug#555829: Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Date: Fri, 13 Nov 2009 15:38:34 +0100

On Thursday 12 November 2009, Kurt Roeckx wrote:
> On Wed, Nov 11, 2009 at 11:16:19PM +0100, Enrique D. Bosch wrote:
> > In particular, practical attacks exist against HTTPS and could
> > affect other protocols that use SSL/TLS.
> 
> It's my understanding that there is a patch for mod_ssl that
> should prevent it and which does not require changes to openssl.
> But it probably has just the same problems as the 0.9.8l version.

The mod_ssl patch only rejects renegotiations requested by the client. 
This means with the patch, configurations that don't cause apache to 
request a reneg should be safe. 




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Dec 2009 07:28:24 GMT)

Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2010 00:57:04 GMT)

Bug Marked as found in versions openssl/0.9.8g-15. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Wed, 08 Sep 2010 21:27:14 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:28:36 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:36:15 2014; Machine Name: buxtehude.debian.org