Debian Bug report logs - #589706
SSLv2 should be disabled
Reported by: Kees Cook <kees@debian.org>
Date: Tue, 20 Jul 2010 07:27:41 UTC
Severity: normal
Tags: patch, security
Found in version openssl/0.9.8o-1
Fixed in version openssl/1.0.0c-2
Done: Kurt Roeckx <kurt@roeckx.be>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Tue, 20 Jul 2010 07:27:44 GMT) (full text, mbox, link).
Acknowledgement sent
to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Tue, 20 Jul 2010 07:27:44 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: openssl
Version: 0.9.8o-1
Severity: normal
Tags: patch, security
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch
Since SSLv2 is considered dangerous, it should be removed from OpenSSL. It
hasn't been available in NSS or GnuTLS for a very long time.
This patch implements a form for disabling SSLv2 -- all contexts have
NO_SSL2 set, and the ssl2 method is rejected in SSL_CTX_new (similar to how
FIPS mode works).
Thanks,
-Kees
--
Kees Cook @debian.org
[no-sslv2.debdiff (text/plain, attachment)]
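Kees's patch turns SSLv2 off inside the library; what a defender can still observe afterwards is a client that keeps offering it. As an added example (not part of the bug report or the Debian patch), the following parser recognises the SSLv2 CLIENT-HELLO record format and tells it apart from a TLS handshake record, on constructed sample bytes, so legacy handshake attempts in captured traffic can be flagged; the cipher-kind names are taken from the SSLv2 specification.

```python
import struct

# Cipher-kind codes from the SSLv2 specification (3 bytes each). A code whose
# first byte is 0x00 carries a TLS cipher suite inside a v2-format hello.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_sslv2_client_hello(data: bytes):
    """Return the fields of a well-formed SSLv2 CLIENT-HELLO at the start of data, else None."""
    if len(data) < 11 or not data[0] & 0x80:
        return None                       # no 2-byte SSLv2 record header (high bit set)
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        return None                       # truncated record, or not MSG-CLIENT-HELLO
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        return None                       # declared lengths must cover the record exactly
    specs = body[9:9 + cs_len]
    ciphers = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, cs_len, 3)]
    sid_end = 9 + cs_len + sid_len
    return {"version": (major, minor), "ciphers": ciphers,
            "session_id": body[9 + cs_len:sid_end], "challenge": body[sid_end:]}

def classify_client_flight(data: bytes) -> str:
    """Label the first record a client sent, so legacy SSLv2 attempts can be alerted on."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return f"TLS handshake record, record version 3.{data[2]}"
    hello = parse_sslv2_client_hello(data)
    if hello is None:
        return "not an SSL/TLS handshake"
    if hello["version"] == (0, 2):
        return "SSLv2 CLIENT-HELLO: legacy protocol, should be refused"
    return f"SSLv2-format CLIENT-HELLO advertising {hello['version'][0]}.{hello['version'][1]}"

# Constructed sample: SSLv2 hello offering RC4-128-MD5 and 3DES-MD5 with a 16-byte challenge.
SAMPLE_SSLV2 = (b"\x80\x1f\x01\x00\x02\x00\x06\x00\x00\x00\x10"
                + b"\x01\x00\x80\x07\x00\xc0" + bytes(range(16)))
# Constructed sample: the first bytes of a TLS record (content type 0x16) carrying a ClientHello.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"
```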
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Mon, 15 Nov 2010 11:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to dave b <db.pub.mail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Mon, 15 Nov 2010 11:39:05 GMT) (full text, mbox, link).
Message #10 received at 589706@bugs.debian.org (full text, mbox, reply):
Just out of interest, why hasn't the patch posted to disable SSLv2
been applied?...
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Mon, 15 Nov 2010 17:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Mon, 15 Nov 2010 17:03:03 GMT) (full text, mbox, link).
Message #15 received at 589706@bugs.debian.org (full text, mbox, reply):
On Mon, Nov 15, 2010 at 10:37:07PM +1100, dave b wrote:
> Just out of interest, why hasn't the patch posted to disable SSLv2
> been applied?...
Because it's rather late in the release process, and applications
can disable this themselves.
Kurt
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Mon, 15 Nov 2010 17:27:09 GMT) (full text, mbox, link).
Acknowledgement sent
to dave b <db.pub.mail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Mon, 15 Nov 2010 17:27:09 GMT) (full text, mbox, link).
Message #20 received at 589706@bugs.debian.org (full text, mbox, reply):
Erh ... the patch has been available for a long time here... I think
this is important enough to get fixed. Don't you think so?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Mon, 15 Nov 2010 18:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Mon, 15 Nov 2010 18:15:03 GMT) (full text, mbox, link).
Message #25 received at 589706@bugs.debian.org (full text, mbox, reply):
On Tue, Nov 16, 2010 at 04:24:00AM +1100, dave b wrote:
> Erh ... the patch has been available for a long time here... I think
> this is important enough to get fixed. Don't you think so?
The request was made just before the freeze. That's not a time to
start changing such an important library, since you have no idea
what will all break with such a change.
Kurt
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Tue, 16 Nov 2010 04:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to dave b <db.pub.mail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Tue, 16 Nov 2010 04:51:06 GMT) (full text, mbox, link).
Message #30 received at 589706@bugs.debian.org (full text, mbox, reply):
Yes and those things SHOULD break.
Reply sent
to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility.
(Sun, 19 Dec 2010 19:33:08 GMT) (full text, mbox, link).
Notification sent
to Kees Cook <kees@debian.org>:
Bug acknowledged by developer.
(Sun, 19 Dec 2010 19:33:08 GMT) (full text, mbox, link).
Message #35 received at 589706-close@bugs.debian.org (full text, mbox, reply):
Source: openssl
Source-Version: 1.0.0c-2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto1.0.0-udeb_1.0.0c-2_amd64.udeb
to main/o/openssl/libcrypto1.0.0-udeb_1.0.0c-2_amd64.udeb
libssl-dev_1.0.0c-2_amd64.deb
to main/o/openssl/libssl-dev_1.0.0c-2_amd64.deb
libssl-doc_1.0.0c-2_all.deb
to main/o/openssl/libssl-doc_1.0.0c-2_all.deb
libssl1.0.0-dbg_1.0.0c-2_amd64.deb
to main/o/openssl/libssl1.0.0-dbg_1.0.0c-2_amd64.deb
libssl1.0.0_1.0.0c-2_amd64.deb
to main/o/openssl/libssl1.0.0_1.0.0c-2_amd64.deb
openssl_1.0.0c-2.debian.tar.gz
to main/o/openssl/openssl_1.0.0c-2.debian.tar.gz
openssl_1.0.0c-2.dsc
to main/o/openssl/openssl_1.0.0c-2.dsc
openssl_1.0.0c-2_amd64.deb
to main/o/openssl/openssl_1.0.0c-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 589706@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 19 Dec 2010 16:24:16 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.0c-2
Distribution: experimental
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl-doc - SSL development documentation documentation
libssl1.0.0 - SSL shared libraries
libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 589706
Changes:
openssl (1.0.0c-2) experimental; urgency=low
.
* Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
* Always define _GNU_SOURCE, not only for Linux.
* Drop SSL2 support (Closes: #589706)
Package-Type: udeb
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#589706; Package openssl.
(Mon, 18 Apr 2011 11:12:15 GMT) (full text, mbox, link).
Acknowledgement sent
to Sven Wick <sven.wick@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>.
(Mon, 18 Apr 2011 11:12:20 GMT) (full text, mbox, link).
Message #40 received at 589706@bugs.debian.org (full text, mbox, reply):
Hi,
an "openssl s_client -connect" still lists "-ssl2" as option.
When used I get "unknown option -ssl2".
Please remove it too, if this version has no SSLv2 support anymore.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 17 May 2011 07:34:28 GMT) (full text, mbox, link).
Last modified: Sat Jan 13 23:39:51 2018