OpenSSL to announce new "high" severity vulnerabilities on Thursday (2015-03-19)

telephone · Mar 17, 2015

Link: [openssl-announce] Forthcoming OpenSSL releases

Forthcoming OpenSSL releases

============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

Yours

The OpenSSL Project Team

---

Q. What is classified as a high severity issue?

A. "This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited."

wlanboy · Mar 17, 2015

At least they are aware of it.

telephone · Mar 19, 2015

There were two "high" severity issues announced (one was a reclassification).

Link: OpenSSL Security Advisory

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================

Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

...

rds100 · Mar 19, 2015

Debian wheezy updated packages are already out, you can update.

mojeda · Mar 19, 2015

rds100 said:
Debian wheezy updated packages are already out, you can update.

~~They don't appear to have been updated to the version they suggest.~~

~# openssl version -v
OpenSSL 1.0.1e 11 Feb 2013

https://packages.debian.org/wheezy/openssl

Edit:

Nevermind it does appear that 1.0.1e in wheezy has been patched.

openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium

- Fix for CVE-2014-3571

- Fix for CVE-2015-0206

- Fix for CVE-2014-3569

- Fix for CVE-2014-3572

- Fix for CVE-2015-0204 <<<<<

- Fix for CVE-2015-0205

- Fix for CVE-2014-8275

- Fix for CVE-2014-3570

eva2000 · Mar 19, 2015

I believe debian like centos doesn't show full openssl version info just 1.0.1e part

Code:

/usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

Code:

apt-cache policy openssl
openssl:
  Installed: 1.0.1e-2+deb7u15
  Candidate: 1.0.1e-2+deb7u15
  Version table:
 *** 1.0.1e-2+deb7u15 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u13 0
        500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages

sv01 · Mar 19, 2015

mojeda said:
They don't appear to have been updated to the version they suggest.

~# openssl version -v
OpenSSL 1.0.1e 11 Feb 2013

https://packages.debian.org/wheezy/openssl

it's fixed

https://security-tracker.debian.org/tracker/CVE-2015-0291

Package: openssl
...
Version: 1.0.1e-2+deb7u15
...

OpenSSL 1.0.1e 11 Feb 2013

telephone · Mar 19, 2015

mojeda said:
They don't appear to have been updated to the version they suggest.

~# openssl version -v
OpenSSL 1.0.1e 11 Feb 2013

https://packages.debian.org/wheezy/openssl

Check the security page: https://security-tracker.debian.org/tracker/source-package/openssl

Here's the info on the reclassified RSA issue (fixed in Squeeze LTS and Wheezy Security): https://security-tracker.debian.org/tracker/CVE-2015-0204

centoslgd · Mar 19, 2015

Has to be year of vulnerabilities & exploits & it is just march with 9 more months ahead.

centoslgd · Mar 20, 2015

rds100 said:
Debian wheezy updated packages are already out, you can update.

eva2000 said:
I believe debian like centos doesn't show full openssl version info just 1.0.1e part

/usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

Code:

apt-cache policy openssl openssl: Installed: 1.0.1e-2+deb7u15 Candidate: 1.0.1e-2+deb7u15 Version table: *** 1.0.1e-2+deb7u15 0 500 http://security.debian.org/ wheezy/updates/main amd64 Packages 100 /var/lib/dpkg/status 1.0.1e-2+deb7u13 0 500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages

Any package updates for CentOS out yet?

Licensecart · Mar 20, 2015

eva2000 said:
I believe debian like centos doesn't show full openssl version info just 1.0.1e part

/usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

Code:

apt-cache policy openssl openssl: Installed: 1.0.1e-2+deb7u15 Candidate: 1.0.1e-2+deb7u15 Version table: *** 1.0.1e-2+deb7u15 0 500 http://security.debian.org/ wheezy/updates/main amd64 Packages 100 /var/lib/dpkg/status 1.0.1e-2+deb7u13 0 500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages

I use this:

Code:

[root@test3 ~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-30.el6_6.5.x86_64
openssl-1.0.1e-30.el6_6.5.x86_64
[root@test3 ~]#

AnthonySmith · Mar 20, 2015

I love the 'oh shit' tag

eva2000 · Mar 20, 2015

centoslgd said:
Any package updates for CentOS out yet?

not yet

luckily my Centmin Mod LEMP stack's Nginx uses static compiled OpenSSL version so updated that to 1.0.2a already for front facing web sites at least https://community.centminmod.com/threads/openssl-1-0-2a-1-0-1m-1-0-0r-0-9-8zf-coming-soon.2504/

now to wait on CentOS YUM packages updates.

wlanboy · Mar 21, 2015

Don't forget to compile all those Phyton, Ruby, PHP bindings against openssl lib again.

One advantage if you use packages instead of compiling everything on your own.

weloveservers · Mar 30, 2015

Worrying since more vulnerabilities are being found in 'enterprise' software, again. If heart-bleed weren't bad enough.

OpenSSL to announce new "high" severity vulnerabilities on Thursday (2015-03-19)

telephone

New Member

wlanboy

Content Contributer

telephone

New Member

rds100

New Member

mojeda

New Member

eva2000

Active Member

sv01

Slow but sure

telephone

New Member

centoslgd

New Member

centoslgd

New Member

Licensecart

Active Member

AnthonySmith

New Member

eva2000

Active Member

wlanboy

Content Contributer

weloveservers

New Member