Bug 742821 (CVE-2012-0050) - VUL-0: CVE-2012-0050: openssl: recent openssl update introduced DTLS DoS
Status: RESOLVED FIXED
Alias: CVE-2012-0050
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2012-02-13
Assignee: Security Team bot
QA Contact: E-mail List
Whiteboard: maint:released:11.4:45324 maint:relea...
Reported: 2012-01-23 10:39 UTC by Sebastian Krahmer
Modified: 2022-04-05 14:13 UTC (History)
Description Sebastian Krahmer 2012-01-23 10:39:47 UTC
Seems like the recent upstream openssl fix was not very clean:

http://www.h-online.com/open/news/item/OpenSSL-fixes-DoS-bug-in-recent-bug-fix-1417352.html
Comment 1 Marcus Meissner 2012-01-23 15:52:58 UTC
http://www.openssl.org/news/secadv_20120118.txt

OpenSSL Security Advisory [18 Jan 2012]
=======================================

DTLS DoS attack (CVE-2012-0050)
================================

A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
service attack. Only DTLS applications using OpenSSL 1.0.0f and
0.9.8s are affected.


Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix.

Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120118.txt
Comment 2 Swamp Workflow Management 2012-01-23 23:00:26 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2012-01-30 14:22:42 UTC
The SWAMPID for this issue is 45242.
This issue was rated as moderate.
Please submit fixed packages until 2012-02-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Guan Jun He 2012-02-02 07:33:30 UTC
patch submitted to sle10sp3/sle10sp4/sle11/sle11sp1

for openSUSE:
patch submitted to 12.1/11.4/11.3
for Base:System, package has been updated to latest stable version 1.0.0g.


fixed.
Comment 9 Roman Drahtmueller 2012-02-06 15:41:42 UTC
Guan Jun,

can you please revoke the submission to sle11-sp1
and back out the bnc#704832 fix with the renegotiation?
While the approach has its rewards, we cannot include it
into the service pack at this time any more (it would have been
a good candidate for October). As an additional hurdle, the
scoreboard only helps if a single process handles multiple
connections - not the case with most applications. As a 
consequence, the process would have to write into something
like a shared memory segment or similar, to register
connections.
Have you tried proposing the approach upstream? I think that
it is definitely worth it.

For the update to sle11-sp1:

Can you please submit a package that contains the fix for 
bnc#739719:
Tue Jan 10 13:29:30 UTC 2012 - gjhe@suse.com

bnc#742821:
Thu Feb  2 06:33:37 UTC 2012 - gjhe@suse.com


and in addition the fix that I have included in an earlier submission,
Mon Jan 30 11:41:16 CET 2012 - draht@suse.de

- openssl-add_sha256_sha512.diff: Add the SHA256 and SHA512 families
  to the hash algos by default to avoid explicit initialization by
  applications.

(which was stacking on your Jan 10 submission)
The patch is attached in https://bugzilla.novell.com/show_bug.cgi?id=743344
Comment 10 Roman Drahtmueller 2012-02-08 17:42:34 UTC
submission for sle11 was from sle11-ga, not from sle11-sp1. The submitted
package is not incremental, and the fix for
https://bugzilla.novell.com/show_bug.cgi?id=743344 is missing.

three changes to the previous package are needed:
1) _this_ bug: bnc#739719 
2) bnc#742821: recent openssl update introduced DTLS DoS
3) bnc#743344: activation of sha2 family hash algos. Patch is 
https://bugzilla.novell.com/attachment.cgi?id=472701
suggested changelog: 
- openssl-add_sha256_sha512.diff: Add the SHA256 and SHA512 families
  to the hash algos by default to avoid explicit initialization by
  applications.

Cross-posting to https://bugzilla.novell.com/show_bug.cgi?id=742821 for
completeness.

Thank you,
Roman.
Comment 11 Roman Drahtmueller 2012-02-08 17:42:58 UTC
submission for sle11 was from sle11-ga, not from sle11-sp1. The submitted
package is not incremental, and the fix for
https://bugzilla.novell.com/show_bug.cgi?id=743344 is missing.

three changes to the previous package are needed:
1) _this_ bug: bnc#739719 
2) bnc#742821: recent openssl update introduced DTLS DoS
3) bnc#743344: activation of sha2 family hash algos. Patch is 
https://bugzilla.novell.com/attachment.cgi?id=472701
suggested changelog: 
- openssl-add_sha256_sha512.diff: Add the SHA256 and SHA512 families
  to the hash algos by default to avoid explicit initialization by
  applications.

Thank you,
Roman.
Comment 12 Guan Jun He 2012-02-09 05:56:56 UTC
(In reply to comment #11)
> submission for sle11 was from sle11-ga, not from sle11-sp1. The submitted
> package is not incremental, and the fix for

What do you mean? 
submission to sle11 was from SUSE:SLE-11:Update:Test ;
And, submission for sle11-sp1 was from SUSE:SLE-11-SP1:Update:Test ,
what's wrong? 

thanks,
Guanjun
Comment 13 Guan Jun He 2012-02-09 06:17:20 UTC
(In reply to comment #9)
> 
> Can you please submit a package that contains the fix for 
> bnc#739719:

this has been fixed a long time ago, could you check that?

> 
> bnc#742821:

patch submitted a long time ago, then you guys did not accept the DoS patch, so just revoking it should be ok, and it will be processed soon.

> 
> 
> and in addition the fix that I have included in an earlier submission,
> Mon Jan 30 11:41:16 CET 2012 - draht@suse.de
> 
> - openssl-add_sha256_sha512.diff: Add the SHA256 and SHA512 families
>   to the hash algos by default to avoid explicit initialization by
>   applications.
> 
> (which was stacking on your Jan 10 submission)
> The patch is attached in https://bugzilla.novell.com/show_bug.cgi?id=743344

which version is it from? I think it's better you handle it yourself. thanks.
Comment 14 Marcus Meissner 2012-02-09 13:14:17 UTC
sles9-sp3-teradata is not affected, as openssl 0.9.7 did not include DTLS support yet.
Comment 15 Roman Drahtmueller 2012-02-09 16:17:51 UTC
Thank you very much, Guan Jun! :)

Submission against SUSE:SLE-11-SP1:Update:Test,
request id 17685, shall supersede submission with last changelog:

Tue Jan 10 13:29:30 UTC 2012 - gjhe@suse.com
- fix security bug [bnc#739719] -  various security issues

...
Comment 16 Swamp Workflow Management 2012-02-17 10:42:01 UTC
Update released for: libopenssl-devel, libopenssl1_0_0, libopenssl1_0_0-debuginfo, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 17 Swamp Workflow Management 2012-02-17 17:09:21 UTC
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 18 Swamp Workflow Management 2012-02-18 05:49:15 UTC
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-x86, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 19 Swamp Workflow Management 2012-02-18 06:45:15 UTC
Update released for: openssl, openssl-32bit, openssl-64bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-devel-64bit, openssl-doc, openssl-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 20 Marcus Meissner 2012-02-20 09:06:58 UTC
released
Comment 21 Swamp Workflow Management 2012-05-30 17:54:10 UTC
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)