Bugzilla – Bug 1157541
VUL-0: CVE-2019-3700: yast: Fallback to DES without configuration in /etc/login.def
Last modified: 2024-05-06 11:53:22 UTC
+++ This bug was initially created as a clone of Bug #1155735 +++

I left the original bug as this can be used to fix the bug that YaST doesn't check the new location in /usr.

This is a serious problem and must be solved ASAP. We assigned CVE-2019-3700 for this since this is an instance of CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

From my POV we should:
- Change the default so that YaST uses secure settings if it doesn't find any configured.
- Warn users that have passwords that are affected and aid them in changing them.
A PR to solve this issue is under review: https://github.com/yast/yast-security/pull/61
We have submitted a hotfix that changes the default encryption method from DES to SHA512 in yast2-security 4.2.6.
* SR#750297 for OBS: https://build.opensuse.org/request/show/750297
* SR#205969 for IBS: https://build.suse.de/request/show/205969
Great, thank you for your quick reaction!
This bug was introduced in Factory with https://build.opensuse.org/request/show/736424 on 2019-10-22 and was also part of the 20191022 snapshot.
Any plan to notify users?
After the initial patch, we are releasing most probably today another fix so security settings are finally read from /usr/etc/login.defs too, which fixes bug 1155735. However, we are still deciding the best way to notify users. Bear in mind that, even if we implement some mechanism in YaST, you will not get any notification unless you start YaST. So maybe, apart from a proper announcement, checking the password mechanisms in /etc/shadow during packages upgrade could be the way. Do any of you have a better idea or any preference?
(In reply to Imobach Gonzalez Sosa from comment #6)

We will describe the impact of this and ways to mitigate in the patch that we'll release. CCing our current update manager so that he's aware.

Apart from that I think a mail to opensuse-factory would be appropriate. It'll only affect a limited amount of users and I hope that we'll reach most of them this way.
(In reply to Johannes Segitz from comment #7)
> (In reply to Imobach Gonzalez Sosa from comment #6)
> We will describe the impact of this and ways to mitigate in the patch that
> we'll release. CCing our current update manager so that he's aware
>
> Apart from that I think a mail to opensuse-factory would be appropriate.
> I'll only affect a limited amount of users and I hope that we'll reach most
> of them this way

I would ideally suggest a post-install RPM message which requires acknowledgement. Is it too invasive to make the message conditional on there being a DES hash in /etc/shadow?

I posted about this bug on the openSUSE reddit and found a number (>10 out of the few 100's who read reddit) of people were affected and have not been reading -factory, so I am concerned that an email on the ML is not enough. This bug could lurk forever, even through upgrades, if the user isn't aware.

https://www.reddit.com/r/openSUSE/comments/dztn5j/important_for_anyone_who_installed_fresh/
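The check that comments #6 and #8 discuss (finding accounts whose /etc/shadow entry still carries a traditional DES hash, so affected users can be told to re-set their password) can be written as below. This is an added example, not code from the yast2-security fix or from this bug; the function names and the sample shadow lines are constructed for illustration.

```python
import re
import sys
from typing import List

# Modular-crypt-format identifiers as used by glibc crypt(3); the hotfix above
# moves the YaST default to "$6$" (SHA512).
MCF_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "2b": "bcrypt",
           "2y": "bcrypt", "2a": "bcrypt", "7": "scrypt", "y": "yescrypt"}

# Traditional DES crypt: exactly 13 characters from the crypt alphabet, no "$".
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Return the algorithm behind one /etc/shadow password field.

    A leading "!" is a lock marker; it is stripped so that a locked account
    that still holds a DES hash is reported rather than hidden.
    """
    h = field.lstrip("!")
    if field == "":
        return "none"          # empty field: no password set
    if h in ("", "*"):
        return "disabled"      # "!", "!!" or "*": no usable hash at all
    if h.startswith("$"):
        mcf_id = h.split("$")[1]
        return MCF_IDS.get(mcf_id, "unknown-mcf:" + mcf_id)
    if DES_RE.match(h):
        return "des"
    return "unknown"


def find_des_accounts(shadow_text: str) -> List[str]:
    """Return the user names whose password field is a traditional DES hash."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify_hash(fields[1]) == "des":
            users.append(fields[0])
    return users


# Constructed sample; the hash bodies are placeholders, only the format matters.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashbodyplaceholder:18200:0:99999:7:::
alice:abcDEFghiJKL0:18200:0:99999:7:::
bob:$y$j9T$saltsalt$hashbodyplaceholder:18200:0:99999:7:::
carol:!aBcDeFgHiJkLm:18200:0:99999:7:::
daemon:*:18200:0:99999:7:::
nobody:!:18200:0:99999:7:::
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"
    with open(path) as fh:   # needs root for the real file
        print("DES-hashed accounts:", find_des_accounts(fh.read()))
```

On the sample, `find_des_accounts(SAMPLE_SHADOW)` returns `['alice', 'carol']`; such a list is what an RPM post-install message or a YaST warning would be conditioned on.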
All done, closing.