Bug 1031023 - VUL-0: CVE-2014-3566: slrn: disable SSLv3 to prevent POODLE attack
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.2
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Andreas Stieger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/182291/
Depends on:
Blocks: CVE-2014-3566
Reported: 2017-03-26 15:42 UTC by Andreas Stieger
Modified: 2017-05-03 10:00 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2017-03-26 15:42:41 UTC
+++ This bug was initially created as a clone of Bug #901223 +++

From http://slrn.sourceforge.net/docs/changes.txt

> 3. src/sltcp.c: Disable support for SSLv3, which is vulnerable to
>    POODLE attacks.

From cd7df64080841a70efec49cd1d836743beb66b68 Mon Sep 17 00:00:00 2001
From: "John E. Davis" <jed@jedsoft.org>
Date: Mon, 1 Jun 2015 18:07:50 -0400
Subject: [PATCH 1/2] pre1.0.3-3: Disable support for SSLv3, which is
 vulnerable to POODLE attacks.

From 976fe373672edc9abc14e8951c253ad60a8c3bfb Mon Sep 17 00:00:00 2001
From: "John E. Davis" <jed@jedsoft.org>
Date: Tue, 2 Jun 2015 10:09:37 -0400
Subject: [PATCH 2/2] pre1.0.3-4: My previous commit introduced a typo.

diff --git a/src/sltcp.c b/src/sltcp.c
index b8528d7..455fbf3 100644
--- a/src/sltcp.c
+++ b/src/sltcp.c
@@ -573,7 +573,9 @@ static SSL *alloc_ssl (void)
             print_error (_("SSL_CTX_new failed.\n"));
             return NULL;
          }
-       /* SSL_CTX_set_options (c, SSL_OP_NO_TLSv1); */
+
+       /* SSLv3 is vulnerable to POODLE attacks.  Do not use it. */
+       SSL_CTX_set_options (c, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
        This_SSL_Ctx = c;
        atexit (deinit_ssl);
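Review bot: the new SSL_CTX_set_options call clears SSLv2 and SSLv3 only, so TLS 1.0 and later remain negotiable; the removed comment that mentioned SSL_OP_NO_TLSv1 is the only trace of that decision, and the commit message says nothing about the resulting minimum protocol version. Suggest stating in the commit message (or in the comment added at `/* SSLv3 is vulnerable to POODLE attacks.  Do not use it. */`) that TLS 1.0 is now the floor, so a later reviewer can raise it deliberately; on OpenSSL releases that provide it, SSL_CTX_set_min_proto_version expresses that floor more directly than a list of SSL_OP_NO_* flags.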
Comment 1 Andreas Stieger 2017-03-26 16:00:13 UTC
https://build.opensuse.org/request/show/482750
https://build.opensuse.org/request/show/482751
Submitted. If you like them, please process the above.
Comment 2 Andreas Stieger 2017-03-28 10:53:08 UTC
(In reply to Andreas Stieger from comment #1)
> https://build.opensuse.org/request/show/482750
> https://build.opensuse.org/request/show/482751

Vladimir, is that something you could review please?
Comment 3 Andreas Stieger 2017-04-06 08:02:41 UTC
Guido, please process
https://build.opensuse.org/request/show/482750
Comment 4 Andreas Stieger 2017-04-11 12:11:11 UTC
Also submitted for Factory.
Comment 5 Bernhard Wiedemann 2017-04-11 14:01:50 UTC
This is an autogenerated message for OBS integration:
This bug (1031023) was mentioned in
https://build.opensuse.org/request/show/487324 Factory / slrn
Comment 6 Swamp Workflow Management 2017-04-11 16:10:47 UTC
openSUSE-SU-2017:0980-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1031023
CVE References: CVE-2014-3566
Sources used:
openSUSE Leap 42.2 (src):    slrn-1.0.3-4.3.1
openSUSE Leap 42.1 (src):    slrn-1.0.3-4.1
Comment 7 Bernhard Wiedemann 2017-05-03 10:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1031023) was mentioned in
https://build.opensuse.org/request/show/492596 Factory / slrn