Bug 803004 - openSSL 1.0.1d breaks most, if not all, SSL connections
Status: RESOLVED FIXED
Duplicates: 803023
Classification: openSUSE
Product: openSUSE 12.3
Component: Basesystem
Version: Factory
Hardware: x86-64
OS: Other
Priority: P1 - Urgent
Severity: Critical
Target Milestone: RC 2
Assigned To: Shawn Chang
Reported: 2013-02-10 20:10 UTC by Luca Beltrame
Modified: 2022-02-16 21:12 UTC
Found By: ---
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Description Luca Beltrame 2013-02-10 20:10:12 UTC
User-Agent:       Mozilla/5.0 (X11; Linux) KHTML/4.10.60 (like Gecko) Konqueror/4.10

With the update of openSSL to 1.0.1d, I found that most KDE applications were unable to use SSL because of spurious data being inserted into the data stream, causing malformed replies.

Furthermore, deeper checking showed that ANY application using SSL was failing (tested with browsers such as lynx and links). Reverting to 1.0.1c fixed the issue.


Reproducible: Always

Steps to Reproduce:
1. Run "links https://bugs.kde.org" with openSSL 1.0.1d

Actual Results:  
links displays garbage, unless openSSL is reverted to 1.0.1c

Expected Results:  
links and SSL-using applications should work correctly.

Running latest Factory
Comment 1 Luca Beltrame 2013-02-10 20:24:37 UTC
It looks similar to a bug report in Gentoo, with a provided patch:
https://bugs.gentoo.org/show_bug.cgi?id=456108

Also some references upstream about regressions:

http://marc.info/?l=openssl-dev&m=136027800219045&w=2
http://marc.info/?l=openssl-dev&m=136027218016787&w=2
Comment 2 Hrvoje Senjan 2013-02-10 20:44:23 UTC
Added upstream fix for this huge regression in review request 155056 to Base:System, should be also forwarded to 12.3 ASAP.

I didn't experience the issue(s) as Luca did, however it did render NetworkManager unusable, disconnecting every 10 seconds.
Comment 3 Marcus Meissner 2013-02-10 21:38:51 UTC
I forwarded it. Thanks for the heads up, this is annoying :/
Comment 4 Cristian Rodríguez 2013-02-11 00:15:21 UTC
(In reply to comment #3)
> I forwarded it. Thanks for the heads up, this is annoying :/

The most annoying part is that the testsuite when run into the OBS did not catch it. :-|
Comment 5 Cristian Rodríguez 2013-02-11 00:43:32 UTC
Ok, attempting to reproduce with links also reveals that it is trying SSL compression and that is already compromised since CVE-2012-4929 (fixed in sr 155069)
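Comment 5 notes that the links reproducer negotiates SSL compression, which CVE-2012-4929 (CRIME) turned into a secret-recovery oracle. The following is an added worked example, not code from this bug, openSUSE, OpenSSL or links: it shows why compressing attacker-controlled data in the same context as a secret cookie leaks that cookie one byte at a time, and finishes with the check a client author wants (that the TLS context never offers compression). The request text, the secret value and the compressor are constructed for the example: the compressor is a greedy LZ77 token counter standing in for TLS DEFLATE compression, which keeps the oracle deterministic. Real DEFLATE adds Huffman coding and byte alignment on top, so a live attack needs padding and retries where candidates tie, but the mechanism is the same.

```python
"""
Compression side-channel (CRIME, CVE-2012-4929) against a TLS-compressed request.

Added example for this bug page; not code from openSUSE, OpenSSL or links.
The request text, the secret cookie and the cost model are constructed.
The compressor is a greedy LZ77 token counter that stands in for TLS DEFLATE
compression: it reports how many literals and back-references are emitted,
which is the property the attack exploits.
"""
import ssl

MIN_MATCH = 3        # DEFLATE emits no back-reference shorter than 3 bytes
WINDOW = 32 * 1024   # DEFLATE sliding-window size

# Constructed secret: the attacker knows the cookie name, not its value.
SECRET = b"8f2c9a1d4e7b"
ALPHABET = b"0123456789abcdef"


def lz77_cost(data: bytes) -> int:
    """Greedy LZ77: return the number of tokens (literals + back-references).

    At each position the longest earlier match inside the window is taken; a
    match of MIN_MATCH or more bytes becomes one token, otherwise one literal.
    """
    i, tokens, n = 0, 0, len(data)
    while i < n:
        best = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        i += best if best >= MIN_MATCH else 1
        tokens += 1
    return tokens


def victim_record(attacker_data: bytes) -> bytes:
    """Plaintext the victim compresses (then encrypts) for one request.

    The attacker controls the query string; the browser appends the secret
    cookie. Both land in the same compression context, which is the flaw.
    """
    return (b"GET /?q=" + attacker_data + b" HTTP/1.1\r\n"
            b"Host: bank.example\r\n"
            b"Cookie: session=" + SECRET + b"\r\n\r\n")


def oracle(attacker_data: bytes) -> int:
    """What a network observer sees: the compressed record length."""
    return lz77_cost(victim_record(attacker_data))


def recover_secret(length: int) -> bytes:
    """Recover the cookie value byte by byte.

    Each probe is "session=" + recovered prefix + one candidate byte. The
    candidate that extends the match against the real cookie compresses one
    token shorter than every wrong candidate.
    """
    known = b""
    for _ in range(length):
        costs = {c: oracle(b"session=" + known + bytes([c])) for c in ALPHABET}
        best = min(costs.values())
        winners = [c for c, v in costs.items() if v == best]
        if len(winners) != 1:
            raise RuntimeError("no unique winner; real attacks pad and retry here")
        known += bytes(winners)
    return known


def context_disables_compression() -> bool:
    """Mitigation check: Python's default SSLContext sets OP_NO_COMPRESSION,
    so a client built on it never offers DEFLATE in its ClientHello."""
    ctx = ssl.create_default_context()
    return bool(ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0))


if __name__ == "__main__":
    print("correct vs wrong first byte:", oracle(b"session=8"), oracle(b"session=0"))
    print("recovered:", recover_secret(len(SECRET)).decode())
    print("default SSLContext disables compression:", context_disables_compression())
```

On a live connection the same check is `SSLSocket.compression()`, which returns None when nothing was negotiated, and for a command-line reproducer such as the links case above, `openssl s_client -connect host:443` prints `Compression: NONE` in its session summary when the peer and client agreed on no compression.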
Comment 6 Marcus Meissner 2013-02-11 10:13:21 UTC
Shawn, mostly FYI... I already forwarded the mentioned fix.
Comment 7 Shawn Chang 2013-02-11 11:00:27 UTC
Hi Marcus, submit-request 155056 has already added the upstream fix for this issue. Is there anything I can do?
Comment 8 Andreas Jaeger 2013-02-11 11:05:59 UTC
*** Bug 803023 has been marked as a duplicate of this bug. ***
Comment 9 Shawn Chang 2013-02-11 12:59:45 UTC
request 155056 has been accepted. I'm closing this bug...
Comment 10 Bernhard Wiedemann 2013-02-12 09:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/155179 Factory / openssl
Comment 11 Bernhard Wiedemann 2013-02-16 10:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/155587 Maintenance /
Comment 12 Bernhard Wiedemann 2013-02-24 12:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/156242 Factory / links
Comment 13 Swamp Workflow Management 2013-02-25 10:05:59 UTC
openSUSE-SU-2013:0337-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 757773,802184,802746,803004
CVE References: CVE-2012-2686,CVE-2013-0166,CVE-2013-0169
Sources used:
openSUSE 12.2 (src):    openssl-1.0.1e-2.8.1
Comment 14 Swamp Workflow Management 2014-02-18 14:05:27 UTC
openSUSE-RU-2014:0249-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 670526,720601,784994,793420,802184,803004,849377,856687,857203
CVE References: CVE-2011-0014,CVE-2012-4929,CVE-2013-6449,CVE-2013-6450
Sources used:
openSUSE 11.4 (src):    openssh-5.8p1-7.2, openssh-askpass-gnome-5.8p1-7.1, openssl-1.0.1e-53.1
Comment 15 Swamp Workflow Management 2022-02-16 21:12:54 UTC
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.