Bug 931723 - VUL-1: apache2: The Logjam Attack / weakdh.org
Status: RESOLVED FIXED
Duplicates: 957931
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
Reported: 2015-05-20 18:18 UTC by Marcus Meissner
Modified: 2017-07-18 14:51 UTC

Attachments
apache2-2.4.10-ssl.patch (172.75 KB, patch)
2015-07-17 14:20 UTC, Marcus Meissner

Description Marcus Meissner 2015-05-20 18:18:35 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

The apache 2.2.12 version in SLE11 has:

selection of either dh512 or dh1024 parameter, depending on server key size.

So it usually will select 1024 bit keys.

A dhparam override option does not exist currently (there is one, but it is not hooked up in the config framework at this time).


apache 2.4 in SLE12

A SSLCertificateFile statement can be used for specifying DH Params. (untested, just source code checking)
Comment 3 Marcus Meissner 2015-05-21 13:49:41 UTC
Actually, for SLE12:

create the dhparams with e.g.:

openssl dhparam -out dhparams.pem 2048

then _append_ this to the server certificate file.

cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt
Comment 5 Marcus Meissner 2015-05-22 11:44:02 UTC
Note that if apache2 on SLE11 already has the export ciphers disabled, it is not affected by the DHE_EXPORT downgrade attack either.

It will just use the not-so-unique 1024bit group.
Comment 6 Branislav Havel 2015-05-27 08:15:14 UTC
Just a question on behalf of the customer whether we have any ETA when the patch is supposed to be released? Thank you
Comment 7 Branislav Havel 2015-06-08 08:33:36 UTC
I am sorry to ask you again, anyway, do we have any dates when the patch is supposed to be released?

Thank you
Comment 8 Wolfgang Rosenauer 2015-06-17 09:06:32 UTC
(In reply to Marcus Meissner from comment #3)
> actually for SLE12:
> 
> create the dhparams with e.g.:
> 
> openssl dhparam -out dhparams.pem 2048
> 
> then _append_ this to the server certificate file.
> 
> cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt

This works also on RHEL and CentOS 6 with Apache 2.2.15.
Seems it can be patched for Apache 2.2 for older releases than SLE12?
Comment 9 Klaus Vink Slott 2015-06-23 10:54:30 UTC
(In reply to Wolfgang Rosenauer from comment #8)
> (In reply to Marcus Meissner from comment #3)
..
> > then _append_ this to the server certificate file.
... 
> This works also on RHEL and CentOS 6 with Apache 2.2.15.
> Seems it can be patched for Apache 2.2 for older releases than SLE12?

At the moment it does not seem possible to get an A rating on www.ssllabs.com/ssltest using Apache on an OpenSUSE 13.1 based server.

Although B is not bad*, we would really appreciate a fix for apache2-2.4 as included in OS13.1, especially as it seems that 13.1 will be the next Evergreen.

*) ...but all my friends run Ubuntu with an A rating :-/
Comment 10 James Carter 2015-07-16 22:31:41 UTC
I have OpenSuSE-13.1 with the stock apache2-2.4.6-6.47.1 and
openssl-1.0.1k-11.72.1 . In responding to Logjam (CVE-2015-4000), I'm
very tempted to upgrade to apache2-2.4.12 from the OpenSuSE-13.1 Apache
sub-repo, and to install openssl-1.0.2 from Tumbleweed (if no dependency
problems) or one of the community developers with 13.1 packages.  What
holds me back is, future security patches will use the stock versions as
a base, and if I make these upgrades I will miss future patches for
other issues until probably the OpenSuSE version after 13.2, which is a
very big negative factor.

So I'd like to request that the stock apache2 for OpenSuSE-13.1 should
gain the ability to use locally generated Diffie-Hellman parameters,
either by backporting or by upgrading the version.

As for which patch to backport, the one from apache-2.4.7 appears to make
the smallest code changes, and will work with openssl-0.9.8.  But the
sysadmin needs to append the DH parameters to his host certificate,
which is a problem if he's ultra-paranoid and changes them on a
schedule, or if the host cert is replaced the DH parameters may be
forgotten.  Also I'm using a concatenated file with the key, cert, and
(intermediate) CAs in that order.  Some guidance would be appreciated:
should the DH params come after the host cert, or at the end of the
file?

The patch from apache-2.4.8 that introduces the SSLOpenSSLConfCmd
DHParameters directive is going to be a whole lot easier for the
sysadmin, but more disruptive for the distro, since it requires
advancing to openssl-1.0.2.  But perhaps the security team thinks an
eventual transition to 1.0.2 is inevitable.  As the sysadmin, I would
prefer this backport or version upgrade.
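An added check, not from this thread or from Apache, for the bundle layout discussed in comments 3 and 10: it lists the PEM blocks in a concatenated file, finds the `DH PARAMETERS` block wherever it sits (PEM readers such as OpenSSL's skip blocks whose name does not match, so where the parameters land among key, certificate and chain does not stop them being found; that is an assumption stated here, not something the thread says), decodes the DER and reports the size of the prime p. The sample bundle and its 2048-bit p are constructed values, not real parameters.

```python
import base64
import re

# Minimal DER helpers for DH parameters: SEQUENCE { INTEGER p, INTEGER g }.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def dh_params_pem(p: int, g: int = 2) -> str:
    """Build a 'DH PARAMETERS' PEM block (the format `openssl dhparam` writes)."""
    der = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(der)) + der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                 # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def audit_bundle(pem_text: str, min_bits: int = 2048) -> dict:
    """List the PEM blocks in a concatenated file and size the first DH group in it."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(pem_text)]
    names = [name for name, _ in blocks]
    dh = [body for name, body in blocks if name == "DH PARAMETERS"]
    if not dh:                    # nothing appended: Apache falls back to its built-in group
        return {"blocks": names, "dh_bits": None, "ok": False}
    _, seq, _ = _der_read(base64.b64decode("".join(dh[0].split())), 0)
    _, p_bytes, _ = _der_read(seq, 0)
    bits = int.from_bytes(p_bytes, "big").bit_length()
    return {"blocks": names, "dh_bits": bits, "ok": bits >= min_bits}

# Constructed sample: a dummy certificate block plus a DH block whose p is a
# constructed 2048-bit odd number (not a real prime; only its size is inspected).
SAMPLE_P = (1 << 2047) | 1
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n"
                 "-----END CERTIFICATE-----\n" + dh_params_pem(SAMPLE_P))
```

Run `audit_bundle(open("/etc/apache2/ssl.crt/server.crt").read())` against a real bundle to confirm the appended group survived a certificate renewal.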
Comment 11 Marcus Meissner 2015-07-17 13:44:36 UTC
The transition to 1.0.2 is done in Factory and there all should be fine.

Also 13.2 is good.

I am currently trying out to just diff modules/ssl/ between 13.1 and 13.2, apply that on top of 13.2 and submit it.
Comment 12 Marcus Meissner 2015-07-17 13:56:51 UTC
home:msmeissn:branches:openSUSE:13.1:Update/apache2.openSUSE_13.1_Update
if you are curious
Comment 13 Marcus Meissner 2015-07-17 14:20:53 UTC
Created attachment 641266
apache2-2.4.10-ssl.patch

patch for opensuse 13.1.
Comment 15 Swamp Workflow Management 2015-07-24 12:08:25 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-08-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62232
Comment 18 Bernhard Wiedemann 2015-08-12 08:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (931723) was mentioned in
https://build.opensuse.org/request/show/322025 Factory / apache2
Comment 19 Kristyna Streitova 2015-09-23 14:07:51 UTC
Submitted to openSUSE 13.2: https://build.opensuse.org/request/show/333177
Comment 20 Marcel Pennewiß 2015-09-28 15:15:40 UTC
Will this also be fixed in openSUSE 13.1 which is also currently in support?
Comment 21 Swamp Workflow Management 2015-10-06 07:09:35 UTC
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
openSUSE 13.2 (src):    apache2-2.4.10-28.1
openSUSE 13.1 (src):    apache2-2.4.6-6.50.1
Comment 23 Swamp Workflow Management 2015-10-30 16:12:11 UTC
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src):    apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src):    apache2-mod_fastcgi-2.4.7-3.4.1
Comment 24 Paolo Panto 2016-01-08 09:39:54 UTC
*** Bug 957931 has been marked as a duplicate of this bug. ***
Comment 25 Victor Pereira 2016-03-22 14:21:48 UTC
everything fixed and released.