Bugzilla – Bug 931723
VUL-1: apache2: The Logjam Attack / weakdh.org
Last modified: 2017-07-18 14:51:57 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

The apache 2.2.12 version in SLE11 has: selection of either dh512 or dh1024 parameter, depending on server key size. So it usually will select 1024 bit keys. A dhparam override option does not exist currently (there is one, but it is not hooked up in the config framework at this time).

apache 2.4 in SLE12: an SSLCertificateFile statement can be used for specifying DH Params. (untested, just source code checking)
actually for SLE12:

create the dhparams with e.g.:

openssl dhparam -out dhparams.pem 2048

then _append_ this to the server certificate file.

cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt
Note that if apache2 on SLE11 already has the export ciphers disabled, it is not affected by the DHE_EXPORT downgrade attack either. It will just use the not-so-unique 1024bit group.
Just a question on behalf of the customer whether we have any ETA when the patch is supposed to be released? Thank you
I am sorry to ask you again, anyway, do we have any dates when the patch is supposed to be released? Thank you
(In reply to Marcus Meissner from comment #3)
> actually for SLE12:
>
> create the dhparams with e.g.:
>
> openssl dhparam -out dhparams.pem 2048
>
> then _append_ this to the server certificate file.
>
> cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt

This works also on RHEL and CentOS 6 with Apache 2.2.15. Seems it can be patched for Apache 2.2 for older releases than SLE12?
(In reply to Wolfgang Rosenauer from comment #8)
> (In reply to Marcus Meissner from comment #3)
..
> > then _append_ this to the server certificate file.
...
> This works also on RHEL and CentOS 6 with Apache 2.2.15.
> Seems it can be patched for Apache 2.2 for older releases than SLE12?

At the moment it does not seem possible to get an A rating on www.ssllabs.com/ssltest using Apache on an OpenSUSE 13.1 based server. Although B is not bad*, we would really appreciate a fix for apache2-2.4 as included in OS13.1. Especially as it seems that 13.1 will be the next Evergreen.

*) .. but all my friends run Ubuntu with an A rating :-/
I have OpenSuSE-13.1 with the stock apache2-2.4.6-6.47.1 and openssl-1.0.1k-11.72.1. In responding to Logjam (CVE-2015-4000), I'm very tempted to upgrade to apache2-2.4.12 from the OpenSuSE-13.1 Apache sub-repo, and to install openssl-1.0.2 from Tumbleweed (if no dependency problems) or one of the community developers with 13.1 packages. What holds me back is, future security patches will use the stock versions as a base, and if I make these upgrades I will miss future patches for other issues until probably the OpenSuSE version after 13.2, which is a very big negative factor.

So I'd like to request that the stock apache2 for OpenSuSE-13.1 should gain the ability to use locally generated Diffie-Hellman parameters, either by backporting or by upgrading the version.

As for which patch to backport, the one from apache-2.4.7 appears to make the smallest code changes, and will work with openssl-0.9.8. But the sysadmin needs to append the DH parameters to his host certificate, which is a problem if he's ultra-paranoid and changes them on a schedule, or if the host cert is replaced the DH parameters may be forgotten. Also I'm using a concatenated file with the key, cert, and (intermediate) CAs in that order. Some guidance would be appreciated: should the DH params come after the host cert, or at the end of the file?

The patch from apache-2.4.8 that introduces the SSLOpenSSLConfCmd DHParameters directive is going to be a whole lot easier for the sysadmin, but more disruptive for the distro, since it requires advancing to openssl-1.0.2. But perhaps the security team thinks an eventual transition to 1.0.2 is inevitable. As the sysadmin, I would prefer this backport or version upgrade.
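Added example, not part of this bug report or of the apache2 package: a small audit for the concatenated certificate file that comment #3 tells the admin to append dhparams.pem to, and that the comment above worries may lose its DH block when the host certificate is replaced. It finds the first DH PARAMETERS block, decodes the PKCS#3 SEQUENCE { p, g } and reports whether p reaches 2048 bits; the key/cert bodies and the primes used as input are constructed placeholders, not real key material or real DH groups.

```python
import base64
import re

# Constructed stand-in for the concatenated key/cert/CA file described above; bodies are placeholders.
SAMPLE_CERT_FILE = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIDplaceholder\n-----END CERTIFICATE-----\n"
)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length(n):
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw   # long form: 0x80|count, then bytes

def der_integer(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")   # extra zero byte when bit 7 would be set
    return b"\x02" + der_length(len(body)) + body

def make_dh_pem(p, g=2):
    """PKCS#3 DHParameter, SEQUENCE { INTEGER p, INTEGER g }, wrapped as a PEM block."""
    body = der_integer(p) + der_integer(g)
    b64 = base64.b64encode(b"\x30" + der_length(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

def der_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(der):
    """Return (p, g) from DER-encoded DH parameters (a SEQUENCE of two INTEGERs)."""
    tag, seq, _ = der_tlv(der, 0)
    tag_p, p_bytes, pos = der_tlv(seq, 0)
    tag_g, g_bytes, _ = der_tlv(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def audit_cert_file(pem_text, minimum_bits=2048):
    """Classify the first DH PARAMETERS block as 'missing', 'weak' or 'ok', with p's bit size."""
    for match in PEM_BLOCK.finditer(pem_text):
        if match.group(1) == "DH PARAMETERS":
            p, _g = parse_dh_params(base64.b64decode(match.group(2)))
            bits = p.bit_length()
            return ("ok" if bits >= minimum_bits else "weak"), bits
    return "missing", 0
```

Taking the first DH PARAMETERS block mirrors OpenSSL's PEM reader, which mod_ssl uses to load DH parameters from SSLCertificateFile and which skips the other PEM sections until it reaches that name, so the block works after the host cert or at the end of the file.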
the transition to 1.0.2 is done in factory and there all should be fine. also 13.2 is good. I am currently trying to just diff modules/ssl/ between 13.1 and 13.2, apply that on top of 13.2 and submit it.
home:msmeissn:branches:openSUSE:13.1:Update/apache2.openSUSE_13.1_Update if you are curious
Created attachment 641266: apache2-2.4.10-ssl.patch

patch for opensuse 13.1.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-08-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62232
This is an autogenerated message for OBS integration: This bug (931723) was mentioned in https://build.opensuse.org/request/show/322025 Factory / apache2
Submitted to openSUSE 13.2: https://build.opensuse.org/request/show/333177
Will this also be fixed in openSUSE 13.1 which is also currently in support?
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
openSUSE 13.2 (src): apache2-2.4.10-28.1
openSUSE 13.1 (src): apache2-2.4.6-6.50.1
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src): apache2-mod_fastcgi-2.4.7-3.4.1
*** Bug 957931 has been marked as a duplicate of this bug. ***
everything fixed and released.