Bug 937766 - VUL-0: openldap2: The Logjam Attack / weakdh.org
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Peter Varkoly
QA Contact: Security Team bot
Depends on:
Blocks: CVE-2015-4000
Reported: 2015-07-12 19:22 UTC by Marcus Meissner
Modified: 2016-05-12 14:01 UTC (History)
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
astieger: needinfo? (varkoly)


Attachments
openldap2-fix-logjam.patch (895 bytes, patch)
2015-07-13 08:16 UTC, Marcus Meissner

Description Marcus Meissner 2015-07-12 19:22:05 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

openldap2 in SSL/LDAP mode serves out Diffie-Hellman parameters.

The DH param length depends on the key length of the server key used.

The hardcoded DH params include 512 bit, but also intermediate key sizes like 768 bit will cause 768 bit DH params to be used.

A minimum DH size of 1024 should be enforced to cover Logjam.
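An added example, not code from openldap2 or from the patch attached to this bug, of the check a defender would want here: parse the DH group a DHE ServerKeyExchange carries, measure it as the bit length of the modulus p, and grade it against the 1024-bit floor this report asks for and the 2048-bit floor suggested later in the thread. The byte layout is TLS 1.2 ServerDHParams (RFC 5246, section 7.4.3). The function names, the "weak/acceptable/strong" labels and the sample messages are this example's own assumptions, and the sample moduli are constructed numbers with the top bit set, not real safe primes.

```python
"""Inspect the Diffie-Hellman group a TLS server offers in a DHE
ServerKeyExchange and flag groups below a minimum modulus size.

Added example, not code from the openldap2 package or from the patch
attached to this bug.  Layout follows TLS 1.2 ServerDHParams: dh_p,
dh_g and dh_Ys, each prefixed with a two-byte big-endian length.
The sample messages below are constructed here; the moduli are not
real safe primes.
"""
import struct

MIN_DH_BITS = 1024          # floor this bug asks openldap2 to enforce
RECOMMENDED_DH_BITS = 2048  # stronger floor suggested later in the thread


def _read_vector(data: bytes, offset: int):
    """Read one <1..2^16-1> opaque vector; return (value, new_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated length field at offset %d" % offset)
    (length,) = struct.unpack_from("!H", data, offset)
    offset += 2
    if length == 0:
        raise ValueError("zero-length vector is not allowed")
    if offset + length > len(data):
        raise ValueError("vector of %d bytes exceeds message size" % length)
    return data[offset:offset + length], offset + length


def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams and return the group's key facts."""
    p_bytes, off = _read_vector(data, 0)
    g_bytes, off = _read_vector(data, off)
    ys_bytes, off = _read_vector(data, off)
    p = int.from_bytes(p_bytes, "big")
    return {
        "p_bits": p.bit_length(),
        "g": int.from_bytes(g_bytes, "big"),
        "ys_bits": int.from_bytes(ys_bytes, "big").bit_length(),
        "trailing_bytes": len(data) - off,  # non-zero means a malformed block
    }


def assess_dh_group(p_bits: int, minimum: int = MIN_DH_BITS) -> str:
    """Classify a DH modulus size against the minimum the bug asks for."""
    if p_bits < minimum:
        return "weak"          # export-grade or intermediate group: reject
    if p_bits < RECOMMENDED_DH_BITS:
        return "acceptable"    # meets the 1024-bit floor, below 2048
    return "strong"


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct sample messages."""
    def vec(n: int) -> bytes:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return vec(p) + vec(g) + vec(ys)


# Constructed samples: a 768-bit modulus (the intermediate size the report
# describes) and a 2048-bit one.  Top bit set so bit_length is exact.
SAMPLE_768 = build_server_dh_params((1 << 767) | 0x1234F, 2, (1 << 700) | 7)
SAMPLE_2048 = build_server_dh_params((1 << 2047) | 0xABCD1, 2, (1 << 2000) | 9)


def check_message(data: bytes) -> tuple:
    """Return (p_bits, verdict) for one ServerKeyExchange DH block."""
    info = parse_server_dh_params(data)
    return info["p_bits"], assess_dh_group(info["p_bits"])


if __name__ == "__main__":
    for name, msg in (("768-bit", SAMPLE_768), ("2048-bit", SAMPLE_2048)):
        bits, verdict = check_message(msg)
        print("%s group: p=%d bits -> %s" % (name, bits, verdict))
```

Pointed at the DH block of a real captured handshake, the same parser tells you which group size a server actually hands out, which is the measurement behind this report: a server whose group size tracks its key size will show 768 here for a 768-bit key, and the verdict is "weak" until a 1024-bit floor is enforced.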
Comment 1 Swamp Workflow Management 2015-07-12 22:00:07 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2015-07-13 08:16:46 UTC
Created attachment 640689 [details]
openldap2-fix-logjam.patch

Always return DH groups >= 1024 bit.
Comment 3 Marcus Meissner 2015-07-13 08:18:23 UTC
We could also use 2048 as minimum, actually.

Please include this fix in current openldap2 submissions.
Comment 4 Peter Varkoly 2015-07-13 10:36:52 UTC
Created MR:62306
Comment 5 Marcus Meissner 2015-07-13 11:07:00 UTC
Your submission also included postfix.

Can you submit via

osc sr

from the openldap2.SUSE_SLE-11-SP3_Update directory instead?
Comment 7 Swamp Workflow Management 2015-07-17 11:24:21 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-07-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62222
Comment 8 Swamp Workflow Management 2015-09-03 09:10:31 UTC
SUSE-SU-2015:1482-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 924496,932773,937766
CVE References: CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Server 11-SP4 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Server 11-SP3 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Server 11-SECURITY (src):    openldap2-client-openssl1-2.4.26-0.35.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openldap2-2.4.26-0.35.1, openldap2-client-2.4.26-0.35.1, openldap2-client-openssl1-2.4.26-0.35.1
Comment 11 Bernhard Wiedemann 2015-12-02 14:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (937766) was mentioned in
https://build.opensuse.org/request/show/347172 Factory / openldap2
Comment 14 Andreas Stieger 2016-01-14 19:46:40 UTC
For bsc#904028, bsc#937766, bsc#945582, bsc#955210 please submit for openSUSE 13.2 maintenance.
Comment 15 Bernhard Wiedemann 2016-01-18 10:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (937766) was mentioned in
https://build.opensuse.org/request/show/354485 13.2 / openldap2
Comment 16 Swamp Workflow Management 2016-01-25 12:12:20 UTC
SUSE-SU-2016:0224-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Software Development Kit 12 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Server for SAP 12 (src):    openldap2-2.4.41-18.13.4
SUSE Linux Enterprise Server 12-SP1 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Server 12 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    openldap2-2.4.41-18.13.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Desktop 12 (src):    openldap2-client-2.4.41-18.13.1
Comment 17 Swamp Workflow Management 2016-01-25 12:13:59 UTC
openSUSE-SU-2016:0226-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 904028,937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE 13.2 (src):    openldap2-2.4.39-8.9.1, openldap2-client-2.4.39-8.9.1
Comment 18 Swamp Workflow Management 2016-01-27 10:12:21 UTC
openSUSE-SU-2016:0255-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 904028,937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE 13.1 (src):    openldap2-2.4.33-8.6.1, openldap2-client-2.4.33-8.6.1
Comment 19 Andreas Stieger 2016-01-27 15:36:17 UTC
Releasing last updates, all done
Comment 20 Swamp Workflow Management 2016-01-27 18:12:06 UTC
openSUSE-SU-2016:0261-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE Leap 42.1 (src):    openldap2-2.4.41-11.1, openldap2-client-2.4.41-11.1
Comment 21 Swamp Workflow Management 2016-01-27 18:12:46 UTC
SUSE-SU-2016:0262-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 937766,945582
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
SUSE Studio Onsite 1.3 (src):    openldap2-client-2.4.26-0.17.23.1