Bug 938905 - VUL-1: inn: The Logjam Attack / weakdh.org
VUL-1: inn: The Logjam Attack / weakdh.org
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Major
: ---
Assigned To: Michael Schröder
Security Team bot
Depends on:
Blocks: CVE-2015-4000
  Show dependency treegraph
Reported: 2015-07-21 11:05 UTC by Marcus Meissner
Modified: 2017-03-02 14:10 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-07-21 11:05:37 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

INN uses a DH param selection that would violate logjam constraints.

static DH *tmp_dh_cb(SSL *s UNUSED, int export UNUSED, int keylength)

selects depending on keysize 512, 1024, ...  or bitlength(key) DH parameters.

It should only selects DH parameters >= 1024 bit.

This would happen for customers with old RSA keys < 1024 bits.

Please add:

if (keylength < 1024) keylength = 1024;

at the begin of this function.

(as probably only a small number of customers use inn and use inn with ssl, this can be delayed a bit)
Comment 1 Swamp Workflow Management 2015-07-21 21:59:50 UTC
bugbot adjusting priority