Bug 938906 - VUL-0: nrpe: The Logjam Attack / weakdh.org
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Lars Vogdt
QA Contact: Security Team bot
Whiteboard: maint:planned:update
Depends on:
Blocks: CVE-2015-4000
Reported: 2015-07-21 11:13 UTC by Marcus Meissner
Modified: 2023-03-16 08:22 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
dhparamselect.c (2.13 KB, text/x-csrc)
2015-07-21 11:21 UTC, Marcus Meissner

Description Marcus Meissner 2015-07-21 11:13:03 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

nrpe uses hardcoded 512-bit DH parameters.

src/nrpe.c

                /* ADDED 01/19/2004 */
                /* use only TLSv1 protocol */
                SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

                /* use anonymous DH ciphers */
                SSL_CTX_set_cipher_list(ctx,"ADH");
                dh=get_dh512();
                SSL_CTX_set_tmp_dh(ctx,dh);
                DH_free(dh);


Use DH parameters of at least 1024 bits, if not 2048.
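The report above boils down to the size of the Diffie-Hellman modulus handed to SSL_CTX_set_tmp_dh(). The following script is an added example and not part of the bug report or of nrpe: it parses a "DH PARAMETERS" PEM block (the PKCS#3 format that `openssl dhparam` writes, and the format one would use to replace the compiled-in get_dh512() table) and reports the modulus bit length together with the verdict the report implies: below 1024 bits is weak, 1024 to 2047 bits is the stated minimum, 2048 bits or more is the recommended size. The sample parameter sets are constructed in the script from moduli of the right bit length only; they are not real safe primes and must not be used as actual DH parameters, since the check only looks at the size.

```python
import base64
import re

# PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER,
#                                    privateValueLength INTEGER OPTIONAL }


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(*items):
    content = b"".join(items)
    return b"\x30" + _der_len(len(content)) + content


def encode_dh_params_pem(p, g):
    """Wrap (p, g) as a 'DH PARAMETERS' PEM block, 64 base64 chars per line."""
    b64 = base64.b64encode(_der_seq(_der_int(p), _der_int(g))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for one DER TLV."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(der):
    """Parse a PKCS#3 DHParameter DER blob into (p, g); privateValueLength is ignored."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, p_bytes, pos = _read_tlv(content, 0)
    if tag != 0x02 or p_bytes[0] & 0x80:
        raise ValueError("prime is not a positive INTEGER")
    tag, g_bytes, pos = _read_tlv(content, pos)
    if tag != 0x02:
        raise ValueError("base is not an INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def pem_to_der(pem_text):
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def classify_dh_bits(bits):
    """Thresholds taken from the report: at least 1024 bits, preferably 2048."""
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "minimum"
    return "recommended"


def audit_dh_pem(pem_text):
    """Return (modulus bit length, verdict) for a DH PARAMETERS PEM block."""
    p, _g = decode_dh_params(pem_to_der(pem_text))
    bits = p.bit_length()
    return bits, classify_dh_bits(bits)


# Constructed sample inputs: moduli of the right size only, NOT real primes.
NRPE_LIKE_512 = encode_dh_params_pem((1 << 511) | 1, 2)   # what get_dh512() amounts to
STRONG_2048 = encode_dh_params_pem((1 << 2047) | 1, 2)    # the recommended size

if __name__ == "__main__":
    for name, pem in (("512-bit sample", NRPE_LIKE_512), ("2048-bit sample", STRONG_2048)):
        bits, verdict = audit_dh_pem(pem)
        print(f"{name}: p is {bits} bits -> {verdict}")
```

To check a real file, read it and pass its contents to audit_dh_pem(); the same parser accepts the output of `openssl dhparam -out dh2048.pem 2048`, which also carries the optional third field that the decoder skips.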
Comment 1 Marcus Meissner 2015-07-21 11:21:45 UTC
Created attachment 641539 [details]
dhparamselect.c

Extract of the sample DH parameter selection code from Apache2 2.4.10.
Comment 2 Swamp Workflow Management 2015-07-21 22:00:01 UTC
bugbot adjusting priority
Comment 6 Johannes Segitz 2018-02-15 14:13:25 UTC
Lars, please submit for this. Thank you.
Comment 7 Johannes Segitz 2018-02-28 12:35:15 UTC
Ping. Please submit.
Comment 12 Lars Vogdt 2018-06-04 18:03:05 UTC
Leap 42.3 => 614056
Comment 13 Lars Vogdt 2018-06-04 18:04:08 UTC
SLE12-SP4 => (In reply to Lars Vogdt from comment #12)
> Leap 42.3 => 614056

Oops, sorry! Was: 614057
Comment 15 Swamp Workflow Management 2018-06-04 18:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (938906) was mentioned in
https://build.opensuse.org/request/show/614056 Factory / nrpe
Comment 17 Lars Vogdt 2018-06-04 18:38:15 UTC
^ Done from my side, handing over to the maintenance team.
Comment 19 Swamp Workflow Management 2018-06-20 19:11:23 UTC
SUSE-SU-2018:1768-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 938906
CVE References: CVE-2015-4000
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    nagios-nrpe-2.12-24.4.10.3.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    nagios-nrpe-2.12-24.4.10.3.3
Comment 24 Maintenance Automation 2023-03-01 16:30:08 UTC
SUSE-SU-2023:0586-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 931600, 938906
CVE References: CVE-2015-4000
Sources used:
SUSE OpenStack Cloud 9 (src): nrpe-2.15-6.3.1
SUSE OpenStack Cloud Crowbar 9 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server 12 SP5 (src): nrpe-2.15-6.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): nrpe-2.15-6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Lars Vogdt 2023-03-16 08:22:52 UTC
Looks like the maintenance bot is not working as I expected. Closing here.