Bugzilla – Bug 890771
VUL-0: CVE-2014-3511: openssl: TLS protocol downgrade attack
Last modified: 2014-09-24 07:37:44 UTC
This CVE was part of the OpenSSL Security Advisory [6 Aug 2014] (bnc#Bug 890759). OpenSSL TLS protocol downgrade attack (CVE-2014-3511) ===================================================== A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. OpenSSL 1.0.1 SSL/TLS server users should upgrade to 1.0.1i. Thanks to David Benjamin and Adam Langley (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 21st July 2014. The fix was developed by David Benjamin.
Created attachment 601527 [details] CVE-2014-3511 fix for the 0.9.8 branch. CVE-2014-3511 was not listed for the 0.9.8 branch inside the security advisory or release notes. Nevertheless there is a commit inside the 0.9.8 branch addressing this issue. https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc4bd2f287582c5f51f9549727fd5a49e9fc3012 openssl-dev ml was pinged to clarify this.
Created attachment 601529 [details] CVE-2014-3511 fix for the 1.0.1 branch.
bugbot adjusting priority
Affected packages: SLE-10-SP3-TERADATA: openssl SLE-11-SP1: openssl SLE-11-SP3: openssl, openssl1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-08-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58532
No need to apply the fix for the 0.9.8 branch, as this is a "TLS protocol downgrade attack". 0.9.8 only supports TLS 1.0 so nothing to downgrade too. Thanks to Rainer Canavan and Tomas Hoger for pointing this out. (it was kind of obvious after reading the answers.)
All packages have been submitted. Reassigning back to security-team.
openSUSE-SU-2014:1052-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 890764,890765,890766,890767,890768,890769,890770,890771,890772 CVE References: CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-5139 Sources used: openSUSE 13.1 (src): openssl-1.0.1i-11.52.1 openSUSE 12.3 (src): openssl-1.0.1i-1.64.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58762
released