Hi, It seems that some other vendors like redhat have already addressed this years ago, but there doesn't seem to be a CVE for it. Could someone get a CVE assigned to this?
I don't plan to make the same change to the header, since we would need to rebuild everything to get that option turned off. I plan to just change the library to make that option do nothing. Kurt On Mon, May 18, 2009 at 08:49:39AM +0200, Jürgen Heil wrote: > Hi! > > We ran into this bug during our last Qualys security scan. It is reported as > a Level 3 Vulnerability and as such not compliant to the Payment Card Data > Security Standard (PCI DSS) as required by Visa and Mastercard. > > ============================================= > = Here is the Qualys vulnerability description: > == > > # Diagnosis > Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is > initially established, the first available cipher is used. If a session is > resumed, a different cipher may be chosen if it appears in the passed cipher > list before the session's current cipher. This bug can be used to change > ciphers on the server. OpenSSL contains this bug if the > SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. > This option was introduced for compatibility reasons. The problem arises > when different applications using OpenSSL's libssl library enable all > compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, > thus enabling the bug. > > # Consequence > A malicious legitimate client can enforce a ciphersuite not supported by the > server to be used for a session between the client and the server. This can > result in disclosure of sensitive information. > > # Solution > This problem can be fixed by disabling the SSL OP NETSCAPE REUSE > CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl library. > This can be done by replacing the SSL OP ALL definition in the openssl/ssl.h > file with the following line: > > #define SSL OP ALL (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) > > Unfortunately there is no CVE number. I've found a discussion of this bug on > the OpenSSL developer mailing list. > http://marc.info/?l=openssl-dev&m=109532567028570&w=2 > > Could you be so kind to address this issue in a future openssl/libssl0.9.8 > release? > > Thank you very much! > > Best regards, > > Juergen Heil > > > > > > _______________________________________________ > Pkg-openssl-devel mailing list > pkg-openssl-de...@lists.alioth.debian.org > http://lists.alioth.debian.org/mailman/listinfo/pkg-openssl-devel > -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
