[Bug 803004] New: openSSL 1.0.1d breaks most, if not all, SSL connections
https://bugzilla.novell.com/show_bug.cgi?id=803004#c0

Summary: openSSL 1.0.1d breaks most, if not all, SSL connections
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: lbeltrame@kde.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux) KHTML/4.10.60 (like Gecko) Konqueror/4.10

With the update of openSSL to 1.0.1d, I found that most KDE applications were unable to use SSL because of spurious data being inserted into the data stream, causing malformed replies. Furthermore, deeper checking showed that ANY application using SSL was failing (tested with browsers such as lynx and links).

Reverting to 1.0.1c fixed the issue.

Reproducible: Always

Steps to Reproduce:
1. Run "links https://bugs.kde.org" with openSSL 1.0.1d

Actual Results:
links displays garbage, unless openSSL is reverted to 1.0.1c

Expected Results:
links and SSL using applications should work correctly

( Running latest Factory

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=803004#c1

Luca Beltrame <lbeltrame@kde.org> changed:

What     |Removed |Added
----------------------------------------------------------------------------
See Also |        |https://bugs.gentoo.org/show_bug.cgi?id=456108

--- Comment #1 from Luca Beltrame <lbeltrame@kde.org> 2013-02-10 20:24:37 UTC ---
It looks similar to a bug report in Gentoo, with a provided patch:
https://bugs.gentoo.org/show_bug.cgi?id=456108

Also some references upstream about regressions:
http://marc.info/?l=openssl-dev&m=136027800219045&w=2
http://marc.info/?l=openssl-dev&m=136027218016787&w=2

https://bugzilla.novell.com/show_bug.cgi?id=803004#c2

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

What             |Removed       |Added
----------------------------------------------------------------------------
Priority         |P5 - None     |P1 - Urgent
Component        |Basesystem    |Basesystem
Version          |Final         |Factory
Product          |openSUSE 12.1 |openSUSE 12.3
Target Milestone |---           |RC 2
Severity         |Major         |Critical

--- Comment #2 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2013-02-10 20:44:23 UTC ---
Added upstream fix for this huge regression in review request 155056 to Base:System, should be also forwarded to 12.3 ASAP.
I didn't experience the issue(s) as Luca did, however it did render NetworkManager unusable, disconnecting every 10 seconds.

https://bugzilla.novell.com/show_bug.cgi?id=803004#c3

Marcus Meissner <meissner@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |meissner@suse.com

--- Comment #3 from Marcus Meissner <meissner@suse.com> 2013-02-10 21:38:51 UTC ---
I forwarded it. Thanks for the heads up, this is annoying :/

https://bugzilla.novell.com/show_bug.cgi?id=803004#c4

Cristian Rodríguez <crrodriguez@opensuse.org> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Blocker |---     |Yes

--- Comment #4 from Cristian Rodríguez <crrodriguez@opensuse.org> 2013-02-10 21:15:21 CLST ---
(In reply to comment #3)
> I forwarded it. Thanks for the heads up, this is annoying :/

The most annoying part is that the testsuite when run in the OBS did not catch it. :-|

https://bugzilla.novell.com/show_bug.cgi?id=803004#c5

--- Comment #5 from Cristian Rodríguez <crrodriguez@opensuse.org> 2013-02-10 21:43:32 CLST ---
Ok, attempting to reproduce with links also reveals that it is trying SSL compression and that is already compromised since CVE-2012-4929 (fixed in sr 155069)

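The observation in Comment #5 (a client "trying SSL compression") can be checked from a captured ClientHello. The following is an added example, not part of the bug thread or of any project named in it: it parses a ClientHello record and reports any non-null compression method offered, the condition behind CVE-2012-4929. Function names and the sample bytes are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
# Added example: names and sample bytes are constructed, not taken from the bug thread.
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE", 64: "LZS"}  # IANA TLS compression IDs


def offered_compression(record):
    """Return the compression method IDs offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # skip cipher_suites
        count = hello[pos]                # length of compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    methods = hello[pos + 1:pos + 1 + count]
    if count == 0 or len(methods) != count:
        raise ValueError("malformed compression_methods")
    return list(methods)


def compression_findings(record):
    """Names of non-null methods offered; any entry means compression is being tried."""
    return [COMPRESSION_NAMES.get(m, "unknown(%d)" % m)
            for m in offered_compression(record) if m != 0]


def build_client_hello(methods):
    """Constructed minimal ClientHello (TLS 1.2, one cipher suite, no extensions)."""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session_id
             + b"\x00\x02\x00\x2f"                # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + bytes([len(methods)]) + methods)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    print(compression_findings(build_client_hello(b"\x01\x00")))  # offers DEFLATE
    print(compression_findings(build_client_hello(b"\x00")))      # null only
```
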
https://bugzilla.novell.com/show_bug.cgi?id=803004#c6

Marcus Meissner <meissner@suse.com> changed:

What       |Removed                                   |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com |shchang@suse.com

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-02-11 10:13:21 UTC ---
Shawn, mostly FYI ... I already forwarded the mentioned fix.

https://bugzilla.novell.com/show_bug.cgi?id=803004#c7

--- Comment #7 from Shawn Chang <shchang@suse.com> 2013-02-11 11:00:27 UTC ---
Hi Marcus,

submit-request 155056 has already added the upstream fix for this issue. Is there anything I can do?

https://bugzilla.novell.com/show_bug.cgi?id=803004#c8

Andreas Jaeger <aj@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |aj@suse.com

--- Comment #8 from Andreas Jaeger <aj@suse.com> 2013-02-11 11:05:59 UTC ---
*** Bug 803023 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=803023

https://bugzilla.novell.com/show_bug.cgi?id=803004#c9

Shawn Chang <shchang@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED

--- Comment #9 from Shawn Chang <shchang@suse.com> 2013-02-11 12:59:45 UTC ---
request 155056 has been accepted. I'm closing this bug...

https://bugzilla.novell.com/show_bug.cgi?id=803004#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-12 10:00:08 CET ---
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/155179 Factory / openssl

https://bugzilla.novell.com/show_bug.cgi?id=803004

Swamp Workflow Management <swamp@suse.de> changed:

What              |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard |        |obs:running:1344:moderate

https://bugzilla.novell.com/show_bug.cgi?id=803004#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-16 11:00:32 CET ---
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/155587 Maintenance /

https://bugzilla.novell.com/show_bug.cgi?id=803004#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-24 13:00:07 CET ---
This is an autogenerated message for OBS integration:
This bug (803004) was mentioned in
https://build.opensuse.org/request/show/156242 Factory / links

https://bugzilla.novell.com/show_bug.cgi?id=803004#c13

--- Comment #13 from Swamp Workflow Management <swamp@suse.de> 2013-02-25 10:05:59 UTC ---
openSUSE-SU-2013:0337-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 757773,802184,802746,803004
CVE References: CVE-2012-2686,CVE-2013-0166,CVE-2013-0169
Sources used:
openSUSE 12.2 (src): openssl-1.0.1e-2.8.1

https://bugzilla.novell.com/show_bug.cgi?id=803004#c14

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> 2014-02-18 14:05:27 UTC ---
openSUSE-RU-2014:0249-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 670526,720601,784994,793420,802184,803004,849377,856687,857203
CVE References: CVE-2011-0014,CVE-2012-4929,CVE-2013-6449,CVE-2013-6450
Sources used:
openSUSE 11.4 (src): openssh-5.8p1-7.2, openssh-askpass-gnome-5.8p1-7.1, openssl-1.0.1e-53.1

http://bugzilla.novell.com/show_bug.cgi?id=803004

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                   |Added
----------------------------------------------------------------------------
Whiteboard |obs:running:1344:moderate |