
From: Mikle Kolyada <zlogene@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201404-07 ] OpenSSL: Information Disclosure
Date: Tue, 08 Apr 2014 10:34:46
Message-Id: 5343D195.2030207@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL: Information Disclosure
Date: April 08, 2014
Bugs: #505278, #507074
ID: 201404-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple information disclosure vulnerabilities in OpenSSL allow remote
attackers to obtain sensitive information via various vectors.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
general-purpose cryptography library.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /     Unaffected
-------------------------------------------------------------------
  1  dev-libs/openssl           < 1.0.1g             >= 1.0.1g

Description
===========

Multiple vulnerabilities have been found in OpenSSL:

* OpenSSL incorrectly handles memory in the TLS heartbeat extension (the
  requested payload length is not checked against the data actually
  received), leading to disclosure of up to 64 KB of process memory per
  request, possibly including private keys ("Heartbleed bug",
  OpenSSL 1.0.1 only, CVE-2014-0160).
* The Montgomery ladder implementation of OpenSSL improperly handles
  swap operations, leaking information through a side channel
  (CVE-2014-0076).

Impact
======

A remote attacker could exploit these issues to disclose sensitive
information, including private keys, or perform side-channel attacks to
obtain ECDSA nonces.

Workaround
==========

Disabling the tls-heartbeat USE flag (enabled by default) provides a
workaround for CVE-2014-0160 only; CVE-2014-0076 is not covered by it.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"

Note: All services using OpenSSL to provide TLS connections have to be
restarted for the update to take effect. Utilities like
app-admin/lib_users can aid in identifying programs that still have the
old OpenSSL libraries loaded.

As private keys may have been compromised through the Heartbleed attack,
it is recommended to regenerate them.

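The Resolution above has two checks an administrator actually has to make: is the installed dev-libs/openssl below the 1.0.1g boundary from the Affected packages table, and which processes still have the pre-update library loaded after the emerge. The POSIX sh script below is an added example and is not part of the GLSA or of Gentoo's tooling. It ranks OpenSSL 0.9.x/1.0.x version strings (letter suffixes and Gentoo -rN revisions included) so they can be compared against the fix boundary, and it scans /proc/<pid>/maps-style text for libssl/libcrypto mappings marked "(deleted)", which is how the kernel flags a library replaced on disk after it was loaded, the same signal app-admin/lib_users reports. The function names, the version-ranking scheme and the sample maps lines are constructions of this example.

```shell
#!/bin/sh
# Added example for GLSA 201404-07 (not Gentoo's code): decide whether an
# installed dev-libs/openssl version is below the fix boundary, and find
# processes that still map the pre-update libssl/libcrypto.

# Fix boundary taken from the advisory's "Affected packages" table.
FIXED_VERSION=1.0.1g

# Map an OpenSSL 0.9.x/1.0.x version such as 1.0.1f (optionally with a Gentoo
# -rN revision) to a comparable integer: major.minor.patch become fixed-width
# decimal fields and the letter suffix a rank (a=1 ... z=26, za=27, ...).
# The ranking is our own simplification of how pre-1.1 OpenSSL letter
# releases were ordered.
openssl_version_key() {
    ver=${1%%-r*}              # drop a Gentoo revision like -r1
    num=${ver%%[a-z]*}         # numeric part, e.g. 1.0.1
    suffix=${ver#"$num"}       # letter suffix, e.g. f (may be empty)
    IFS=.; set -- $num; unset IFS
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    rank=0
    while [ -n "$suffix" ]; do
        c=${suffix%"${suffix#?}"}                    # first character
        rank=$(( rank + $(printf '%d' "'$c") - 96 )) # ASCII code -> 1..26
        suffix=${suffix#?}
    done
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + rank ))
}

# True (exit 0) when VERSION is older than the first fixed release.
openssl_vulnerable() {
    [ "$(openssl_version_key "$1")" -lt "$(openssl_version_key "$FIXED_VERSION")" ]
}

# Read /proc/<pid>/maps-style lines on stdin and print each libssl/libcrypto
# path the kernel has marked "(deleted)": the file was replaced on disk after
# the process loaded it, so the process still runs the old code and has to
# be restarted.
stale_openssl_mappings() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

# Constructed sample of one process's /proc/<pid>/maps (not captured from a
# real system): libssl is stale, libcrypto has already been reloaded.
SAMPLE_MAPS='7f2b3c5a0000-7f2b3c600000 r-xp 00000000 08:01 1310922    /usr/lib64/libssl.so.1.0.0 (deleted)
7f2b3c600000-7f2b3c7ff000 ---p 00060000 08:01 1310922    /usr/lib64/libssl.so.1.0.0 (deleted)
7f2b3c800000-7f2b3c9c0000 r-xp 00000000 08:01 1310930    /usr/lib64/libcrypto.so.1.0.0
7f2b3ca00000-7f2b3ca21000 r-xp 00000000 08:01 1048612    /lib64/ld-2.17.so'

for v in 1.0.1f 1.0.1 1.0.1g 1.0.1g-r1 0.9.8y 1.0.2; do
    if openssl_vulnerable "$v"; then
        echo "dev-libs/openssl-$v: vulnerable, upgrade to >=$FIXED_VERSION"
    else
        echo "dev-libs/openssl-$v: unaffected"
    fi
done

printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_mappings |
    sed 's/^/restart needed, stale library still mapped: /'
```

On a live system the second check is run per process, for example `cat /proc/$pid/maps | stale_openssl_mappings` for each pid, after the emerge has finished; an empty result for every pid means no long-running service still carries the vulnerable code. Note that the version check only says whether the package is below the fix boundary; it does not tell you whether tls-heartbeat was enabled in the build.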
References
==========

[ 1 ] CVE-2014-0076
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0076
[ 2 ] CVE-2014-0160
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0160
[ 3 ] Heartbleed bug website
      http://heartbleed.com/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o; alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
