
SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/14 13:06:20
by _ck_
Some kind of big SSL 3.0 bug is coming out in the next 24 hours; we will have to watch and see if centos4 is affected because we won't get an automatic update.

[edit/avij: I pre-emptively split this message to its own topic]

Re: SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/14 21:55:13
by avij
From the jumping-the-gun dept.:

Details about this are still scarce, but assuming the problem is with the SSL protocol version 3, I would consider simply disabling SSLv3 support. In practical terms you'd be throwing out everyone who is still stuck with MSIE6. On the website that I manage, less than 0.2% of users are using MSIE6 (and no, it's not a "Linux users" website). Therefore I didn't feel particularly bad when I disabled SSLv3. Googling for yoursoftware "disable sslv3" will surely give you hints for making the config changes. The successor of SSLv3 is TLS. TLS v1.0 has been around since 1999. It's about time SSL gets buried, IMHO.

Re: SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/15 02:18:00
by _ck_
Right but it is important to get the word out. Some software has its own front facing webserver for admin panels, etc.

Here are the details: it is called the POODLE attack, CVE-2014-3566

http://googleonlinesecurity.blogspot.co ... sl-30.html

(PDF) https://www.openssl.org/~bodo/ssl-poodle.pdf

I guess unlike bash, centos4 is not really a worrisome target.

Re: SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/15 09:42:07
by avij

Re: SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/15 15:57:41
by _ck_
Looks like there was another security issue beyond SSLv3 that does indeed affect the openssl 0.9 in centos4.

Otherwise an attacker could exhaust memory and create a DoS.

https://www.openssl.org/news/secadv_20141015.txt

Session Ticket Memory Leak (CVE-2014-3567)
==========================================
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
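The advisory text quoted above describes a classic early-return leak: the working buffer is released only when the integrity check passes. The following C illustration is added here and is not OpenSSL's code; the ticket layout, the toy MAC and the allocation counter are all constructed so the leak is observable without a real leak detector.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed illustration of the CVE-2014-3567 bug class, not OpenSSL's code:
 * a server copies a session ticket into a heap buffer, checks its integrity,
 * and must release the buffer on BOTH paths. live_allocs counts outstanding
 * buffers so the two shapes can be compared directly. */

static int live_allocs = 0;            /* heap buffers not yet freed */

static void *ticket_alloc(size_t n) { live_allocs++; return malloc(n); }
static void  ticket_free(void *p)   { if (p) { live_allocs--; free(p); } }

/* Toy "MAC" (assumption): the last byte must equal the XOR of all
 * preceding bytes. It stands in for the HMAC a real ticket carries. */
static int ticket_mac_ok(const uint8_t *t, size_t n) {
    uint8_t x = 0;
    if (n < 2) return 0;
    for (size_t i = 0; i + 1 < n; i++) x ^= t[i];
    return x == t[n - 1];
}

/* Leaky shape: return early when the integrity check fails, so the
 * buffer allocated for the ticket is never released. */
int process_ticket_leaky(const uint8_t *t, size_t n) {
    uint8_t *work = ticket_alloc(n);
    if (!work) return -1;
    memcpy(work, t, n);
    if (!ticket_mac_ok(work, n))
        return 0;                       /* BUG: 'work' is never freed */
    ticket_free(work);                  /* only the success path cleans up */
    return 1;
}

/* Fixed shape: one exit path frees the buffer whatever the verdict, so a
 * stream of malformed tickets costs the server nothing but CPU time. */
int process_ticket_fixed(const uint8_t *t, size_t n) {
    uint8_t *work = ticket_alloc(n);
    int ok;
    if (!work) return -1;
    memcpy(work, t, n);
    ok = ticket_mac_ok(work, n);
    ticket_free(work);
    return ok;
}

/* Feed 'rounds' tickets with a wrong MAC byte through 'fn' and report how
 * many buffers are still outstanding: 0 for the fixed code, 'rounds' for
 * the leaky code, which is exactly the resource growth the advisory warns of. */
int leaked_after(int (*fn)(const uint8_t *, size_t), int rounds) {
    const uint8_t bad[] = { 0x01, 0x02, 0x03, 0xFF };   /* constructed, MAC byte wrong */
    live_allocs = 0;
    for (int i = 0; i < rounds; i++) fn(bad, sizeof bad);
    return live_allocs;
}
```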

Re: SSLv3 bug on legacy CentOS 4.x systems

Posted: 2014/10/15 19:12:20
by avij
_ck_ wrote: Looks like there was another security issue beyond SSLv3 that does indeed affect the openssl 0.9 in centos4
Red Hat's bugzilla entry for this CVE says CentOS 5 is not affected, because "openssl-0.9.8e does not include support for session tickets". I would think C4's OpenSSL doesn't support them either.