SSLv3 bug on legacy CentOS 4.x systems

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/14 13:06:20

Some kind of big SSL 3.0 bug is coming out in the next 24 hours; we will have to watch and see if CentOS 4 is affected, because we won't get an automatic update.

[edit/avij: I pre-emptively split this message to its own topic]

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/14 21:55:13

From the jumping-the-gun dept.:

Details about this are still scarce, but assuming the problem is with the SSL protocol version 3, I would consider simply disabling SSLv3 support. In practical terms you'd be throwing out everyone who is still stuck with MSIE6. On the website that I manage, less than 0.2% of users are using MSIE6 (and no, it's not a "Linux users" website). Therefore I didn't feel particularly bad when I disabled SSLv3. Googling for yoursoftware "disable sslv3" will surely give you hints for making the config changes. The successor of SSLv3 is TLS. TLS v1.0 has been around since 1999. It's about time SSL gets buried, IMHO.
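Added example, not from avij's post or from CentOS: a small POSIX sh audit for the protocol directives avij is talking about. The directive names SSLProtocol (Apache mod_ssl) and ssl_protocols (nginx) are real; the config path and the host name are assumptions, and the openssl s_client -ssl3 check only works with an OpenSSL build that still has SSLv3 compiled in, which the 0.9.8 series on CentOS 4 does.

```shell
#!/bin/sh
# Added example, not from the thread. Audits Apache/nginx protocol settings
# for SSLv3, prints the hardened lines, and offers a live post-restart check.

# Apache mod_ssl "SSLProtocol" semantics: tokens apply left to right,
# "all" turns on every protocol the library has (SSLv3 included on 0.9.8),
# "+X"/"X" adds X and "-X" removes it. Returns 0 if SSLv3 is still enabled.
apache_allows_sslv3() {
    state=0
    for tok in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        case "$tok" in
            all|+all|sslv3|+sslv3) state=1 ;;
            -all|-sslv3)           state=0 ;;
        esac
    done
    [ "$state" -eq 1 ]
}

# nginx "ssl_protocols" is a plain allow-list: SSLv3 is on only if listed.
nginx_allows_sslv3() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ';' | tr ' ' '\n' \
        | grep -qx 'sslv3'
}

# The replacement lines: TLS only. On CentOS 4 / OpenSSL 0.9.8 the server
# will only negotiate TLSv1; newer builds add TLSv1.1 and TLSv1.2.
hardened_apache_line() { printf 'SSLProtocol all -SSLv2 -SSLv3\n'; }
hardened_nginx_line()  { printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n'; }

# Live check after the restart: a forced SSLv3 handshake must fail.
# Returns 0 when the server refuses SSLv3. Host and port are placeholders.
sslv3_refused() {
    host=${1:-www.example.com}; port=${2:-443}
    if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
        return 1   # handshake succeeded, SSLv3 is still on
    fi
    return 0
}

# Usage: read the existing directive(s) from the config file (path assumed)
# and report which ones still permit SSLv3.
audit_apache_config() {
    cfg=${1:-/etc/httpd/conf.d/ssl.conf}
    grep -i '^[[:space:]]*SSLProtocol' "$cfg" 2>/dev/null | while read -r _name value; do
        if apache_allows_sslv3 "$value"; then
            echo "SSLv3 ENABLED by: SSLProtocol $value  -> use: $(hardened_apache_line)"
        else
            echo "ok: SSLProtocol $value"
        fi
    done
}
```

Run audit_apache_config against the real ssl.conf, swap in the hardened line, restart httpd, then confirm with sslv3_refused that the forced SSLv3 handshake is rejected.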

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/15 02:18:00

Right but it is important to get the word out. Some software has its own front facing webserver for admin panels, etc.

Here are the details: it is called the POODLE attack, CVE-2014-3566

http://googleonlinesecurity.blogspot.co ... sl-30.html

(PDF) https://www.openssl.org/~bodo/ssl-poodle.pdf

I guess unlike bash, CentOS 4 is not really a worrisome target.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/15 09:42:07


_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/15 15:57:41

Looks like there was another security issue beyond SSLv3 that does indeed affect the OpenSSL 0.9 in CentOS 4.

Otherwise an attacker could exhaust memory and create a DoS.

https://www.openssl.org/news/secadv_20141015.txt

Session Ticket Memory Leak (CVE-2014-3567)
==========================================
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
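Added example, not from the thread or from OpenSSL: a POSIX sh helper that decides from openssl s_client -tlsextdebug output whether a server advertises the session ticket extension (RFC 5077, extension id 35). That is the precondition for CVE-2014-3567 mattering at all: a server that does not support tickets never verifies one, so it never reaches the leaking path. The sample output is constructed, and the line format shown is what s_client -tlsextdebug prints on a client that has TLS extension support; the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a TLS server echoes the
# session ticket extension (RFC 5077, id 35) in its ServerHello, i.e. whether
# it would ever verify a ticket and so be exposed to CVE-2014-3567.

# Parse s_client -tlsextdebug output on stdin. Returns 0 if the server
# accepted the session ticket extension.
server_offers_tickets() {
    grep -qi 'server extension "session ticket"'
}

# Live version: connect and feed the handshake debug output to the parser.
# Host and port are placeholders.
check_server() {
    host=${1:-www.example.com}; port=${2:-443}
    openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>&1 \
        | server_offers_tickets
}

# Constructed samples (not captured from a real host): the extension lines
# s_client -tlsextdebug prints, with and without the ticket extension.
SAMPLE_WITH_TICKETS='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "session ticket" (id=35), len=0
depth=0 CN = www.example.com'

SAMPLE_WITHOUT_TICKETS='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
depth=0 CN = www.example.com'

# Report for a captured transcript: "tickets" or "no tickets".
classify_transcript() {
    if printf '%s\n' "$1" | server_offers_tickets; then
        echo "tickets"
    else
        echo "no tickets"
    fi
}
```

A "no tickets" result means the leak described in the advisory cannot be triggered on that server; a "tickets" result on an 0.9.8 build means the upgrade to 0.9.8zc is the fix, since 0.9.8 has no knob to switch tickets off.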

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/15 19:12:20

_ck_ wrote: Looks like there was another security issue beyond SSLv3 that does indeed affect the OpenSSL 0.9 in CentOS 4.

Red Hat's bugzilla entry for this CVE says CentOS 5 is not affected, because "openssl-0.9.8e does not include support for session tickets". I would think C4's OpenSSL doesn't support them either.
