Re: Fwd: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]

2016-10-13 Thread Didier 'OdyX' Raboud
On Thursday, 13 October 2016, 10:03:44 CEST, Emilio Pozuelo Monfort wrote:
> You probably wanted to send this to team@security or debian-security@ ?
> 
> If you want this to go through stable (pu) rather than stable-security,
> please file a pu bug against release.debian.org.

Right; thanks. I'll ask the security team first, and go through pu afterwards.

-- 
Cheers,
OdyX



Re: Fwd: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]

2016-10-13 Thread Emilio Pozuelo Monfort
On 10/10/16 11:25, Didier Raboud wrote:
> Re-sending differently, as somehow my MUA messed up this sending in some weird
> way.

Hi,

You probably wanted to send this to team@security or debian-security@ ?

If you want this to go through stable (pu) rather than stable-security, please
file a pu bug against release.debian.org.

Cheers,
Emilio

>  Original Message 
> Subject: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]
> Date: 2016-10-10 10:13
> From: Didier 'OdyX' Raboud 
> To: 839...@bugs.debian.org, debian-release@lists.debian.org
> Cc: Frederic Bonnard 
> 
> Hi again,
> (dropping debian-lts from the loop, as this'd be for stable)
> 
> On Saturday, 1 October 2016, 06:34:28 CEST, Moritz Mühlenhoff wrote:
>> > Have we removed protocols' support in {old,}stable before?
>>
>> We have done that on a case-by-case basis via point updates in the past,
>> seems also fine here.
> 
> Here come:
> - patch;
> str4476-disable-sslv3-and-rc4-by-default.patch
> - git commit series;
> 0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
> 0002-Refresh-patches.patch
> 0003-cups-1.7.5-11-deb8u2-Debian-release.patch
> - and debdiff
> cups_1.7.5-11+deb8u2.debdiff
> 
> Can I upload to jessie-security?
> 



Fwd: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]

2016-10-10 Thread Didier Raboud
Re-sending differently, as somehow my MUA messed up this sending in some
weird way.



 Original Message 
Subject: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE 
[Jessie]

Date: 2016-10-10 10:13
From: Didier 'OdyX' Raboud 
To: 839...@bugs.debian.org, debian-release@lists.debian.org
Cc: Frederic Bonnard 

Hi again,
(dropping debian-lts from the loop, as this'd be for stable)

On Saturday, 1 October 2016, 06:34:28 CEST, Moritz Mühlenhoff wrote:
> > Have we removed protocols' support in {old,}stable before?
>
> We have done that on a case-by-case basis via point updates in the
> past, seems also fine here.


Here come:
- patch;
str4476-disable-sslv3-and-rc4-by-default.patch
- git commit series;
0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
0002-Refresh-patches.patch
0003-cups-1.7.5-11-deb8u2-Debian-release.patch
- and debdiff
cups_1.7.5-11+deb8u2.debdiff

Can I upload to jessie-security?

--
Cheers,
OdyX

Description: Disable SSLv3 and RC4; implement SSLOptions.
  This disables SSLv3 in cups. It also provides 2 configuration
  options to reenable by specifying SSLOptions in the cupsd.conf
  file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
  the RC4 ciphers.
 .
---
Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
Bug: https://www.cups.org/str.php?L4476
Bug-Ubuntu: https://launchpad.net/bugs/1505328
Bug-Debian: https://bugs.debian.org/839226

--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -147,6 +147,10 @@
 #define _HTTP_RESOLVE_FQDN	2	/* Resolve to a FQDN */
 #define _HTTP_RESOLVE_FAXOUT	4	/* Resolve FaxOut service? */
 
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
+#define _HTTP_TLS_ALLOW_RC4	2
+#define _HTTP_TLS_ALLOW_SSL3	4
+
 
 /*
  * Types and functions for SSL support...
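Review bot: the coupling stated in the new comment ("these should be the same values as the CUPSD_SSL_* equivalents") is enforced by nothing but that comment; if the scheduler's CUPSD_SSL_* values ever drift, the wrong flag silently re-enables SSLv3 or RC4. Either share one definition between the two headers or add a compile-time check where both sets of constants are visible. The new values also skip bit 1 (0x1), so a short note on what that bit is reserved for would help whoever adds the next option.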
@@ -425,6 +429,8 @@
 extern int		_httpUpdate(http_t *http, http_status_t *status);
 extern int		_httpWait(http_t *http, int msec, int usessl);
 
+extern void		_httpTLSSetOptions(int options);
+
 
 /*
  * C++ magic...
--- a/cups/http.c
+++ b/cups/http.c
@@ -87,6 +87,8 @@
  * Local globals...
  */
 
+static int		tls_options = 0; /* Options for TLS connections */
+
 static const char * const http_fields[] =
 			{
 			  "Accept-Language",
@@ -5094,6 +5096,10 @@
   context = SSL_CTX_new(SSLv23_client_method());
 
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
+SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
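Review bot: `SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4")` is called without checking its return value, and `-RC4` only removes RC4 from its current position in the list, whereas `!RC4` is the OpenSSL syntax that excludes it permanently, which is what a "disable RC4" default should mean. Suggest `"DEFAULT:!RC4"` plus a check that the call did not return 0 (no cipher left). The untouched comment on the line above, `/* Only use SSLv3 or TLS */`, is now misleading because the two new lines disable SSLv3 unless `_HTTP_TLS_ALLOW_SSL3` is set; update it to say TLS only unless AllowSSL3 is configured.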
@@ -5151,7 +5157,16 @@
   gnutls_certificate_allocate_credentials(credentials);
 
   gnutls_init(&http->tls, GNUTLS_CLIENT);
-  gnutls_set_default_priority(http->tls);
+  if (!tls_options)
+gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
+	   (tls_options & _HTTP_TLS_ALLOW_RC4))
+gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
+  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
+
   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
  strlen(hostname));
   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
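Review bot: the final `else` is reached for any non-zero `tls_options` that has neither `_HTTP_TLS_ALLOW_SSL3` nor `_HTTP_TLS_ALLOW_RC4` set (for example a future bit 1), and in that case it only removes `-VERS-SSL3.0` and leaves ARCFOUR-128 enabled, while the OpenSSL branch above tests each flag independently. Build the priority string from two independent tests (append `:-VERS-SSL3.0` when SSL3 is not allowed and `:-ARCFOUR-128` when RC4 is not allowed) so both back-ends agree, and check the return value of `gnutls_priority_set_direct()`, which can fail on a priority string the installed GnuTLS does not accept and is currently ignored in all four branches.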
@@ -5904,6 +5919,16 @@
 }
 #endif /* HAVE_SSL */
 
+/*
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
+ */
+
+void
+_httpTLSSetOptions(int options)
+{
+  tls_options = options;
+}
+
 
 /*
  * End of "$Id: http.c 11761 2014-03-28 13:04:33Z msweet $".
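Review bot: `_httpTLSSetOptions()` stores `options` unmasked into a process-wide static that the two TLS setup paths above read without any synchronization when a context is created; the function comment should state that it has to be called before any `http_t` is encrypted, and masking the value to `_HTTP_TLS_ALLOW_RC4 | _HTTP_TLS_ALLOW_SSL3` would keep unknown bits from steering the GnuTLS branch selection.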
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -52,7 +52,8 @@
 #endif /* HAVE_GSSAPI */
   const char *cups_anyroot,
   const char *cups_expiredroot,
-  const char *cups_expiredcerts);
+  const char *cups_expiredcerts,
+  int ssl_options);
 
 
 /*
@@ -237,6 +238,9 @@
   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
 
 
+  if (cg->encryption == (http_encryption_t)-1)
+_cupsSetDefaults();
+
   cg->encryption = e;
 
   if (cg->http)
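Review bot: the new `_cupsSetDefaults()` call immediately before `cg->encryption = e` reads as a no-op to anyone who does not already know that the defaults pass is what picks up SSLOptions from client.conf (presumably, given the `ssl_options` argument added to `cups_read_client_conf()` above); a one-line comment saying so would save the next reader a trip through usersys.c.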
@@ -861,6 +865,29 @@
   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
   !cg->user[0] || !cg->ipp_port)
   {
+   /*
+* Look for CUPS_SERVERROOT/client.conf...
+*/
+
+snprintf(filename, sizeof(filename), "%s/client.conf",
+	 cg->cups_serverroot);
+fp = cupsFileOpen(filename, "r");
+   /*
+* Read the configuration file and apply any environment variables; both
+* functions handle NULL cups_file_t pointers...
+*/
+
+cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+#ifdef HAVE_GSSAPI
+		  cups_gssservicename,
+#endif /* HAVE_GSSAPI */
+			  cups_anyroot, cups_expiredroot,
+
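Review bot: this hunk is cut off after `cups_anyroot, cups_expiredroot,`, so the new `ssl_options` argument to `cups_read_client_conf()` and the matching `cupsFileClose(fp)` cannot be checked here; on the visible part, the `cupsFileOpen()` result is passed through relying on the "both functions handle NULL" comment, and a blank line between `fp = cupsFileOpen(filename, "r");` and the comment block that follows would match the style of the surrounding code.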