[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Took me a bit longer, but blogpost is now public and explains the issue in detail including its history and first incomplete fix: https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1510163 Title: Poodle TLS1.0 issue in Trusty (and Precise) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Publishing as a security update now, thanks!
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3

---
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one issue in padding check. Patch created by Hanno Boeck (https://hboeck.de/) (LP: #1510163)

 -- Bryan Quigley  Wed, 25 Nov 2015 21:37:33 +

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: Triaged => Fix Released
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one issue in padding check. Patch created by Hanno Boeck (https://hboeck.de/) (LP: #1510163)

 -- Bryan Quigley  Wed, 25 Nov 2015 21:37:58 +

** Changed in: gnutls26 (Ubuntu Precise)
   Status: Triaged => Fix Released
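The changelog entries above describe the fix as an off-by-one in the padding check. As an added illustration (not GnuTLS code and not the contents of fix_tls_poodle.patch), the C below contrasts a TLS 1.0 CBC padding check whose loop stops one byte short with a check that compares every padding byte. Which byte the real bug skipped is an assumption here, and the function names and sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.0 CBC plaintext ends with N padding bytes of value N, followed by
 * the length byte N itself. The record MAC does not cover these bytes, so
 * each one must be compared. No early exit on a mismatching byte. */
static int check_padding(const uint8_t *rec, size_t len, int strict)
{
    if (len == 0)
        return 0;
    size_t pad = (size_t)rec[len - 1] + 1;   /* padding bytes + length byte */
    if (pad > len)
        return 0;
    /* strict: offsets 2..pad from the end; flawed: stops at pad - 1 */
    size_t last = strict ? pad : pad - 1;
    uint8_t diff = 0;
    for (size_t i = 2; i <= last; i++)
        diff |= (uint8_t)(rec[len - i] ^ rec[len - 1]);
    return diff == 0;
}

/* Hypothetical flawed check: the padding byte furthest from the end is skipped. */
int pad_ok_off_by_one(const uint8_t *rec, size_t len) { return check_padding(rec, len, 0); }

/* Corrected check: all padding bytes are compared. */
int pad_ok_strict(const uint8_t *rec, size_t len) { return check_padding(rec, len, 1); }

/* Constructed records: 12 data/MAC bytes, 3 padding bytes, length byte 3. */
const uint8_t good_rec[16] =
    { 'd','a','t','a','+','m','a','c','.','.','.','.', 3, 3, 3, 3 };
/* Same record with the first padding byte altered in transit. */
const uint8_t tampered_rec[16] =
    { 'd','a','t','a','+','m','a','c','.','.','.','.', 0x7f, 3, 3, 3 };
/* Length byte larger than the record: both checks must reject it. */
const uint8_t overlong_rec[4] = { 0, 0, 0, 0xff };

int main(void)
{
    printf("good:     flawed=%d strict=%d\n",
           pad_ok_off_by_one(good_rec, 16), pad_ok_strict(good_rec, 16));
    printf("tampered: flawed=%d strict=%d\n",
           pad_ok_off_by_one(tampered_rec, 16), pad_ok_strict(tampered_rec, 16));
    return 0;
}
```

A byte the receiver never compares is one an on-path party can change without the record being rejected, which is the kind of acceptance difference the POODLE-against-TLS scanners mentioned in this thread test for.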
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8313

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Changed in: gnutls26 (Ubuntu Precise)
   Status: Confirmed => Triaged

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: Confirmed => Triaged
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Hi Bryan,

Thanks for the debdiffs! Where did you obtain the patch from Hanno Boeck from?

** Also affects: gnutls26 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: gnutls26 (Ubuntu Trusty)
   Importance: Undecided
   Status: New
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Hi Marc,

In a private email, he did mention that he planned to blog about it in the future.
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Changed in: gnutls26 (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: gnutls26 (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: gnutls26 (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: gnutls26 (Ubuntu Precise)
   Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls26 (Ubuntu Trusty)
   Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls26 (Ubuntu)
   Status: New => Fix Released
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Description changed: This issue is present in Trusty and Precise with the stock main gnutls - https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites- tls If I switch cups to use gnutls28-dev on 14.04 the issue appears to go away according to ssllabs. My test case is cups with SSL on. + Reproduction Steps: + launch a new trusty VM + sudo apt-get install cups + Open /etc/cups/cupsd.conf and change just this one section + ... + # Only listen for connections from the local machine. + #Listen localhost:631 + Listen /var/run/cups/cups.sock + + SSLPort 443 + SSLOptions None + ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com + ... + Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/ + + [1] http://pastebin.ubuntu.com/12970857/
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Patch added: "precise debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525422/+files/gnutls26_2.12.14-5ubuntu3.10.debdiff
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Tested both with ssllabs; should go from F rating to C rating - POODLE TLS issue should be gone, but SSLv3 will still be enabled. That's a separate bug - 1505328.

** Patch added: "trusty debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525426/+files/gnutls26_2.12.23-12ubuntu2.3.debdiff
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
Unlike the other cups patch, this gnutls bug I believe should go to security pocket.
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Description changed: - This issue is present in Trusty and Precise with the stock main gnutls - - https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites- - tls - - If I switch cups to use gnutls28-dev on 14.04 the issue appears to go - away according to ssllabs. My test case is cups with SSL on. - - Reproduction Steps: - launch a new trusty VM - sudo apt-get install cups - Open /etc/cups/cupsd.conf and change just this one section - ... - # Only listen for connections from the local machine. - #Listen localhost:631 - Listen /var/run/cups/cups.sock - - SSLPort 443 - SSLOptions None - ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com - ... - Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/ + [Impact] + Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls - [1] http://pastebin.ubuntu.com/12970857/ + [Test Case] + launch a new trusty VM + sudo apt-get install cups + Open /etc/cups/cupsd.conf and change just this one section + ... + # Only listen for connections from the local machine. + #Listen localhost:631 + Listen /var/run/cups/cups.sock + + SSLPort 443 + SSLOptions None + ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com + ... + Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/ + + [Regression Potential] + This is a simple off by one error, that's fixed in all newer versions of gnutls.
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566

** Changed in: gnutls26 (Ubuntu)
   Importance: Undecided => High

** Tags added: poodle
[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)
** Information type changed from Public to Public Security