[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-30 Thread Hanno Böck
Took me a bit longer, but blogpost is now public and explains the issue in 
detail including its history and first incomplete fix:
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1510163

Title:
  Poodle TLS1.0 issue in Trusty (and Precise)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-30 Thread Marc Deslauriers
Publishing as a security update now, thanks!



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-30 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3

---
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley   Wed, 25 Nov 2015 21:37:33 +

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: Triaged => Fix Released



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-30 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley   Wed, 25 Nov 2015 21:37:58 +

** Changed in: gnutls26 (Ubuntu Precise)
   Status: Triaged => Fix Released
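
The two changelog entries above describe the fix as an off-by-one in the padding check. As an added illustration (not the gnutls source and not the contents of fix_tls_poodle.patch; the function names and sample records are constructed here), this C contrasts a TLS 1.0 CBC padding check whose loop stops one byte early with the full check:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.0 CBC plaintext ends with n padding bytes of value n followed by
 * one length byte of value n, so n + 1 trailing bytes must all equal n. */

/* Constructed 16-byte record: 12 payload bytes, then n = 3. */
static const uint8_t GOOD[16]     = {'p','a','y','l','o','a','d','+','m','a','c','.',
                                     3, 3, 3, 3};
/* Same record with the first padding byte altered. */
static const uint8_t TAMPERED[16] = {'p','a','y','l','o','a','d','+','m','a','c','.',
                                     0xAA, 3, 3, 3};

/* Illustrative off-by-one: the loop bound stops one byte short, so the
 * padding byte farthest from the end of the record is never compared. */
int padding_ok_off_by_one(const uint8_t *rec, size_t len)
{
    if (len == 0) return 0;
    size_t pad = (size_t)rec[len - 1] + 1;   /* padding bytes + length byte */
    if (pad > len) return 0;                 /* padding longer than record */
    uint8_t diff = 0;
    for (size_t i = 2; i < pad; i++)         /* bug: should be i <= pad */
        diff |= rec[len - i] ^ rec[len - 1];
    return diff == 0;
}

/* Full check: every padding byte is compared with the length byte. */
int padding_ok(const uint8_t *rec, size_t len)
{
    if (len == 0) return 0;
    size_t pad = (size_t)rec[len - 1] + 1;
    if (pad > len) return 0;
    uint8_t diff = 0;
    for (size_t i = 2; i <= pad; i++)
        diff |= rec[len - i] ^ rec[len - 1];
    return diff == 0;
}

int main(void)
{
    printf("intact:   off-by-one=%d full=%d\n",
           padding_ok_off_by_one(GOOD, sizeof GOOD), padding_ok(GOOD, sizeof GOOD));
    printf("tampered: off-by-one=%d full=%d\n",
           padding_ok_off_by_one(TAMPERED, sizeof TAMPERED),
           padding_ok(TAMPERED, sizeof TAMPERED));
    return 0;
}
```

The tampered record is accepted by the first function and rejected by the second; a padding byte the receiver never inspects can be changed in transit without the record being refused.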



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-30 Thread Mathew Hodson
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8313

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-26 Thread Mathew Hodson
** Changed in: gnutls26 (Ubuntu Precise)
   Status: Confirmed => Triaged

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: Confirmed => Triaged



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-26 Thread Marc Deslauriers
Hi Bryan,

Thanks for the debdiffs!

Where did you obtain the patch from Hanno Boeck?

** Also affects: gnutls26 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: gnutls26 (Ubuntu Trusty)
   Importance: Undecided
   Status: New



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-26 Thread Bryan Quigley
Hi Marc,

In a private email, he did mention that he planned to blog about it in
the future.



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-26 Thread Marc Deslauriers
** Changed in: gnutls26 (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: gnutls26 (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: gnutls26 (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: gnutls26 (Ubuntu Precise)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls26 (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls26 (Ubuntu)
   Status: New => Fix Released



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-25 Thread Bryan Quigley
** Description changed:

  This issue is present in Trusty and Precise with the stock main gnutls -
  https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-
  tls
  
  If I switch cups to use gnutls28-dev on 14.04 the issue appears to go
  away according to ssllabs.   My test case is cups with SSL on.
  
+ Reproduction Steps:
+ launch a new trusty VM 
+ sudo apt-get install cups 
+ Open /etc/cups/cupsd.conf and change just this one section 
+ ... 
+ # Only listen for connections from the local machine. 
+ #Listen localhost:631 
+ Listen /var/run/cups/cups.sock 
+ 
+ SSLPort 443 
+ SSLOptions None 
+ ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com 
+ ... 
+ Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/ 
+ 
+ 
  [1] http://pastebin.ubuntu.com/12970857/
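
Review bot: the added ServerAlias line hard-codes a host-specific name (127.35.213.162.lcy-02.canonistack.canonical.com), so the steps will not work as written on the "new trusty VM" they start from. Mark it as a placeholder for the tester's own externally resolvable hostname, and say which part of cupsd.conf "this one section" refers to, since the surrounding lines are elided with "...".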



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-25 Thread Bryan Quigley
** Patch added: "precise debdiff"
   https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525422/+files/gnutls26_2.12.14-5ubuntu3.10.debdiff



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-25 Thread Bryan Quigley
Tested both with ssllabs; they should go from an F rating to a C rating.
The POODLE TLS issue should be gone, but SSLv3 will still be enabled.
That's a separate bug - 1505328.

** Patch added: "trusty debdiff"
   https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525426/+files/gnutls26_2.12.23-12ubuntu2.3.debdiff



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-25 Thread Bryan Quigley
Unlike the other cups patch, this gnutls bug I believe should go to
security pocket.



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-25 Thread Bryan Quigley
** Description changed:

- This issue is present in Trusty and Precise with the stock main gnutls -
- https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-
- tls
- 
- If I switch cups to use gnutls28-dev on 14.04 the issue appears to go
- away according to ssllabs.   My test case is cups with SSL on.
- 
- Reproduction Steps:
- launch a new trusty VM 
- sudo apt-get install cups 
- Open /etc/cups/cupsd.conf and change just this one section 
- ... 
- # Only listen for connections from the local machine. 
- #Listen localhost:631 
- Listen /var/run/cups/cups.sock 
- 
- SSLPort 443 
- SSLOptions None 
- ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com 
- ... 
- Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/ 
+ [Impact] 
+ Gnutls is affected by the Poodle TLS exploit 
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  
  
- [1] http://pastebin.ubuntu.com/12970857/
+ [Test Case]
+ launch a new trusty VM
+ sudo apt-get install cups
+ Open /etc/cups/cupsd.conf and change just this one section
+ ...
+ # Only listen for connections from the local machine.
+ #Listen localhost:631
+ Listen /var/run/cups/cups.sock
+ 
+ SSLPort 443
+ SSLOptions None
+ ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
+ ...
+ Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/
+ 
+ [Regression Potential] 
+ This is a simple off by one error, that's fixed in all newer versions of 
gnutls.
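
Review bot: [Test Case] stops at "run the ssllabs test" without an expected result; add what the scan should report before and after the update so a verifier can tell pass from fail. [Regression Potential] describes the bug ("a simple off by one error") rather than what could break once the check is corrected, and the rewrite drops the earlier observation that building cups against gnutls28-dev on 14.04 makes the issue go away, which is worth keeping as supporting evidence.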



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-11-08 Thread Mathew Hodson
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566

** Changed in: gnutls26 (Ubuntu)
   Importance: Undecided => High

** Tags added: poodle



[Bug 1510163] Re: Poodle TLS1.0 issue in Trusty (and Precise)

2015-10-29 Thread Bryan Quigley
** Information type changed from Public to Public Security
