Poodle TLS1.0 issue in Trusty (and Precise)

Bug #1510163 reported by Bryan Quigley on 2015-10-26
Affects                   Status  Importance  Assigned to       Milestone
gnutls26 (Ubuntu)                 High        Unassigned
  Precise                         High        Marc Deslauriers
  Trusty                          High        Marc Deslauriers

Bug Description

[Impact]
Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

[Test Case]
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
...
# Only listen for connections from the local machine.
#Listen localhost:631
Listen /var/run/cups/cups.sock

SSLPort 443
SSLOptions None
ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/

[Regression Potential]
This is a simple off-by-one error that's fixed in all newer versions of gnutls.
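As an added illustration of the class of bug this report describes (an off-by-one in the CBC padding check), not GnuTLS code or the patch by Hanno Böck, the following compares a buggy padding check with a fixed one. The function names and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustration, not GnuTLS code: a TLS 1.0 CBC padding check.
 * After decryption a CBC record ends in pad_len + 1 bytes, every one of
 * which must equal pad_len (RFC 2246 section 6.2.3.2). An implementation
 * that leaves padding bytes unchecked behaves differently on tampered
 * records, which is the padding-oracle condition POODLE relies on.
 * Both functions return 1 for valid padding and 0 for invalid padding. */

/* Buggy variant: the loop bound is one short, so the padding byte
 * farthest from the end (rec[len - 1 - pad]) is never compared. */
int padding_ok_buggy(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len)          /* padding cannot exceed the record */
        return 0;
    for (size_t i = 0; i < pad; i++)    /* BUG: should be i <= pad */
        if (rec[len - 1 - i] != pad)
            return 0;
    return 1;
}

/* Fixed variant: all pad + 1 trailing bytes are checked. Mismatches are
 * accumulated rather than returned early so the time taken does not
 * depend on which byte is wrong. */
int padding_ok_fixed(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len)
        return 0;
    uint8_t bad = 0;
    for (size_t i = 0; i <= pad; i++)
        bad |= rec[len - 1 - i] ^ pad;
    return bad == 0;
}

/* Constructed sample records: two plaintext bytes followed by six padding
 * bytes (pad_len = 5, so the six trailing bytes must all be 0x05). In the
 * tampered record the first padding byte has been changed to 0x00. */
#define SAMPLE_LEN 8
static const uint8_t good_record[SAMPLE_LEN]     = {'h', 'i', 5, 5, 5, 5, 5, 5};
static const uint8_t tampered_record[SAMPLE_LEN] = {'h', 'i', 0, 5, 5, 5, 5, 5};

int main(void)
{
    printf("good:     buggy=%d fixed=%d\n",
           padding_ok_buggy(good_record, SAMPLE_LEN),
           padding_ok_fixed(good_record, SAMPLE_LEN));
    printf("tampered: buggy=%d fixed=%d\n",
           padding_ok_buggy(tampered_record, SAMPLE_LEN),
           padding_ok_fixed(tampered_record, SAMPLE_LEN));
    return 0;
}
```

The buggy check accepts the tampered record because the byte it skips is exactly the one that was modified; the fixed check rejects it. The fix is the single loop bound, which is why the regression potential above is described as low.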

tags: added: precise trusty
information type: Public → Public Security
Changed in gnutls26 (Ubuntu):
importance: Undecided → High
tags: added: poodle
description: updated
description: updated
Bryan Quigley (bryanquigley) wrote :

Tested both with ssllabs; the rating should go from F to C. The POODLE TLS issue should be gone, but SSLv3 will still be enabled. That's a separate bug - 1505328.

Bryan Quigley (bryanquigley) wrote :

Unlike the other cups patch, this gnutls bug I believe should go to security pocket.

Marc Deslauriers (mdeslaur) wrote :

Hi Bryan,

Thanks for the debdiffs!

Where did you obtain the patch from Hanno Boeck?

Bryan Quigley (bryanquigley) wrote :

Hi Marc,

In a private email; he did mention that he planned to blog about it in the future.

Changed in gnutls26 (Ubuntu Precise):
status: New → Confirmed
Changed in gnutls26 (Ubuntu Trusty):
status: New → Confirmed
Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → High
Changed in gnutls26 (Ubuntu Trusty):
importance: Undecided → High
Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu):
status: New → Fix Released
Changed in gnutls26 (Ubuntu Precise):
status: Confirmed → Triaged
Changed in gnutls26 (Ubuntu Trusty):
status: Confirmed → Triaged
Hanno Böck (hanno-hboeck) wrote :

Took me a bit longer, but the blog post is now public and explains the issue in detail, including its history and the first incomplete fix:
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3

---------------
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:33 +0000

Changed in gnutls26 (Ubuntu Trusty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---------------
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:58 +0000

Changed in gnutls26 (Ubuntu Precise):
status: Triaged → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Publishing as a security update now, thanks!
