Poodle TLS1.0 issue in Trusty (and Precise)

Bug #1510163 reported by Bryan Quigley
Affects                Status         Importance   Assigned to         Milestone
gnutls26 (Ubuntu)      Fix Released   High         Unassigned
  Precise              Fix Released   High         Marc Deslauriers
  Trusty               Fix Released   High         Marc Deslauriers

Bug Description

[Impact]
Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

[Test Case]
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
...
# Only listen for connections from the local machine.
#Listen localhost:631
Listen /var/run/cups/cups.sock

SSLPort 443
SSLOptions None
ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/

[Regression Potential]
This is a simple off-by-one error that is fixed in all newer versions of gnutls.
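The bug class named above, as an added illustration that is not GnuTLS's code: a TLS 1.0 CBC padding check on a decrypted record whose loop stops one byte early, next to the corrected loop. The record layout, the 20-byte MAC length and the sample bytes are constructed assumptions.

```python
# Illustrative TLS 1.0 CBC padding check (added example, not GnuTLS code).
# A decrypted CBC record ends with the MAC, then pad_len bytes each equal to
# pad_len, then one final byte holding pad_len. A correct check compares all
# pad_len + 1 trailing bytes; a loop that stops one byte early leaves the
# padding byte farthest from the end unverified.

MAC_LEN = 20  # HMAC-SHA1 length for TLS 1.0 suites (assumed for the example)

def make_record(payload: bytes, mac: bytes, pad_len: int) -> bytes:
    """Constructed decrypted record: payload, MAC, pad_len copies of pad_len,
    then the pad_len byte itself."""
    return payload + mac + bytes([pad_len]) * (pad_len + 1)

def padding_ok_off_by_one(record: bytes) -> bool:
    """Vulnerable variant: the loop ends at pad_len, so the byte at offset
    -(pad_len + 1) is never compared."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return False
    for i in range(2, pad_len + 1):  # covers offsets -2 .. -pad_len only
        if record[-i] != pad_len:
            return False
    return True

def padding_ok_fixed(record: bytes) -> bool:
    """Corrected variant: every one of the pad_len padding bytes must equal pad_len."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return False
    for i in range(2, pad_len + 2):  # covers offsets -2 .. -(pad_len + 1)
        if record[-i] != pad_len:
            return False
    return True

def demo() -> dict:
    """One corrupted padding byte passes the off-by-one check but not the fixed one."""
    mac = bytes(MAC_LEN)  # placeholder MAC; a real receiver verifies it as well
    good = make_record(b"constructed payload", mac, 5)
    tampered = bytearray(good)
    tampered[-6] ^= 0xFF  # the single byte only the corrected loop examines
    tampered = bytes(tampered)
    return {
        "good_vuln": padding_ok_off_by_one(good),
        "good_fixed": padding_ok_fixed(good),
        "tampered_vuln": padding_ok_off_by_one(tampered),
        "tampered_fixed": padding_ok_fixed(tampered),
    }
```

The early returns above are not constant-time; a production implementation must also avoid timing oracles, which this example does not address.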

tags: added: precise trusty
information type: Public → Public Security
Mathew Hodson (mhodson)
Changed in gnutls26 (Ubuntu):
importance: Undecided → High
tags: added: poodle
description: updated
description: updated
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Tested both with ssllabs: should go from F rating to C rating - the POODLE TLS issue should be gone, but SSLv3 will still be enabled. That's a separate bug - 1505328.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Unlike the other cups patch, this gnutls bug I believe should go to the security pocket.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi Bryan,

Thanks for the debdiffs!

Where did you obtain the patch from Hanno Boeck?

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Hi Marc,

In a private email; he did mention that he planned to blog about it in the future.

Changed in gnutls26 (Ubuntu Precise):
status: New → Confirmed
Changed in gnutls26 (Ubuntu Trusty):
status: New → Confirmed
Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → High
Changed in gnutls26 (Ubuntu Trusty):
importance: Undecided → High
Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu):
status: New → Fix Released
Mathew Hodson (mhodson)
Changed in gnutls26 (Ubuntu Precise):
status: Confirmed → Triaged
Changed in gnutls26 (Ubuntu Trusty):
status: Confirmed → Triaged
Revision history for this message
Hanno Böck (hanno-hboeck) wrote :

Took me a bit longer, but the blogpost is now public and explains the issue in detail, including its history and the first incomplete fix:
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3

---------------
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:33 +0000

Changed in gnutls26 (Ubuntu Trusty):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---------------
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

 -- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:58 +0000

Changed in gnutls26 (Ubuntu Precise):
status: Triaged → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Publishing as a security update now, thanks!
