Activity log for bug #1510163

Date Who What changed Old value New value Message
2015-10-26 16:02:33 Bryan Quigley bug added bug
2015-10-26 16:04:30 Bryan Quigley tags precise trusty
2015-10-29 19:36:44 Bryan Quigley information type Public Public Security
2015-11-09 04:05:23 Mathew Hodson cve linked 2014-3566
2015-11-09 04:07:24 Mathew Hodson gnutls26 (Ubuntu): importance Undecided High
2015-11-09 04:08:05 Mathew Hodson tags precise trusty poodle precise trusty
2015-11-25 16:49:48 Bryan Quigley description
Old value:
This issue is present in Trusty and Precise with the stock main gnutls - https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
If I switch cups to use gnutls28-dev on 14.04 the issue appears to go away according to ssllabs. My test case is cups with SSL on.
[1] http://pastebin.ubuntu.com/12970857/
New value:
This issue is present in Trusty and Precise with the stock main gnutls - https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
If I switch cups to use gnutls28-dev on 14.04 the issue appears to go away according to ssllabs. My test case is cups with SSL on.
Reproduction Steps:
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
    ...
    # Only listen for connections from the local machine.
    #Listen localhost:631
    Listen /var/run/cups/cups.sock
    SSLPort 443
    SSLOptions None
    ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
    ...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/
[1] http://pastebin.ubuntu.com/12970857/
2015-11-25 20:31:06 Bryan Quigley description
Old value:
This issue is present in Trusty and Precise with the stock main gnutls - https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
If I switch cups to use gnutls28-dev on 14.04 the issue appears to go away according to ssllabs. My test case is cups with SSL on.
Reproduction Steps:
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
    ...
    # Only listen for connections from the local machine.
    #Listen localhost:631
    Listen /var/run/cups/cups.sock
    SSLPort 443
    SSLOptions None
    ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
    ...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/
[1] http://pastebin.ubuntu.com/12970857/
New value:
[Impact]
Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
[Test Case]
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
    ...
    # Only listen for connections from the local machine.
    #Listen localhost:631
    Listen /var/run/cups/cups.sock
    SSLPort 443
    SSLOptions None
    ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
    ...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/
[Regression Potential]
This is a simple off-by-one error that's fixed in all newer versions of gnutls.
2015-11-25 21:51:49 Bryan Quigley attachment added precise debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525422/+files/gnutls26_2.12.14-5ubuntu3.10.debdiff
2015-11-25 21:54:19 Bryan Quigley attachment added trusty debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163/+attachment/4525426/+files/gnutls26_2.12.23-12ubuntu2.3.debdiff
2015-11-25 21:54:57 Bryan Quigley nominated for series Ubuntu Precise
2015-11-25 21:54:57 Bryan Quigley nominated for series Ubuntu Trusty
2015-11-25 21:55:16 Bryan Quigley bug added subscriber Ubuntu Security Sponsors Team
2015-11-26 12:03:34 Marc Deslauriers bug task added gnutls26 (Ubuntu Precise)
2015-11-26 12:03:40 Marc Deslauriers bug task added gnutls26 (Ubuntu Trusty)
2015-11-26 16:51:35 Marc Deslauriers gnutls26 (Ubuntu Precise): status New Confirmed
2015-11-26 16:51:38 Marc Deslauriers gnutls26 (Ubuntu Trusty): status New Confirmed
2015-11-26 16:51:42 Marc Deslauriers gnutls26 (Ubuntu Precise): importance Undecided High
2015-11-26 16:51:44 Marc Deslauriers gnutls26 (Ubuntu Trusty): importance Undecided High
2015-11-26 16:51:47 Marc Deslauriers gnutls26 (Ubuntu Precise): assignee Marc Deslauriers (mdeslaur)
2015-11-26 16:51:50 Marc Deslauriers gnutls26 (Ubuntu Trusty): assignee Marc Deslauriers (mdeslaur)
2015-11-26 16:51:55 Marc Deslauriers gnutls26 (Ubuntu): status New Fix Released
2015-11-27 05:50:40 Mathew Hodson gnutls26 (Ubuntu Precise): status Confirmed Triaged
2015-11-27 05:50:42 Mathew Hodson gnutls26 (Ubuntu Trusty): status Confirmed Triaged
2015-11-30 19:55:09 Launchpad Janitor gnutls26 (Ubuntu Trusty): status Triaged Fix Released
2015-11-30 20:05:14 Launchpad Janitor gnutls26 (Ubuntu Precise): status Triaged Fix Released
2015-12-01 00:08:05 Mathew Hodson cve linked 2015-8313
2015-12-01 00:08:21 Mathew Hodson cve unlinked 2014-3566
2015-12-01 02:18:36 paz bug added subscriber paz
2016-02-22 18:40:35 Launchpad Janitor branch linked lp:ubuntu/precise-security/gnutls26
2016-02-22 18:40:54 Launchpad Janitor branch linked lp:ubuntu/trusty-security/gnutls26