[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Debian) | Fix Released | Unknown | |
nginx (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Marc Deslauriers |
Utopic | Fix Released | Undecided | Unassigned |
Bug Description
A security vulnerability was found in the nginx package. All versions in Lucid, Precise, Trusty, and Utopic are affected.
------
This is the email that went out in the nginx security advisories list regarding this vulnerability:
Hello!
A problem with SSL session cache in nginx was identified by Antoine
Delignat-Lavaud. It was possible to reuse cached SSL sessions in
unrelated contexts, allowing virtual host confusion attacks in some
configurations by an attacker in a privileged network position
(CVE-2014-3616).
The problem affects nginx 0.5.6 - 1.7.4 if the same shared
ssl_session_cache and/or ssl_session_
server{} blocks.
The problem is fixed in nginx 1.7.5, 1.6.2.
Further details can be found in the paper by Antoine Delignat-Lavaud
et al., available at http://
------
This is CVE-2014-3616.
------
This has been fixed upstream in nginx. This has also been fixed in Debian.
------
The Debian bug for this is: https:/
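A configuration audit for the condition the advisory describes, added here as an example (not code from nginx, Ubuntu or the bug report): it lists shared `ssl_session_cache` zones used by more than one `server{}` block and checks an upstream version against the advisory's affected range. The sample config, the function names and the simplified parser are assumptions.

```python
import re

# Constructed sample config (not from the bug report): a.example and
# b.example inherit the shared zone "SSL"; c.example has its own zone.
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; }
    server {
        listen 443 ssl; server_name c.example;
        ssl_session_cache shared:PRIVATE:5m;
    }
}
"""

def is_affected(version):
    """Upstream range from the advisory: 0.5.6 - 1.7.4, fixed in 1.6.2 and 1.7.5.
    Distro packages with a backported patch keep the old upstream number."""
    v = tuple(int(p) for p in version.split("."))
    if (1, 6, 2) <= v < (1, 7, 0):       # fixed stable branch
        return False
    return (0, 5, 6) <= v <= (1, 7, 4)

def shared_zones(conf):
    """Return {zone: [server_name, ...]} for zones used by 2+ server{} blocks.
    Simplified parser (assumption): no quoted strings or includes, and an
    inherited directive must appear before the server{} blocks it covers."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, words, zones = [], [], {}
    for tok in tokens:
        if tok == "{":                    # open a block, inheriting the zone
            zone = stack[-1]["zone"] if stack else None
            stack.append({"kind": words[0] if words else "", "zone": zone, "name": "?"})
        elif tok == ";" and stack and words:
            if words[0] == "ssl_session_cache":
                shared = [w.split(":")[1] for w in words[1:] if w.startswith("shared:")]
                stack[-1]["zone"] = shared[0] if shared else None
            elif words[0] == "server_name" and len(words) > 1:
                stack[-1]["name"] = words[1]
        elif tok == "}" and stack:        # close a block, record server zones
            block = stack.pop()
            if block["kind"] == "server" and block["zone"]:
                zones.setdefault(block["zone"], []).append(block["name"])
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return {z: names for z, names in zones.items() if len(names) > 1}
```

A zone reported here on an affected upstream version is the configuration the advisory calls out; giving each `server{}` block its own zone or upgrading to a fixed build removes the finding.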
CVE References
description: | updated |
summary: |
- [CVE-2014-3616] "reuse cached SSL sessions in unrelated contexts"
+ [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts" |
Changed in nginx (Ubuntu): | |
status: | New → Confirmed |
Changed in nginx (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in nginx (Ubuntu Lucid): | |
status: | New → Won't Fix |
Changed in nginx (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in nginx (Ubuntu Trusty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in nginx (Debian): | |
status: | Unknown → Fix Released |
Changed in nginx (Ubuntu Utopic): | |
status: | Confirmed → Fix Released |
This bug was fixed in the package nginx - 1.4.6-1ubuntu3.1
---------------
nginx (1.4.6-1ubuntu3.1) trusty-security; urgency=medium
  * SECURITY UPDATE: incorrect cached SSL session reuse (LP: #1370478)
    - debian/patches/CVE-2014-3616.patch: include hash of certificate in
      session id context in src/event/ngx_event_openssl.c.
    - CVE-2014-3616
-- Marc Deslauriers <email address hidden> Wed, 17 Sep 2014 08:56:46 -0400