OpenSSL CVE-2015-1793 - Alternative chains certificate forgery

[ewindisch]

Affected official images need updates:

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Confirmed affected:

• Alpine Linux - alpine:3.1 bug: OpenSSL CVE-2015-1793 - Alternative chains certificate forgery gliderlabs/docker-alpine#50
• buildpack-debs: sid-, wily- bug: OpenSSL Security Update: CVE-2015-1793 - Alternative chains certificate forgery buildpack-deps#31

Not affected:

• Ubuntu (Note that 15.10 | wily was affected upstream but our image does NOT contain the vulnerable version)
• RHEL
• CentOS
• Alpine Linux -- all other versions
• library/debian - openssl is not installed

[ewindisch]

Does not affect Red Hat, CentOS or Ubuntu (released versions). Vulnerable versions of OpenSSL have appeared only since June 2015, so we can rule out any images generated earlier.

[ewindisch]

ping @tianon @yosifkit

[tianon]

• alpine: http://bugs.alpinelinux.org/projects/alpine/search?q=CVE-2015-1793
• busybox: ???
• crux: ???
• debian: https://security-tracker.debian.org/tracker/CVE-2015-1793
• fedora, centos: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1793
• mageia https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2015-1793
• opensuse: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1793
• oraclelinux http://linux.oracle.com/cve/CVE-2015-1793.html
• ubuntu: http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1793.html

[tianon]

According to https://bugzilla.redhat.com/show_bug.cgi?id=1238619#c12, F21 and F22 are confirmed affected.

[tianon]

opensuse is confirmed not affected (https://bugzilla.novell.com/show_bug.cgi?id=936746#c14).

[tianon]

That Oracle link is definitely bad, and I can't find a good replacement source -- @Djelibeybi got a better source? 😄

[tianon]

Ubuntu fix is released, but Debian sid/stretch don't have the fix yet.

[tianon]

@juanluisbaptiste if I'm reading https://bugs.mageia.org/show_bug.cgi?id=16333 correctly, a fix for Mageia is released? How soon does that propagate to where it would be pulled in by a rebuild of the base image tarball?

[juanluisbaptiste]

@tianon After the updated package is pushed to our build system it should take a couple hours at most to mirrors to sync. According to the bug report the fix hasn't been pushed yet but QA is on it right now. I think it will be available later today and I'll update the images.

[tianon]

@juanluisbaptiste 👍 ❤️

[Djelibeybi]

@tianon no Oracle link because we're not affected, therefore we haven't published a CVE note for resolution.

[tianon]

@Djelibeybi ok, thanks for confirming! 👍

For future reference though (and to let us avoid poking you for future issues that may not even affect Oracle Linux), is there a bug tracker or security tracker we can look up that status in?

[Djelibeybi]

@tianon that's a work-in-progress. :) I'm trying to get a negative-CVE-confirmation system, i.e. to list all CVEs and to state we're unaffected, but I'm still chugging along with that. Actual security trackers are heavily controlled by Oracle Security and even I can't see them, given that the majority of security bugs are related to our non-Open Source code.

[tianon]

@Djelibeybi awwww ok, that's fair enough I suppose 👍

[tianon]

ping @lsm5; you're going to update F21 and F22 once the updates are properly available, right?

[tianon]

The fix for this is finally in sid, but IMO we might as well wait to regenerate debian (and thus the majority of the library) until it migrates to stretch since it'll only be two days (https://release.debian.org/migration/testing.pl?package=openssl) and we don't have a lot of end-user images based on either sid or stretch.

[yosifkit]

#883 and #884 have fixes for node and iojs, respectively.

[lsm5]

@tianon yup, will check with rel-eng and get back with updates

[juanluisbaptiste]

@tianon update for mageia pushed, working on new image right now.

[juanluisbaptiste]

@tianon done: #885

[andyshinn]

This can be closed as of #1050.

[tianon]

🤘 thanks @andyshinn