Ubuntu
gnutls26 package

Poodle TLS1.0 issue in Trusty (and Precise)

Bug #1510163 reported by Bryan Quigley on 2015-10-26

264

This bug affects 2 people

	Status	Importance	Assigned to
gnutls26 (Ubuntu)	Fix Released	High	Unassigned
Precise	Fix Released	High	Marc Deslauriers
Trusty	Fix Released	High	Marc Deslauriers

Bug Description

[Impact]
Gnutls is affected by the Poodle TLS exploit https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

[Test Case]
launch a new trusty VM
sudo apt-get install cups
Open /etc/cups/cupsd.conf and change just this one section
...
# Only listen for connections from the local machine.
#Listen localhost:631
Listen /var/run/cups/cups.sock

SSLPort 443
SSLOptions None
ServerAlias 127.35.213.162.lcy-02.canonistack.canonical.com
...
Restart cups and then run the ssllabs test - https://www.ssllabs.com/ssltest/

[Regression Potential]
This is a simple off by one error, that's fixed in all newer versions of gnutls.

See original description

Tags:

Related branches

lp:ubuntu/precise-security/gnutls26

lp:ubuntu/trusty-security/gnutls26

CVE References

2015-8313

Bryan Quigley (bryanquigley) on 2015-10-26

tags:

added: precise trusty

Bryan Quigley (bryanquigley) on 2015-10-29

information type:

Public → Public Security

Mathew Hodson (mhodson) on 2015-11-09

Changed in gnutls26 (Ubuntu):
importance:	Undecided → High
tags:	added: poodle

Bryan Quigley (bryanquigley) on 2015-11-25

description:

updated

Bryan Quigley (bryanquigley) on 2015-11-25

description:

updated

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2015-11-25:

precise debdiff Edit (2.1 KiB, text/plain)

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2015-11-25:

trusty debdiff Edit (2.1 KiB, text/plain)

Tested both with ssllabs should go from F rating to C rating - POODLE TLS issue should be gone, but SSLv3 will still be enabled. That's a separate bug - 1505328.

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2015-11-25:

Unlike the other cups patch, this gnutls bug I believe should go to security pocket.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-11-26:

Hi Bryan,

Thanks for the debdiffs!

Where did you obtain the patch from Hanno Boeck from?

Revision history for this message

Bryan Quigley (bryanquigley) wrote on 2015-11-26:

Hi Marc,

In an private email, he did mention that he planned to blog about it in the future.

Marc Deslauriers (mdeslaur) on 2015-11-26

Changed in gnutls26 (Ubuntu Precise):
status:	New → Confirmed
Changed in gnutls26 (Ubuntu Trusty):
status:	New → Confirmed
Changed in gnutls26 (Ubuntu Precise):
importance:	Undecided → High
Changed in gnutls26 (Ubuntu Trusty):
importance:	Undecided → High
Changed in gnutls26 (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu Trusty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls26 (Ubuntu):
status:	New → Fix Released

Mathew Hodson (mhodson) on 2015-11-27

Changed in gnutls26 (Ubuntu Precise):
status:	Confirmed → Triaged
Changed in gnutls26 (Ubuntu Trusty):
status:	Confirmed → Triaged

Revision history for this message

Hanno Böck (hanno-hboeck) wrote on 2015-11-30:

Took me a bit longer, but blogpost is now public and explains the issue in detail including its history and first incomplete fix:
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-30:

This bug was fixed in the package gnutls26 - 2.12.23-12ubuntu2.3

---------------
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
    - debian/patches/fix_tls_poodle.patch: fixes off by one
      issue in padding check.
      Patch created by Hanno Boeck (https://hboeck.de/)
    (LP: #1510163)

-- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:33 +0000

Changed in gnutls26 (Ubuntu Trusty):
status:	Triaged → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-30:

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.10

---------------
gnutls26 (2.12.14-5ubuntu3.10) precise-security; urgency=low

-- Bryan Quigley <email address hidden> Wed, 25 Nov 2015 21:37:58 +0000

Changed in gnutls26 (Ubuntu Precise):
status:	Triaged → Fix Released

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-11-30:

Publishing as a security update now, thanks!

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntugnutls26 package

Poodle TLS1.0 issue in Trusty (and Precise)

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
gnutls26 package