Bug 14404

Summary: ruby-httpclient SSL security hardening in 2.4.0
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, ottoleipala1, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/618318/
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK
Source RPM: ruby-httpclient-2.3.4.1-6.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-10-28 20:31:55 CET 
Fedora has issue an advisory on October 17:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141493.html

I don't know whether or not this should be updated in Mageia 3 or Mageia 4, but we should at least update it in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 Pascal Terjan 2014-11-23 11:22:18 CET 
Yes it seems worth an update, I'll try to work on it
Comment 2 Pascal Terjan 2014-11-23 11:32:40 CET 
Test of no longer hardcoding SSLv3:

[pterjan@chopin-cauldron-64 ruby-httpclient]$ httpclient get https://www.google.co.jp/?q=ruby 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

[pterjan@chopin-cauldron-64 ruby-httpclient]$ httpclient get https://www.google.co.jp/?q=ruby 2>&1 | grep 'Protocol version'
Protocol version: TLSv1.2
Comment 3 Pascal Terjan 2014-11-23 11:48:37 CET 
Uploaded to 3 and 4 updates_testing

Before:

$ httpclient get https://mageia.org/ 2>/dev/null | grep title
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href=\"https://www.mageia.org/\">here</a>.</p>\n<hr>\n<address>Apache/2.2.25 (Mageia/PREFORK-1.mga2) Server at mageia.org Port 443</address>\n</body></html>\n",

$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

After:

$ httpclient get https://mageia.org/ 2>/dev/null | grep title
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href=\"https://www.mageia.org/\">here</a>.</p>\n<hr>\n<address>Apache/2.2.25 (Mageia/PREFORK-1.mga2) Server at mageia.org Port 443</address>\n</body></html>\n",

$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: TLSv1
Comment 4 Pascal Terjan 2014-11-23 12:08:43 CET 
Committed advisory:

type: security
subject: Updated ruby-httpclient package enables SSL negotiation
CVE:
 - CVE-2014-3566
src:
  3:
   core:
     - ruby-httpclient-2.4.0-1.mga3
  4:
   core:
     - ruby-httpclient-2.4.0-1.mga4
description: |
  This new version enables SSL negotiation instead of hardcoding SSLv3.

references:
 - https://bugs.mageia.org/show_bug.cgi?id=14404

Assignee: pterjan => qa-bugs

Comment 5 David Walser 2014-11-23 16:26:46 CET 
Thanks.  I don't know that listing CVE-2014-3566 in the CVE section of the advisory is really appropriate, since this technically doesn't fix that CVE (which is technically unfixable), it just mitigates it.  I don't think any distro has handled that technicality consistently though :o(

To QA team: see verification procedure in Comment 3.

Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO has_procedure

claire robinson 2014-11-23 17:19:55 CET

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory

Comment 6 olivier charles 2014-11-23 21:46:19 CET 
Testing on Mageia4-64 real hardware

following procedure in Comment 3.

With current package :
ruby-httpclient-2.3.4.1-4.mga4.noarch
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: SSLv3

With update testing package :
ruby-httpclient-2.4.0-1.mga4.noarch
$ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: TLSv1

OK

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure advisory MGA4-64-OK

Comment 7 olivier charles 2014-11-24 21:14:39 CET 
Testing on Mageia3-64 real hardware
Followed same procedure

but with current package and update testing package, there was a blank after Protocole version :

($ httpclient get https://mageia.org/ 2>&1 | grep 'Protocol version'
Protocol version: )

Couldn't confirm the bug is actually fixed in Mageia3
Comment 8 Otto Leipälä 2014-11-26 14:03:02 CET 
Testing finished i validate this.
Sysadmins push this to updates.

Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK

Comment 9 David Walser 2014-11-26 14:14:56 CET 
Testing Mageia 3 i586.  I have the same results as Olivier.  The protocol version is blank, but this is true before and after the update, so not a regression.  Otherwise, it still works fine.  We know the issue is fixed in 2.4.0, so this is sufficient.
Comment 10 Mageia Robot 2014-11-26 18:30:00 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0489.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED