Bug 15891

Summary: stunnel new security fix in 5.14 (CVE-2015-3644)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dan, davidwhodgins, guillomovitch, mageia, mageia, pterjan, shlomif, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: stunnel-5.03-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-05-08 20:34:57 CEST 
The stunnel changelog:
https://www.stunnel.org/sdf_ChangeLog.html

Shows some security fixes since 5.03.

Version 5.06, 2014.10.15, urgency: HIGH:
    Security bugfixes
        The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
        The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
        Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.

Version 5.14, 2015.03.25, urgency: HIGH:
    Security bugfixes
        The "redirect" option now also redirects clients on SSL session reuse. In stunnel versions 5.00 to 5.12 reused sessions were instead always connected hosts specified with the "connect" option regardless of their certificate verification result. This vulnerability was reported by Johan Olofsson.

The changelog also shows openssl updates, but that shouldn't matter for us since it's using the system openssl library.

I did attempt to have SSLv3 disabled in the default config in the commit I just made, but the upstream change in 5.06 is a better solution.  I'm not sure how impactful/important the sslVersion change in 5.06 is.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-08 20:35:25 CEST

CC: (none) => guillomovitch, pterjan
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-05-10 21:35:54 CEST 
Perhaps we could devise a better solution to Bug 15881 that I just implemented too.  I guess it has some hard-coded location in which it looks for the PID file.  I fixed it by overriding that in the default config, but it would be better to fix where it's looking for it by default.
Comment 2 Nicolas Lécureuil 2015-05-15 00:36:29 CEST 
in f20 they always update so i think there no "update issues" wdyt ?

CC: (none) => mageia

Comment 3 David Walser 2015-05-15 01:29:31 CEST 
Well Fedora tends to update everything, so their model isn't always appropriate for us, but AFAIK there shouldn't be any problems with updating stunnel to the newest version on Mageia 5.
Comment 4 Sander Lepik 2015-06-27 20:23:31 CEST 
Any progress?

CC: (none) => mageia

Comment 5 David Walser 2015-07-04 02:51:31 CEST 
Upstream issued an advisory for this on March 25:
https://www.stunnel.org/CVE-2015-3644.html

Debian has issued an advisory for this on July 2:
https://www.debian.org/security/2015/dsa-3299

Summary: stunnel new security fix in 5.14 => stunnel new security fix in 5.14 (CVE-2015-3644)

David Walser 2015-07-09 22:41:07 CEST

Assignee: bugsquad => guillomovitch

Comment 6 Sander Lepik 2015-07-12 18:54:25 CEST 
Adding Dan and Shlomi as their packages depend on this one: popa3d and curl.

CC: (none) => dan, shlomif
Hardware: i586 => All

Comment 7 Sander Lepik 2015-07-25 13:04:58 CEST 
So, I updated cauldron to the latest version (5.20) and modified Debian's patch to apply on 5.03. It still needs an advisory and some proper methods for QA to test that it actually fixed the issue. I tried to rebuild curl with this patched version and it still succeeded, so the package itself at least seems to work.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 8 David Walser 2015-07-25 18:14:05 CEST 
Thanks Sander.  It might be better to just update it, but this should solve the immediate issue.  It'd be nice to have a better fix for Bug 15881 too, but it should work for now.

Advisory:
========================

Updated stunnel packages fix security vulnerability:

Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a
program designed to work as an universal SSL tunnel for network daemons. When
Stunnel in server mode is used with the redirect option and certificate-based
authentication is enabled with "verify = 2" or higher, then only the initial
connection is redirected to the hosts specified with "redirect". This allows a
remote attacker to bypass authentication (CVE-2015-3644).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3644
https://www.stunnel.org/CVE-2015-3644.html
https://www.debian.org/security/2015/dsa-3299
========================

Updated packages in core/updates_testing:
========================
stunnel-5.03-4.1.mga5

from stunnel-5.03-4.1.mga5.src.rpm

Assignee: guillomovitch => qa-bugs

Comment 9 Samuel Verschelde 2015-07-27 12:33:09 CEST 
Testing tips: https://bugs.mageia.org/show_bug.cgi?id=12943#c8
Comment 10 Shlomi Fish 2015-07-27 15:19:21 CEST 
(In reply to Samuel VERSCHELDE from comment #9)
> Testing tips: https://bugs.mageia.org/show_bug.cgi?id=12943#c8

tested per this procedure on a Mageia 5 i586 VBox VM. Everything worked - even more smoothly than was described there (just had to enable https and the higher port). Adding MGA5-32-OK.

Whiteboard: (none) => MGA5-32-OK

Comment 11 Shlomi Fish 2015-07-27 15:39:53 CEST 
Now doing "MGA5-64-OK" because tested this on a Mageia 5 x86-64 laptop and it also is working fine.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 12 Samuel Verschelde 2015-07-27 15:41:55 CEST 
Which gives us a validated update, thanks! It'll only need the advisory to be uploaded.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-07-27 19:32:23 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 13 Mageia Robot 2015-07-27 19:45:59 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0289.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED