17621 – openldap should enforce minimum DH size of 1024 to avoid LOGJAM issues

Bug 17621 - openldap should enforce minimum DH size of 1024 to avoid LOGJAM issues

Summary: openldap should enforce minimum DH size of 1024 to avoid LOGJAM issues

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	All Packagers
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-01-25 17:47 CET by David Walser
Modified:	2017-12-27 00:42 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	openldap-2.4.40-3.1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-01-25 17:47:55 CET

OpenSuSE has issued an advisory today (January 25):
http://lists.opensuse.org/opensuse-updates/2016-01/msg00090.html

We already fixed CVE-2015-6908.  OpenSuSE patch for CVE-2015-4000 (LOGJAM) checked into Mageia 5 and Cauldron SVN to be included in the next update.

Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2016-01-25 17:49:12 CET

Patch came from this bug:
https://bugzilla.suse.com/show_bug.cgi?id=937766

Comment 2 Samuel Verschelde 2016-02-02 14:51:48 CET

Assigning to packagers collectively, with the (mostly inactive AFAIK) maintainer in CC.

CC: (none) => bgmilne
Assignee: bugsquad => pkg-bugs

Comment 3 Buchan Milne 2016-02-02 15:42:09 CET

There doesn't seem to have been an upstream issue logged by SUSE.

I would prefer a patch vetted by upstream.

Comment 4 Buchan Milne 2016-02-10 10:00:46 CET

BTW., the upstream fix for this was applied to OpenLDAP master / 2.5 in Sept 2013 in ITS 7506 (http://www.openldap.org/its/index.cgi?findid=7506 ). But this hasn't been merged into the 2.4 release branch.

The patch takes a slightly different approach (allowing DH parameters to be provided in a file, similar to as using something like this on Apache
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
)

If using cn=config, this would be used like this:
olcTLSDHParamFile: /path/to/dhparams.pem

In the event of a DH parameters file not being configured, the code now uses a static 1024-bit DH parameter (apparently the DH parameter selection of the larger parameters was not working).

So, without any configuration, the net effect will be the same, 1024-bit DH parameters, but configuration would actually allow the use of bigger DH parameters.

I am trying to find out from upstream if there is a reason the changes merged into master haven't made it to the 2.4 release branch.

Comment 5 Nicolas Lécureuil 2016-11-18 12:34:05 CET

do you have new infos about this bug ?

CC: (none) => mageia

Comment 6 David Walser 2016-11-18 13:01:01 CET

Don't worry about it.  The patch is already in SVN, so it will be fixed if we have to issue another update for this package.

Comment 7 Nicolas Lécureuil 2017-08-18 17:37:22 CEST

then this is on updates_testing with the other issue ?
( the one we need to fix the tests ;) )

Comment 8 David Walser 2017-08-18 18:46:26 CEST

I think it's obsoleted by the version update.  If we fix the tests and issue the update we can mark this as fixed too.

Comment 9 David Walser 2017-12-27 00:42:39 CET

Patch was removed in the update for Bug 21003.  May or may not have been fixed upstream.

Resolution: (none) => OLD
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.