SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Monsta
Level 10
Level 10
Posts: 3071
Joined: Fri Aug 19, 2011 3:46 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by Monsta »

Yes, there's a kind of inconsistency here.
While Package Tracking System page shows that 1.0.1j-1 is in Testing, the actual package info page still shows 1.0.1i-2.
I think it's because not all the mirrors have been updated yet.
zerozero

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by zerozero »

the version that fixes the "POODLE" vulnerability is 1.0.1j-1, entered testing yesterday

Code: Select all

Start-Date: 2014-10-21  08:24:35
Commandline: apt-get dist-upgrade
Upgrade: man-db:amd64 (2.7.0.2-1, 2.7.0.2-2), libssl1.0.0:amd64 (1.0.1i-2, 1.0.1j-1), libssl1.0.0:i386 (1.0.1i-2, 1.0.1j-1), libgail18:amd64 (2.24.24-1, 2.24.25-1), libgail18:i386 (2.24.24-1, 2.24.25-1), libwxbase3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), openssh-server:amd64 (6.6p1-8, 6.7p1-2), grub-common:amd64 (2.02~beta2-14, 2.02~beta2-15), libsigc++-2.0-0c2a:amd64 (2.2.11-4, 2.4.0-1), libsigc++-2.0-0c2a:i386 (2.2.11-4, 2.4.0-1), gtk2-engines-pixbuf:amd64 (2.24.24-1, 2.24.25-1), gtk2-engines-pixbuf:i386 (2.24.24-1, 2.24.25-1), openssh-sftp-server:amd64 (6.6p1-8, 6.7p1-2), libappstream-dev:amd64 (0.7.2-1, 0.7.3-1), libgtk2.0-bin:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-common:amd64 (2.24.24-1, 2.24.25-1), python-cryptography:amd64 (0.6-1, 0.6.1-1), gir1.2-gtk-2.0:amd64 (2.24.24-1, 2.24.25-1), grub2-common:amd64 (2.02~beta2-14, 2.02~beta2-15), ssh:amd64 (6.6p1-8, 6.7p1-2), openssh-client:amd64 (6.6p1-8, 6.7p1-2), libgtk2.0-0:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-0:i386 (2.24.24-1, 2.24.25-1), grub-pc-bin:amd64 (2.02~beta2-14, 2.02~beta2-15), libsub-identify-perl:amd64 (0.04-2+b1, 0.08-1), grub-pc:amd64 (2.02~beta2-14, 2.02~beta2-15), libwxgtk3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), wpasupplicant:amd64 (2.2-1, 2.3-1), libssl-doc:amd64 (1.0.1i-2, 1.0.1j-1), libappstream1:amd64 (0.7.2-1, 0.7.3-1), openssl:amd64 (1.0.1i-2, 1.0.1j-1), liborcus-0.8-0:amd64 (0.7.0+dfsg-7, 0.7.0+dfsg-9), libgtk2.0-dev:amd64 (2.24.24-1, 2.24.25-1), libgail-common:i386 (2.24.24-1, 2.24.25-1)
End-Date: 2014-10-21  08:26:14

Code: Select all

openssl (1.0.1j-1) unstable; urgency=high

  * New upstream release
    - Fixes CVE-2014-3513
    - Fixes CVE-2014-3567
    - Add Fallback SCSV support to mitigate CVE-2014-3566
    - Fixes CVE-2014-3568
  * Disables SSLv3 because of CVE-2014-3566
  * Update dgst_hmac.patch to apply to new upstream version
  * Drop rehash_pod.patch, applied upstream
  * Fix openssl_fix_for_x32.patch to apply to new upstream version

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Oct 2014 19:06:38 +0200
Monsta
Level 10
Level 10
Posts: 3071
Joined: Fri Aug 19, 2011 3:46 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by Monsta »

Ok, now I see it in the nearest mirror as well. But it still looks like not all the mirrors are up-to-date yet.
Monsta
Level 10
Level 10
Posts: 3071
Joined: Fri Aug 19, 2011 3:46 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by Monsta »

Ok, openssl 1.0.1j-1 is in LMDE repo now.
wibrt

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by wibrt »

This bug also exists in evolution

Debian Bug link + patch proposal from redhat source:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=765838

Remark:
The version in lmde is
evolution 3.8.5-2+b1
The version in debian/testing is
Package: evolution (3.12.6-1)
cf https://packages.debian.org/jessie/evolution
User avatar
Spearmint2
Level 16
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Poodle SSL version 3 exploit. Is it fixed? Also Firefox 28

Post by Spearmint2 »

http://chrisburgess.com.au/how-to-test- ... erability/

https://zmap.io/sslv3/

https://www.openssl.org/~bodo/ssl-poodle.pdf

https://technet.microsoft.com/en-us/lib ... 09008.aspx

https://access.redhat.com/articles/1232123

https://www.poodletest.com/

Is Mint 17 using SSL at all? I did find in package manager libnss3 but it's info only mentions sslv2 and v4, not version 3. When I run a search there for sslv3 I do find other packages, but none which are installed in Mint 17. Is the vulnerability only with the browser then?
SSL3_Firefox28.png
TLS-firefox28.png

As you can see the FF28 seems to have all SSL3 and also TLS available. Would removing all the SSL3 solve it's vulnerability? Force it to use TLS only?
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
User avatar
Spearmint2
Level 16
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Post by Spearmint2 »

I found this;

http://security.stackexchange.com/quest ... nerability
Firefox

Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1. The existing setting allows Firefox to use SSLv3 where it's available and if it's required. By changing the setting you will force Firefox to only ever use TLSv1.0 or better, which is not vulnerable to POODLE.
I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.
Last edited by Spearmint2 on Wed Dec 03, 2014 7:29 pm, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
User avatar
karlchen
Level 23
Level 23
Posts: 18173
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Post by karlchen »

Everything that had to be told about the "Poodle" vulnerability had been collected in this thread: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

This is where this thread will be merged into ...

Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
User avatar
Spearmint2
Level 16
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by Spearmint2 »

thanks Karl, only noticed it mentioned elsewhere recently. Seemed fairly new.

Also, don't change the SSL3 settings if you use yahoo or aol mail, and probably other webmail, it interferes. It will still pass the poodle test as being corrected with just that TLS fix.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
User avatar
karlchen
Level 23
Level 23
Posts: 18173
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by karlchen »

Hi, Culex.

I have my doubts that Symantec, to whom you addressed your question, is very likely to monitor the Linux Mint forum and to give any answers about their Windows software here. Or did I miss something perhaps?

Cheers,
Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
User avatar
Spearmint2
Level 16
Level 16
Posts: 6900
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Turla. Poodle Attack on TLS.

Post by Spearmint2 »

Turla

http://arstechnica.com/security/2014/12 ... for-years/

https://securelist.com/blog/research/67 ... n-turla-2/


Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.

"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been windows based. This piece of the puzzle shows us that they do not limit themselves."
Magic Numbers

Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways." Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. (more at link)

Poodle vs TLS

http://www.net-security.org/secworld.php?id=17735
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
MtnDewManiac
Level 6
Level 6
Posts: 1491
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Post by MtnDewManiac »

Spearmint2 wrote:I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.
I just checked and our current version of Firefox (via Update Manager) is 34.0 - does any of this still need to be done, or has it been taken care of by the Mozilla team in this version?

Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
r00t

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by r00t »

https://blog.mozilla.org/security/2014/ ... f-ssl-3-0/

tl;dr SSLv3 is disabled in firefox 34 (according to that article)
grano salis

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by grano salis »

I have ff 34.0 and checked the settings:

edit: removed attempted image insert - I got it wrong....

NOTE: I've not used an image before, in case I get it wrong, the data is:
PREFERENCE NAME / STATUS / TYPE / VALUE
security.tls.version.min;1 / default / integer / 1
services.sync.prefs.sync.security.tls.version.min / default / boolean / true
Post Reply

Return to “Releases & Announcements”