Linux Mint Forums

Welcome to the Linux Mint forums!
https://forums.linuxmint.com/

SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

https://forums.linuxmint.com/viewtopic.php?t=180418

Page 2 of 2

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Wed Oct 22, 2014 9:29 am
by Monsta
Yes, there's a kind of inconsistency here.
While Package Tracking System page shows that 1.0.1j-1 is in Testing, the actual package info page still shows 1.0.1i-2.
I think it's because not all the mirrors have been updated yet.

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Wed Oct 22, 2014 1:51 pm
by zerozero
the version that fixes the "POODLE" vulnerability is 1.0.1j-1, entered testing yesterday

Code: Select all

Start-Date: 2014-10-21  08:24:35
Commandline: apt-get dist-upgrade
Upgrade: man-db:amd64 (2.7.0.2-1, 2.7.0.2-2), libssl1.0.0:amd64 (1.0.1i-2, 1.0.1j-1), libssl1.0.0:i386 (1.0.1i-2, 1.0.1j-1), libgail18:amd64 (2.24.24-1, 2.24.25-1), libgail18:i386 (2.24.24-1, 2.24.25-1), libwxbase3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), openssh-server:amd64 (6.6p1-8, 6.7p1-2), grub-common:amd64 (2.02~beta2-14, 2.02~beta2-15), libsigc++-2.0-0c2a:amd64 (2.2.11-4, 2.4.0-1), libsigc++-2.0-0c2a:i386 (2.2.11-4, 2.4.0-1), gtk2-engines-pixbuf:amd64 (2.24.24-1, 2.24.25-1), gtk2-engines-pixbuf:i386 (2.24.24-1, 2.24.25-1), openssh-sftp-server:amd64 (6.6p1-8, 6.7p1-2), libappstream-dev:amd64 (0.7.2-1, 0.7.3-1), libgtk2.0-bin:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-common:amd64 (2.24.24-1, 2.24.25-1), python-cryptography:amd64 (0.6-1, 0.6.1-1), gir1.2-gtk-2.0:amd64 (2.24.24-1, 2.24.25-1), grub2-common:amd64 (2.02~beta2-14, 2.02~beta2-15), ssh:amd64 (6.6p1-8, 6.7p1-2), openssh-client:amd64 (6.6p1-8, 6.7p1-2), libgtk2.0-0:amd64 (2.24.24-1, 2.24.25-1), libgtk2.0-0:i386 (2.24.24-1, 2.24.25-1), grub-pc-bin:amd64 (2.02~beta2-14, 2.02~beta2-15), libsub-identify-perl:amd64 (0.04-2+b1, 0.08-1), grub-pc:amd64 (2.02~beta2-14, 2.02~beta2-15), libwxgtk3.0-0:amd64 (3.0.1-3, 3.0.2-1+b1), wpasupplicant:amd64 (2.2-1, 2.3-1), libssl-doc:amd64 (1.0.1i-2, 1.0.1j-1), libappstream1:amd64 (0.7.2-1, 0.7.3-1), openssl:amd64 (1.0.1i-2, 1.0.1j-1), liborcus-0.8-0:amd64 (0.7.0+dfsg-7, 0.7.0+dfsg-9), libgtk2.0-dev:amd64 (2.24.24-1, 2.24.25-1), libgail-common:i386 (2.24.24-1, 2.24.25-1)
End-Date: 2014-10-21  08:26:14

Code: Select all

openssl (1.0.1j-1) unstable; urgency=high

  * New upstream release
    - Fixes CVE-2014-3513
    - Fixes CVE-2014-3567
    - Add Fallback SCSV support to mitigate CVE-2014-3566
    - Fixes CVE-2014-3568
  * Disables SSLv3 because of CVE-2014-3566
  * Update dgst_hmac.patch to apply to new upstream version
  * Drop rehash_pod.patch, applied upstream
  * Fix openssl_fix_for_x32.patch to apply to new upstream version

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Oct 2014 19:06:38 +0200

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Thu Oct 23, 2014 3:38 am
by Monsta
Ok, now I see it in the nearest mirror as well. But it still looks like not all the mirrors are up-to-date yet.

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Sat Oct 25, 2014 6:46 am
by Monsta
Ok, openssl 1.0.1j-1 is in LMDE repo now.

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Thu Oct 30, 2014 5:26 am
by wibrt
This bug also exists in evolution

Debian Bug link + patch proposal from redhat source:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=765838

Remark:
The version in lmde is
evolution 3.8.5-2+b1
The version in debian/testing is
Package: evolution (3.12.6-1)
cf https://packages.debian.org/jessie/evolution

Poodle SSL version 3 exploit. Is it fixed? Also Firefox 28

Posted: Wed Dec 03, 2014 6:51 pm
by Spearmint2
http://chrisburgess.com.au/how-to-test- ... erability/

https://zmap.io/sslv3/

https://www.openssl.org/~bodo/ssl-poodle.pdf

https://technet.microsoft.com/en-us/lib ... 09008.aspx

https://access.redhat.com/articles/1232123

https://www.poodletest.com/

Is Mint 17 using SSL at all? I did find in package manager libnss3 but it's info only mentions sslv2 and v4, not version 3. When I run a search there for sslv3 I do find other packages, but none which are installed in Mint 17. Is the vulnerability only with the browser then?
SSL3_Firefox28.png
TLS-firefox28.png

As you can see the FF28 seems to have all SSL3 and also TLS available. Would removing all the SSL3 solve it's vulnerability? Force it to use TLS only?

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Posted: Wed Dec 03, 2014 7:24 pm
by Spearmint2
I found this;

http://security.stackexchange.com/quest ... nerability
Firefox

Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1. The existing setting allows Firefox to use SSLv3 where it's available and if it's required. By changing the setting you will force Firefox to only ever use TLSv1.0 or better, which is not vulnerable to POODLE.
I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Posted: Wed Dec 03, 2014 7:27 pm
by karlchen
Everything that had to be told about the "Poodle" vulnerability had been collected in this thread: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

This is where this thread will be merged into ...

Karl

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Wed Dec 03, 2014 7:30 pm
by Spearmint2
thanks Karl, only noticed it mentioned elsewhere recently. Seemed fairly new.

Also, don't change the SSL3 settings if you use yahoo or aol mail, and probably other webmail, it interferes. It will still pass the poodle test as being corrected with just that TLS fix.

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Sat Dec 06, 2014 8:21 am
by karlchen
Hi, Culex.

I have my doubts that Symantec, to whom you addressed your question, is very likely to monitor the Linux Mint forum and to give any answers about their Windows software here. Or did I miss something perhaps?

Cheers,
Karl

Turla. Poodle Attack on TLS.

Posted: Wed Dec 10, 2014 12:17 am
by Spearmint2
Turla

http://arstechnica.com/security/2014/12 ... for-years/

https://securelist.com/blog/research/67 ... n-turla-2/


Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.

"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been windows based. This piece of the puzzle shows us that they do not limit themselves."
Magic Numbers

Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways." Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or 80.248.65.183, which are the addresses of known command and control channels hardcoded into the Linux trojan. (more at link)

Poodle vs TLS

http://www.net-security.org/secworld.php?id=17735

Re: Poodle SSL version 3 exploit. Is it fixed? Also Firefox

Posted: Thu Dec 11, 2014 8:46 pm
by MtnDewManiac
Spearmint2 wrote:I also previously changed all those SSL3 settings in Firefox 28 to "false". So far no problems signing in to several sites I use. I'll have to keep an eye on it for awhile.
I just checked and our current version of Firefox (via Update Manager) is 34.0 - does any of this still need to be done, or has it been taken care of by the Mozilla team in this version?

Regards,
MDM

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Thu Dec 11, 2014 9:31 pm
by r00t
https://blog.mozilla.org/security/2014/ ... f-ssl-3-0/

tl;dr SSLv3 is disabled in firefox 34 (according to that article)

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Posted: Fri Dec 12, 2014 2:58 pm
by grano salis
I have ff 34.0 and checked the settings:

edit: removed attempted image insert - I got it wrong....

NOTE: I've not used an image before, in case I get it wrong, the data is:
PREFERENCE NAME / STATUS / TYPE / VALUE
security.tls.version.min;1 / default / integer / 1
services.sync.prefs.sync.security.tls.version.min / default / boolean / true
All times are UTC-04:00
Page 2 of 2

Powered by phpBB® Forum Software © phpBB Limited