Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/12/16 16:28:44 UTC

[GitHub] [pulsar] phijohns-tibco opened a new issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

phijohns-tibco opened a new issue #8978:
URL: https://github.com/apache/pulsar/issues/8978


   OpenSSL Security Advisory [08 December 2020]
   ============================================
   
   EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
   ======================================================
   
   Severity: High
   
   The X.509 GeneralName type is a generic type for representing different types
   of names. One of those name types is known as EDIPartyName. OpenSSL provides a
   function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
   to see if they are equal or not. This function behaves incorrectly when both
   GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
   may occur leading to a possible denial of service attack.
   
   OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
   1) Comparing CRL distribution point names between an available CRL and a CRL
     distribution point embedded in an X509 certificate
   2) When verifying that a timestamp response token signer matches the timestamp
     authority name (exposed via the API functions TS_RESP_verify_response and
     TS_RESP_verify_token)
   
   If an attacker can control both items being compared then that attacker could
   trigger a crash. For example, if the attacker can trick a client or server into
   checking a malicious certificate against a malicious CRL then this may occur.
   Note that some applications automatically download CRLs based on a URL embedded
   in a certificate. This checking happens prior to the signatures on the
   certificate and CRL being verified. OpenSSL's s_server, s_client and verify
   tools have support for the "-crl_download" option which implements automatic
   CRL downloading and this attack has been demonstrated to work against those
   tools.
   
   Note that an unrelated bug means that affected versions of OpenSSL cannot parse
   or construct correct encodings of EDIPARTYNAME. However it is possible to
   construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
   trigger this attack.
   
   All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL
   releases are out of support and have not been checked.
   
   OpenSSL 1.1.1 users should upgrade to 1.1.1i.
   
   OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
   support customers of OpenSSL 1.0.2 should upgrade to 1.0.2x. Other users should
   upgrade to OpenSSL 1.1.1i.
   
   This issue was reported to OpenSSL on 9th November 2020 by David Benjamin
   (Google). Initial analysis was performed by David Benjamin with additional
   analysis by Matt Caswell (OpenSSL). The fix was developed by Matt Caswell.
   
   Note
   ====
   
   OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
   support is available for premium support customers:
   https://www.openssl.org/support/contracts.html
   
   OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
   The impact of this issue on OpenSSL 1.1.0 has not been analysed.
   
   Users of these versions should upgrade to OpenSSL 1.1.1.
   
   References
   ==========
   
   URL for this Security Advisory:
   openssl.org/news/secadv/20201208.txt
   
   Note: the online version of the advisory may be updated with additional details
   over time.
   
   For details of OpenSSL severity classifications please see:
   openssl.org/policies/secpolicy.html


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
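The advisory above lists which OpenSSL release series are affected by CVE-2020-1971 and which letter release fixes each one. When triaging an issue like this across container images, the first practical question is simply "which OpenSSL does this image ship?". The following Python is an added example (not code from the issue, from OpenSSL, or from the Pulsar project) that parses the banner printed by `openssl version` and classifies it against the advisory's statements: 1.1.1 fixed from 1.1.1i, 1.0.2 fixed from 1.0.2x (premium support only), 1.1.0 out of support and not analysed. The sample banners are constructed for illustration and are not taken from any Pulsar image.

```python
import re
from typing import Optional, Tuple

# Fixed letter release per series, as stated in the OpenSSL advisory of 8 Dec 2020.
FIXED_LETTER = {"1.1.1": "i", "1.0.2": "x"}

# Matches e.g. "OpenSSL 1.1.1h  22 Sep 2020" or "OpenSSL 1.0.2k-fips  26 Jan 2017".
# Letter suffixes in the 1.x scheme sort lexicographically (a < b < ... < z < za).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[str, str]]:
    """Return (series, letter) from an `openssl version` banner, or None if it
    is not an OpenSSL banner (LibreSSL, BoringSSL and friends print differently)."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    series = ".".join(match.group(1, 2, 3))
    return series, match.group(4)


def assess_cve_2020_1971(banner: str) -> str:
    """Classify a banner against the advisory.

    Returns one of:
      "affected"    - series is covered by the advisory and older than the fix
      "fixed"       - series is covered and at or beyond the fix letter
      "unassessed"  - 1.1.0: out of support, impact not analysed by OpenSSL
      "unknown"     - a series the advisory does not cover (e.g. 3.x)
      "unparseable" - not an OpenSSL banner at all
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unparseable"
    series, letter = parsed
    if series in FIXED_LETTER:
        # An empty letter is the initial release of the series, which sorts
        # before "a" and is therefore affected.
        return "fixed" if letter >= FIXED_LETTER[series] else "affected"
    if series == "1.1.0":
        return "unassessed"
    return "unknown"


# Constructed sample banners (hypothetical, not captured from real images).
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1h  22 Sep 2020",
    "OpenSSL 1.1.1i  8 Dec 2020",
    "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "OpenSSL 1.1.0l  10 Sep 2019",
    "LibreSSL 2.8.3",
]


def triage(banners) -> dict:
    """Map each banner to its classification; handy for a fleet-wide report."""
    return {b: assess_cve_2020_1971(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:12s} {banner}")
```

In practice the banner would come from `docker run --rm <image> openssl version` for each image under review; feed those lines to `triage()` and act on anything reported as "affected", and treat "unassessed" 1.1.0 builds as needing an upgrade to 1.1.1 regardless, since the advisory says that series receives no updates of any kind.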



[GitHub] [pulsar] phijohns-tibco edited a comment on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco edited a comment on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-757368011


   @merlimat Hello, I've figured out my roadblocks with this work. A bit of warning: I seem to have kicked up an issue on Docker for Mac in which I believe the parsing of the Dockerfile is actually incorrect. I can't prove it, but I've seen the result on multiple Mac machines. I don't see this issue on Linux; the docker images are built correctly.
   
   How would you like to proceed? I wasn't sure if you would be trying to build the images on a mac or not.





[GitHub] [pulsar] codelipenghui commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
codelipenghui commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-1058894714


   The issue had no activity for 30 days, mark with Stale label.





[GitHub] [pulsar] phijohns-tibco commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-757368011


   @merlimat Hello, I've figured out my roadblocks with this work. A bit of warning: I seem to have kicked up an issue on Docker for Mac in which I believe the parsing of the Dockerfile is actually incorrect. I can't prove it, but I've seen the result on multiple Mac machines. I don't see this issue on Linux; the docker images are built correctly.
   
   How would you like to proceed?





[GitHub] [pulsar] phijohns-tibco commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-758008841


   Docker issue reference
   https://github.com/docker/distribution/issues/3328






[GitHub] [pulsar] phijohns-tibco commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-749024015


   @merlimat I've run into a couple of hiccups testing against the head. My previous builds worked with 2.7.0 and lower. 
   
   Once I get a clean build I'll submit the docker images.





[GitHub] [pulsar] phijohns-tibco edited a comment on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco edited a comment on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-757368011


   @merlimat Hello, I've figured out my roadblocks with this work. A bit of warning: I seem to have kicked up an issue on Docker for Mac in which I believe the parsing of the Dockerfile is actually incorrect. I can't prove it, but I've seen the result on multiple Mac machines. I don't see this issue on Linux; the docker images are built correctly.
   
   How would you like to proceed? I wasn't sure if you would be trying to build the images on a mac or not.
   
   After further research I found that it doesn't matter if you are on Mac or Linux. The issue appears to be with docker 20.10.x. I have a workaround, but it is a little ugly. I'm opening an issue with docker and will link it to this issue when I get a chance.






[GitHub] [pulsar] merlimat commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
merlimat commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-746767496


   @phijohns-tibco please submit the changes to the Dockerfiles and I can help push the images





[GitHub] [pulsar] phijohns-tibco commented on issue #8978: OpenSSL needs to be updated to 1.1.1i current version is unsupported.

Posted by GitBox <gi...@apache.org>.
phijohns-tibco commented on issue #8978:
URL: https://github.com/apache/pulsar/issues/8978#issuecomment-746606579


   I have a fix for this issue I just need to know whom to sync up with when it comes to pushing new build images to the docker repo.

