DoS exploit in openssl (Debian stable only) - Gobiel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198

======
agl
Previously discussed:
[https://news.ycombinator.com/item?id=7682537](https://news.ycombinator.com/item?id=7682537)

My comment from last time:

Good to note that this was found with KLEE[1]. KLEE is good for symbolic
execution of code and is very cool[2].

This only triggers a crash if you use RELEASE_BUFFERS (not the default) and a
warning alert is written when the socket buffer is full. About the only case
where a warning alert is generated is when a client attempts a renegotiation
without the renegotiation extension (unless insecure renegotiation is allowed
by the app). I've not been able to trigger the bug in a test because code
generally stops reading once the socket buffer is full so you need the
application to exactly fill the socket buffer (so that it doesn't get EAGAIN),
then a warning alert can just exceed it.

[1] [http://marc.info/?l=openssl-dev&m=139809493725682&w=2](http://marc.info/?l=openssl-dev&m=139809493725682&w=2)
[2] [http://klee.github.io/klee/](http://klee.github.io/klee/)

------
calpaterson
I can't see why the headline says this is exclusive to Debian stable - it
applies to any distribution that shipped with OpenSSL 1.0 or greater. The RH
bugtracker only mentions that RHEL5 is immune because they didn't ship OpenSSL
1.0. It seems that several packages enable SSL_MODE_RELEASE_BUFFERS including
ruby and node:

[https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1](https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1)

------
itamarhaber
Good thing this only affects 29.8% of Linux distros out there
([http://w3techs.com/technologies/details/os-linux/all/all](http://w3techs.com/technologies/details/os-linux/all/all)) :P

------
0x0
I don't think this is Debian stable only?

~~~
click170
Not only does this not seem to mention Debian at all, it links to a Red Hat bug
tracker. Where is the Debian component coming from re the title? Sounds like
maybe someone has their hate on for Debian to me.

~~~
aroch
I mean, it does impact only the Stable release of Debian [0], but no more than
really any other distro or release which uses a vulnerable version of OpenSSL.
Any sane person on deb-stable should be on the seclist for updates anyway.

[0]: [https://security-tracker.debian.org/tracker/CVE-2014-0198](https://security-tracker.debian.org/tracker/CVE-2014-0198)

------
jtwaleson
Does anyone know which packages have SSL_MODE_RELEASE_BUFFERS enabled and are
vulnerable?

~~~
calpaterson
The linked RH bugtracker mentions ruby and node:

[https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1](https://bugzilla.redhat.com/show_bug.cgi?id=1093837#c1)