Some nginx TLS tests started failing with LibreSSL 2.5.3 (but not with 2.4.4) #307
Comments
Same or similar results with the nginx port in
I think it's this commit [0] together with nginx's [0] libressl/openbsd@ddd98f8
I've tried to rebuild LibreSSL 2.5.3 with libressl/openbsd@ddd98f8 reverted and now all nginx tests pass!
Please read the responses from the nginx team in https://trac.nginx.org/nginx/ticket/1257#comment:4. According to them it's not a problem on their side, and it seems to us that they are right.
Thanks for digging into the issue and reporting this. It seems that the change does indeed break the documented API - we're looking into solutions and will follow up soon.
this regression being a security issue, have we got a CVE yet?
I have seen no CVE for this issue. Perhaps nginx has one.
On Wed, Apr 26, 2017 at 09:08:21PM -0700, William Pitcock wrote:
> this regression being a security issue, have we got a CVE yet?
And before you ask, no we do not request them. If the discoverer of the issue wishes to do so, that's fine.
On Wed, Apr 26, 2017 at 10:23 PM, Bob Beck wrote:
> I have seen no CVE for this issue. Perhaps nginx has one.
> On Wed, Apr 26, 2017 at 09:08:21PM -0700, William Pitcock wrote:
>> this regression being a security issue, have we got a CVE yet?
Since this seems to affect at least two widely-used software packages severely if used together with LibreSSL, we opted to request a CVE for this.
CVE-2017-8301 has been assigned for this issue.
This has been reverted upstream - errata/release to follow soon.
Once the portable 2.5.4 heads out (shortly) I will close this out.
Errata released, and fixed in portable libressl 2.5.4
thanks.
Contains a fix for CVE-2017-8301: TLS verification vulnerability in LibreSSL 2.5.1 - 2.5.3 [1][2]
[1]: http://seclists.org/oss-sec/2017/q2/145
[2]: libressl/portable#307
Contains a fix for CVE-2017-8301: TLS verification vulnerability in LibreSSL 2.5.1 - 2.5.3 [1][2]
[1]: http://seclists.org/oss-sec/2017/q2/145
[2]: libressl/portable#307
(cherry picked from commit e2bc4e4)
After we updated LibreSSL from 2.4.4 to 2.5.3 in Alpine Linux, we noticed that some TLS-related tests in nginx (both 1.10.3 and 1.12.0) started failing. Moreover, most of them fail because nginx accepted a certificate that should have been rejected! That's a pretty bad regression.
We're not sure if the problem is in LibreSSL, nginx or nginx-tests, so we are reporting it to both. Nginx bug report: https://trac.nginx.org/nginx/ticket/1257.
People from VoidLinux have reproduced this issue too, on glibc.
Complete log: http://tpaste.us/Ynw6 or nginx-tests.log.txt
/cc @ncopa