Chris Lamb writes:
> No. With my FD hat on, I went ahead and did this. :)
Thanks!
--
Brian May
Brian May wrote:
> Ok, so looks like I should be able to add the following line:
>
> matrixssl 1.8.8-1 2016-09-08 Not supported in
> Debian LTS (https://lists.debian.org/debian-lts/2016/09/msg00030.html)
>
> To security-support-ended.deb7 and push to
> ssh://git.d
Ben Hutchings writes:
> This should be done by updating the debian-security-support package.
> I'm not sure whether there's any need to batch changes there.
> Unfortunately it looks like it has to be updated in jessie before
> wheezy due to its date-based versioning.
>
> After updating it, issue
On Wed, 2016-09-07 at 07:38 +1000, Brian May wrote:
> > Ben Hutchings writes:
>
> >
> > So let's add it to the unsupported packages list.
>
> Sounds like a good idea. Not sure we really should be supporting
> encryption libraries that only support SSLv3.
>
> How do we add packages to the unsup
On Wed, 2016-09-07 at 07:43 +1000, Brian May wrote:
> > Brian May writes:
>
> >
> > How do we add packages to the unsupported list? Is this something I can
> > do?
>
> Possibly somebody has already done this, I see it is listed as
> in data/CVE/list.
No, that only means it was removed from un
Brian May writes:
> How do we add packages to the unsupported list? Is this something I can
> do?
Possibly somebody has already done this, I see it is listed as
in data/CVE/list.
--
Brian May
Ben Hutchings writes:
> So let's add it to the unsupported packages list.
Sounds like a good idea. Not sure we really should be supporting
encryption libraries that only support SSLv3.
How do we add packages to the unsupported list? Is this something I can
do?
--
Brian May
On Mon, 2016-09-05 at 18:16 +1000, Brian May wrote:
> > Christopher Samuel writes:
>
> >
> > I found that error reported in an unrelated bug report, the solution
> > seems to be:
> >
> > https://bugs.contribs.org/show_bug.cgi?id=7664#c4
>
> Thanks for this. Finally got it working...
>
> ...BU
Hi Brian
I think we should state no-dsa for this.
Matrixssl is very seldomly used. According to popcon there are in
total 75 users.
https://qa.debian.org/popcon.php?package=matrixssl
Considering that it is really hard to reproduce (or impossible) and
lack of users I think we should spend our eff
Brian May writes:
> Ok, managed to rebuild the Debian package with ssl3 support enabled. It
> appears to work. Will try the exploit. Still leaves me wondering if it
> is actually worth fixing security issues in matrixssl.
Hmmm.. Interesting. Wheezy version appears to be not vulnerable to these
ex
Christopher Samuel writes:
> I found that error reported in an unrelated bug report, the solution
> seems to be:
>
> https://bugs.contribs.org/show_bug.cgi?id=7664#c4
Thanks for this. Finally got it working...
...BUT matrixssl is SSLv3 only. openssl in sid - which seems to be
required for the e
On 02/09/16 18:42, Brian May wrote:
> sslio[8259]: fatal: unable to read cert or key file: no error
I found that error reported in an unrelated bug report, the solution
seems to be:
https://bugs.contribs.org/show_bug.cgi?id=7664#c4
> I have been hit by the problem lamented by Jean Franco whiel
Guido Günther writes:
> It has a link:
>
> "I created a patch against openssl that allows to test this." ->
> https://github.com/hannob/bignum-fuzz/blob/master/openssl-break-rsa-values.diff
>
> This allows to crash the matrix ssl server.
Ok, thanks. That looks like you can test it if you can set
Hi Brian,
On Thu, Sep 01, 2016 at 05:41:19PM +1000, Brian May wrote:
> Guido Günther writes:
>
> > There are exploits mentioned in the paper. I think we should test them
> > before releasing a DLA.
>
> What paper are you referring to here?
>
> There is the blog post here:
>
> https://blog.fuzz
Guido Günther writes:
> There are exploits mentioned in the paper. I think we should test them
> before releasing a DLA.
What paper are you referring to here?
There is the blog post here:
https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
However I don't see
Hi Ola,
On Tue, Aug 23, 2016 at 08:39:29AM +0200, Ola Lundqvist wrote:
> Hi Guido
>
> Brian wrote in his mail that he had not tried to reproduce the crash.
> Quote:
> "...although I don't have any exploits test it with."
There are exploits mentioned in the paper. I think we should test them
befor
Hi Guido
Brian wrote in his mail that he had not tried to reproduce the crash.
Quote:
"...although I don't have any exploits test it with."
Best regards
// Ola
On Tue, Aug 23, 2016 at 7:22 AM, Guido Günther wrote:
> On Mon, Aug 22, 2016 at 06:15:33PM +1000, Brian May wrote:
>> Brian May write
On Mon, Aug 22, 2016 at 06:15:33PM +1000, Brian May wrote:
> Brian May writes:
>
> > I will have a look and see if I can hack^h^h^h^hpatch the Debian package
> > to include the above security fix; although I don't have any exploits
> > test it with.
>
> Ok, I have attached my proposed debdiff pa
Brian May writes:
> I will have a look and see if I can hack^h^h^h^hpatch the Debian package
> to include the above security fix; although I don't have any exploits
> test it with.
Ok, I have attached my proposed debdiff patch. It builds using sbuild. I
haven't claimed this package, and unlikely
Guido Günther writes:
> They are basically identical but the git version got a length check
> added in 3.8.4 which is missing in Wheezy and which is responsible for
> the crashes detailed here:
>
>
> https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
>
> I di
Hi Brian,
On Thu, Aug 18, 2016 at 07:24:55AM +0200, Guido Günther wrote:
> Hi Brian,
> On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote:
> > Guido Günther writes:
> >
> > > As I wrote in dla-needed.txt the bignum handling is in
> > > crypto/peersec/mpi.c and it seems to use the same algo
Hi Brian,
On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote:
> Guido Günther writes:
>
> > As I wrote in dla-needed.txt the bignum handling is in
> > crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> > the same checks in e.g. mp_exptmod) so I marked it as
> > vulne
Guido Günther writes:
> As I wrote in dla-needed.txt the bignum handling is in
> crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> the same checks in e.g. mp_exptmod) so I marked it as
> vulnerable. Porting back the fixes from the current version will be
> difficult though
On Thu, Aug 11, 2016 at 07:00:03PM +1000, Brian May wrote:
> Ola Lundqvist writes:
>
> > This is a very large commit but from
> > https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
> > it looks like it is the following files that were updated:
> > - crypto/math/
Hi
You seem to come to the same conclusion as I do.
The implementation of pstm_exptmod and mp_exptmod is considerably different.
They most likely have different set of vulnerabilities.
So let us take a look at what applications that may use matrixssl. The
reverse dependencies are: ipsvd and twoft
Ola Lundqvist writes:
> This is a very large commit but from
> https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
> it looks like it is the following files that were updated:
> - crypto/math/pstm.c
> - crypto/pubkey/dh.c
> - crypto/pubkey/rsa.c
The rsa.c patch
Hi Brian
After some investigation I found the fix here:
https://github.com/matrixssl/matrixssl/commit/57d20a6e85a9cd570884aba686368dd77511d866
This is a very large commit but from
https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
it looks like it is the followi
Brian May writes:
> Had a quick look at the matrixssl security vulnerability.
>
> Unfortunately, finding it difficult to work out which of the upstream
> changes fixes this.
Was meaning to be more informative here, unfortunately the train I was
travelling on unexpectedly terminated prematurely.
28 matches
Mail list logo
