<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type><!-- flashmail style begin -->
<STYLE type=text/css>
body {border-width:0;margin:0}
img {border:0;margin:0;padding:0}
</STYLE>
<BASE target=_blank><!-- flashmail style end -->
<META name=GENERATOR content="MSHTML 11.00.9600.19678"></HEAD>
<BODY
style="BORDER-LEFT-WIDTH: 0px; FONT-SIZE: 10.5pt; FONT-FAMILY: Microsoft YaHei; BORDER-RIGHT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; COLOR: #000000; MARGIN: 12px; LINE-HEIGHT: 1.5; BORDER-TOP-WIDTH: 0px"
marginheight="0" marginwidth="0">
<DIV>Thanks Joseph.</DIV>
<DIV> </DIV>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; COLOR: #c0c0c0"
align=left>2020-05-08
<HR id=SignNameHR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; WIDTH: 122px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px"
align=left>
<SPAN id=_FlashSignName>chunhui.jia</SPAN> </DIV>
<HR
style="BORDER-TOP: #c0c0c0 1px solid; HEIGHT: 1px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px">
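<DIV>The triage Joseph describes in the quoted message below (grep the code bases for the vulnerable entry point, then confirm which OpenSSL release the Yocto recipe builds) can be scripted. The following is an added example written for this page, not code from OpenBMC, OpenSSL or either correspondent. The sample tree it builds, its file names and contents, is constructed for the demo, and the recipe-name parsing assumes the poky naming convention openssl_&lt;version&gt;.bb seen in the thread.</DIV>

```shell
#!/bin/sh
# Added example, not OpenBMC or OpenSSL code: a small triage script for
# CVE-2020-1967 that applies the two checks from the thread to a source tree.
#   1. Does any source file call SSL_check_chain()? (the vulnerable entry point)
#   2. Which OpenSSL version does the Yocto recipe select, and is it 1.1.1d-1.1.1f?
# make_sample_tree builds a constructed tree with invented file names and
# contents purely for demonstration; they are not real project files.

# List source files that reference SSL_check_chain as a whole word.
# Exit status follows grep: 0 if a caller is found, 1 if none.
ssl_check_chain_callers() {
    grep -rlw --include='*.c' --include='*.cpp' --include='*.h' --include='*.hpp' \
        'SSL_check_chain' "$1" 2>/dev/null
}

# Extract the OpenSSL version from a poky-style recipe name such as
# recipes-connectivity/openssl/openssl_1.1.1g.bb. Prints nothing if none is found.
openssl_version_from_recipe() {
    find "$1" -type f -name 'openssl_*.bb' 2>/dev/null | head -n 1 |
        sed -n 's/.*openssl_\(.*\)\.bb$/\1/p'
}

# Print "yes" if the version is in the advisory's affected range 1.1.1d..1.1.1f
# (earlier 1.1.1 releases and 1.1.1g are not affected), otherwise "no".
cve_2020_1967_affected_version() {
    case "$1" in
        1.1.1[def]) echo yes ;;
        *) echo no ;;
    esac
}

# Combine both checks. Exit status: 0 not affected, 2 affected, 1 undecided.
triage_cve_2020_1967() {
    tree="$1"
    callers=$(ssl_check_chain_callers "$tree" || true)
    ver=$(openssl_version_from_recipe "$tree")
    if [ -z "$callers" ]; then
        echo "not-affected: no SSL_check_chain caller"
        return 0
    fi
    if [ -z "$ver" ]; then
        echo "unknown: SSL_check_chain caller(s) found but no openssl recipe in tree"
        return 1
    fi
    if [ "$(cve_2020_1967_affected_version "$ver")" = no ]; then
        echo "not-affected: openssl $ver outside 1.1.1d-1.1.1f"
        return 0
    fi
    echo "affected: openssl $ver and caller(s): $(printf '%s' "$callers" | tr '\n' ' ')"
    return 2
}

# Build a constructed sample tree (hypothetical paths and contents):
# $1 = OpenSSL version the recipe names, $2 = 1 to include a file that calls
# SSL_check_chain, anything else to leave it out. Prints the tree's root.
make_sample_tree() {
    want_caller="$2"
    root=$(mktemp -d)
    mkdir -p "$root/bmcweb/http" "$root/tools" "$root/poky/meta/recipes-connectivity/openssl"
    # A server that handshakes but never calls SSL_check_chain, like the thread's finding.
    printf '%s\n' '#include <openssl/ssl.h>' \
        'void serve(SSL *s) { SSL_do_handshake(s); }' > "$root/bmcweb/http/server.hpp"
    if [ "$want_caller" = 1 ]; then
        printf '%s\n' '#include <openssl/ssl.h>' \
            'int ok(SSL *s, X509 *x, EVP_PKEY *k, STACK_OF(X509) *c) { return SSL_check_chain(s, x, k, c); }' \
            > "$root/tools/chaincheck.c"
    fi
    # poky names the recipe after the version it builds, e.g. openssl_1.1.1g.bb.
    : > "$root/poky/meta/recipes-connectivity/openssl/openssl_$1.bb"
    echo "$root"
}

# Usage against a real checkout: triage_cve_2020_1967 /path/to/openbmc-tree
```

<DIV>A clean grep is necessary but not sufficient: the call could sit in a vendored copy with a different file extension, or be reached only through a library, and distributions sometimes backport fixes without changing the version string, so the result is a triage hint to confirm against the actual build, not a verdict.</DIV>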
<BLOCKQUOTE id=ntes-flashmail-quote
style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana; PADDING-LEFT: 0px; MARGIN-LEFT: 0px">
<DIV><STRONG>From:</STRONG> Joseph Reynolds &lt;jrey@linux.ibm.com&gt;</DIV>
<DIV><STRONG>Sent:</STRONG> 2020-05-08 00:54</DIV>
<DIV><STRONG>Subject:</STRONG> Re: openssl upgrade CVE-2020-1967</DIV>
<DIV><STRONG>To:</STRONG> "chunhui.jia" &lt;chunhui.jia@linux.intel.com&gt;, "Brad Bishop" &lt;bradleyb@fuzziesquirrel.com&gt;</DIV>
<DIV><STRONG>Cc:</STRONG> "Bills, Jason M" &lt;jason.m.bills@linux.intel.com&gt;, "Vernon Mauery" &lt;vernon.mauery@linux.intel.com&gt;, "openbmc@lists.ozlabs.org" &lt;openbmc@lists.ozlabs.org&gt;, "James Feist" &lt;james.feist@linux.intel.com&gt;</DIV>
<DIV> </DIV>
<DIV>
<DIV>On 5/7/20 2:43 AM, chunhui.jia wrote: </DIV>
<DIV>> Brad, </DIV>
<DIV>> There is a CVE reported in openSSL 1.1.1d (used by current openbmc). </DIV>
<DIV>> Severity is high. </DIV>
<DIV>> </DIV>
<DIV>> CVE-2020-1967 &lt;https://nvd.nist.gov/vuln/detail/CVE-2020-1967&gt; </DIV>
<DIV>> Server or client applications that call the SSL_check_chain() function </DIV>
<DIV>> during or after a TLS 1.3 handshake may crash due to a NULL pointer </DIV>
<DIV>> dereference as a result of incorrect handling of the </DIV>
<DIV>> "signature_algorithms_cert" TLS extension. The crash occurs if an </DIV>
<DIV>> invalid or unrecognised signature algorithm is received from the peer. </DIV>
<DIV>> This could be exploited by a malicious peer in a Denial of Service </DIV>
<DIV>> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by </DIV>
<DIV>> this issue. This issue did not affect OpenSSL versions prior to </DIV>
<DIV>> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). </DIV>
<DIV>> </DIV>
<DIV> </DIV>
<DIV>Thanks for reporting this. According to OpenBMC network security </DIV>
<DIV>considerations [1], SSL (and specifically OpenSSL) is used in two </DIV>
<DIV>places: the dropbear SSH server [2] and the BMCWeb HTTPS server [3]. I </DIV>
<DIV>don't see any references to the defective function (SSL_check_chain) in </DIV>
<DIV>those code bases or in any other OpenBMC code. I've CC'd the BMCWeb </DIV>
<DIV>maintainers to help check this. If that is all true, OpenBMC is not </DIV>
<DIV>affected. </DIV>
<DIV> </DIV>
<DIV>I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release </DIV>
<DIV>[4] which does use OpenSSL 1.1.1g [5]. </DIV>
<DIV> </DIV>
<DIV>- Joseph </DIV>
<DIV> </DIV>
<DIV>[1]: </DIV>
<DIV>https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md </DIV>
<DIV>[2]: https://github.com/mkj/dropbear </DIV>
<DIV>[3]: https://github.com/openbmc/bmcweb </DIV>
<DIV>[4]: https://wiki.yoctoproject.org/wiki/Releases </DIV>
<DIV>[5]: </DIV>
<DIV>https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl?h=dunfell </DIV>
<DIV> </DIV>
<DIV>> It is fixed in 1.1.1g. The upstream recipe already points openssl to </DIV>
<DIV>> the latest version (1.1.1g). </DIV>
<DIV>> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb </DIV>
<DIV>> Will you update poky subtree to latest? </DIV>
<DIV> </DIV></DIV></BLOCKQUOTE></BODY></HTML>