openssl upgrade CVE-2020-1967
chunhui.jia at linux.intel.com
Fri May 8 10:27:57 AEST 2020
From: Joseph Reynolds <jrey at linux.ibm.com>
Subject: Re: openssl upgrade CVE-2020-1967
To: "chunhui.jia" <chunhui.jia at linux.intel.com>, "Brad Bishop" <bradleyb at fuzziesquirrel.com>
Cc: "Bills, Jason M" <jason.m.bills at linux.intel.com>, "Vernon Mauery" <vernon.mauery at linux.intel.com>, "openbmc at lists.ozlabs.org" <openbmc at lists.ozlabs.org>, "James Feist" <james.feist at linux.intel.com>
On 5/7/20 2:43 AM, chunhui.jia wrote:
> There is a CVE reported in OpenSSL 1.1.1d (used by current openbmc).
> Severity is high.
> CVE-2020-1967 <https://nvd.nist.gov/vuln/detail/CVE-2020-1967>
> Server or client applications that call the SSL_check_chain() function
> during or after a TLS 1.3 handshake may crash due to a NULL pointer
> dereference as a result of incorrect handling of the
> "signature_algorithms_cert" TLS extension. The crash occurs if an
> invalid or unrecognised signature algorithm is received from the peer.
> This could be exploited by a malicious peer in a Denial of Service
> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by
> this issue. This issue did not affect OpenSSL versions prior to
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
Thanks for reporting this. According to OpenBMC network security
considerations, SSL (and specifically OpenSSL) is used in two
places: the dropbear SSH server and the BMCWeb HTTPS server. I
don't see any references to the defective function (SSL_check_chain) in
those code bases or in any other OpenBMC code. I've CC'd the BMCWeb
maintainers to help check this. If that is all true, the OpenBMC is not
I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release
which does use OpenSSL 1.1.1g.
> It is fixed in 1.1.1g. Upstream recipe already points openssl to
> the latest version (1.1.1g).
> Will you update poky subtree to latest?
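A triage script that automates the two-step reasoning in the reply above (is the shipped OpenSSL in the affected 1.1.1d-1.1.1f range, and does anything in the tree call SSL_check_chain()?), added here as an example; it is not code from the thread or from the OpenBMC project. It assumes `openssl` is on PATH and that callers are visible by name in C/C++ sources, so a call hidden behind a wrapper or macro would not be found.

```python
# Triage helper for CVE-2020-1967 (added example, not from the thread).
# Step 1: version check against the affected range. Step 2: search the
# source tree for the only function the advisory names, SSL_check_chain().
import re
import subprocess
from pathlib import Path
from typing import Iterable, Iterator, Tuple

AFFECTED_LETTERS = "def"          # 1.1.1d, 1.1.1e, 1.1.1f are affected
FIXED_IN = "1.1.1g"               # first release carrying the fix
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".h", ".hpp"}

def is_affected(version_banner: str) -> bool:
    """True when an `openssl version` banner names 1.1.1d, 1.1.1e or 1.1.1f."""
    m = VERSION_RE.search(version_banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {version_banner!r}")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    return (major, minor, patch) == (1, 1, 1) and letter in AFFECTED_LETTERS

def scan_source(name: str, text: str) -> list:
    """Return 'name:line' for each line of one file that mentions SSL_check_chain."""
    return [f"{name}:{n}" for n, line in enumerate(text.splitlines(), 1)
            if "SSL_check_chain" in line]

def load_sources(root: Path) -> Iterator[Tuple[str, str]]:
    """Yield (relative path, contents) for every C/C++ file under root."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            yield str(path.relative_to(root)), path.read_text(errors="replace")

def triage(version_banner: str, sources: Iterable[Tuple[str, str]]) -> str:
    """Combine the version check and the caller search into one verdict."""
    if not is_affected(version_banner):
        return "not affected: OpenSSL version is outside 1.1.1d-1.1.1f"
    refs = [ref for name, text in sources for ref in scan_source(name, text)]
    if not refs:
        return "version affected, but no SSL_check_chain() caller found"
    return f"AFFECTED: upgrade to {FIXED_IN}; callers: " + ", ".join(refs)

if __name__ == "__main__":
    # Assumes `openssl` is on PATH and the tree to audit is the current directory.
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    print(triage(banner, load_sources(Path("."))))
```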