API tools faq
paste
Advertisement
drpanwe

Untitled

drpanwe
Aug 23rd, 2018
307
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.92 KB | None | 0 0
raw download clone embed print report
  1. ----------------------- testreport log -------------------------------
  2.  
  3. SUMMARY:FAILED
  4.  
  5. comment: Regression has been found, since the new option CipherSuite produces an error and prevents the establishment of TLS1 connection with the remote host using ftp protocol. The other two bug-reports were fixed in the previous version.
  6.  
  7. $Author: pgeorgiadis $
  8.  
  9. Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP3 (i386, x86_64)
  10. Category: security
  11. SAT Patch No: 9944
  12. MD5 sum: ac2aba5516857ac48ef10e9ae01e12a2
  13. SUBSWAMPID: 59609
  14. Packager: tchvatal@suse.com
  15. Bugs: 902229, 828469, 856424
  16. Repository: http://hilbert.nue.suse.com/abuildstat/patchinfo/ac2aba5516857ac48ef10e9ae01e12a2/
  17. Packages: pure-ftpd >= 1.0.22-3.23.1
  18. SRCRPMs: pure-ftpd
  19. Test Plan Reviewers: Johannes Segitz <jsegitz@suse.com>
  20. Testplatform: base=sles(major=11,minor=sp3);arch=[i386,s390x,x86_64]
  21. Testplatform: base=sled(major=11,minor=sp3);arch=[i386,x86_64]
  22.  
  23. #############################
  24. Test results by product-arch:
  25. #############################
  26.  
  27. sled11sp3-i386 (reference host: bashir.qam.suse.de)
  28. --------------
  29. before:
  30. pure-ftpd-1.0.22-3.21.1
  31. after:
  32. pure-ftpd-1.0.22-3.23.1
  33. scripts:
  34. all_updated : SUCCEEDED
  35. dependencies : SUCCEEDED
  36. from_same_srcrpm : SUCCEEDED
  37. initrd_state : SUCCEEDED
  38. multiple-owners : SUCCEEDED
  39. new_dependencies : SUCCEEDED
  40. new_licenses : SUCCEEDED
  41. vendor_and_disturl : SUCCEEDED
  42.  
  43. => PASSED
  44.  
  45. comment: (none)
  46.  
  47. sled11sp3-x86_64 (reference host: jadzia.qam.suse.de)
  48. ----------------
  49. before:
  50. pure-ftpd-1.0.22-3.21.1
  51. after:
  52. pure-ftpd-1.0.22-3.23.1
  53. scripts:
  54. all_updated : SUCCEEDED
  55. dependencies : SUCCEEDED
  56. from_same_srcrpm : SUCCEEDED
  57. initrd_state : SUCCEEDED
  58. multiple-owners : SUCCEEDED
  59. new_dependencies : SUCCEEDED
  60. new_licenses : SUCCEEDED
  61. vendor_and_disturl : SUCCEEDED
  62.  
  63. => PASSED
  64.  
  65. comment: (none)
  66.  
  67. sles11sp3-i386 (reference host: dukat.qam.suse.de)
  68. --------------
  69. before:
  70. pure-ftpd-1.0.22-3.21.1
  71. after:
  72. pure-ftpd-1.0.22-3.23.1
  73. scripts:
  74. all_updated : SUCCEEDED
  75. dependencies : SUCCEEDED
  76. from_same_srcrpm : SUCCEEDED
  77. initrd_state : SUCCEEDED
  78. multiple-owners : SUCCEEDED
  79. new_dependencies : SUCCEEDED
  80. new_licenses : SUCCEEDED
  81. vendor_and_disturl : SUCCEEDED
  82.  
  83. => PASSED
  84.  
  85. comment: (none)
  86.  
  87. sles11sp3-s390x (reference host: s390vsw068.suse.de)
  88. ---------------
  89. before:
  90. pure-ftpd-1.0.22-3.21.1
  91. after:
  92. pure-ftpd-1.0.22-3.23.1
  93. scripts:
  94. all_updated : SUCCEEDED
  95. dependencies : SUCCEEDED
  96. from_same_srcrpm : SUCCEEDED
  97. initrd_state : SUCCEEDED
  98. multiple-owners : SUCCEEDED
  99. new_dependencies : SUCCEEDED
  100. new_licenses : SUCCEEDED
  101. vendor_and_disturl : SUCCEEDED
  102.  
  103. => PASSED
  104.  
  105. comment: (none)
  106.  
  107. sles11sp3-x86_64 (reference host: sisko.qam.suse.de)
  108. ----------------
  109. before:
  110. pure-ftpd-1.0.22-3.21.1
  111. after:
  112. pure-ftpd-1.0.22-3.23.1
  113. scripts:
  114. all_updated : SUCCEEDED
  115. dependencies : SUCCEEDED
  116. from_same_srcrpm : SUCCEEDED
  117. initrd_state : SUCCEEDED
  118. multiple-owners : SUCCEEDED
  119. new_dependencies : SUCCEEDED
  120. new_licenses : SUCCEEDED
  121. vendor_and_disturl : SUCCEEDED
  122.  
  123. => PASSED
  124.  
  125. comment: (none)
  126.  
  127.  
  128. ########################
  129. notes for/by the tester:
  130. ########################
  131.  
  132. Bug #902229 ("VUL-0: CVE-2014-3566: pure-ftpd: FTP sus..."):
  133. ------------------------------------------------------------
  134.  
  135. https://bugzilla.suse.com/show_bug.cgi?id=902229
  136.  
  137. REPRODUCER_PRESENT: YES
  138. REPRODUCER_COVERAGE: YES
  139. REPRODUCER_APPLICABLE: YES
  140. REPRODUCER_WORKING: YES
  141. REPRODUCER_AUTOMATABLE: YES
  142.  
  143. ...
  144.  
  145. setup - configuration you need:
  146.  
  147. # Make sure you are using the vulnerable version of pure-ftpd (pure-ftp : 1.0.22-3.21.1)
  148. zypper se -s pure-ftpd
  149.  
  150. S | Name | Type | Version | Arch | Repository
  151. --+-------------------+------------+---------------+--------+-----------------------
  152. i | pure-ftpd | package | 1.0.22-3.21.1 | x86_64 | SLE11SP3-SERVER-UPDATE <-- version check confirmed
  153. v | pure-ftpd | package | 1.0.22-3.19.1 | x86_64 | SLE11SP3-SERVER
  154. | pure-ftpd | srcpackage | 1.0.22-3.21.1 | noarch | SLE11SP3-SERVER-UPDATE
  155. | slessp3-pure-ftpd | patch | 9849 | noarch | SLE11SP3-SERVER-UPDATE
  156.  
  157. # Create the OpenSSL cert
  158. mkdir -p /etc/ssl/private/
  159. openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
  160. chmod 600 /etc/ssl/private/pure-ftpd.pem
  161.  
  162. # Stop and restart (loading the configuration) the pure-ftpd daemon
  163. service pure-ftpd stop
  164. /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf # starts the service using the configuration from the /etc/pure-ftpd/pure-ftpd.conf
  165.  
  166. # Configure syslog-ng to exlude FTP logs into a separate file
  167. vim /etc/syslog-ng/syslog-ng.conf
  168.  
  169. # and add
  170. destination d_ftp { file("/var/log/pure-ftpd.log"); };
  171. filter f_ftp {
  172. facility(ftp);
  173. };
  174. log { source(src); filter(f_ftp); destination(d_ftp); };
  175.  
  176. # restart the syslog-ng
  177. killall -HUP syslogd
  178.  
  179. # Monitor the /var/log/pure-ftpd.log
  180. tail -f /var/log/pure-ftpd.log
  181.  
  182. # Test commands
  183. for SSL3:openssl s_client -starttls ftp -ssl3 -connect sisko.qam.suse.de:21
  184. for SSL2:openssl s_client -starttls ftp -ssl2 -connect sisko.qam.suse.de:21
  185. for TLS1:openssl s_client -starttls ftp -tls1 -connect sisko.qam.suse.de:21
  186.  
  187. # Start testing
  188. -> Please check the following table (overview)
  189.  
  190. State Config | SSL3 | SSL2 | TLS1 || Command-Line
  191. ==========================================================================================================================================================================================
  192. before Default | -- | - | -- ||/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
  193. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  194. before TLS 1 Verbose | works | works | works ||/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1
  195. ==========================================================================================================================================================================================
  196. after Default | -- | - | -- ||/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
  197. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  198. after TLS 1 Verbose | works | works | works ||/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 ||
  199. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  200. after TLS 1 Verbose | --- | --- | --- ||/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3
  201. CipherSuite [*] | | | ||
  202. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  203. ^
  204. |
  205. |
  206. / \
  207. Regression found (last line saying: after, TLS1, Verbose CipherSuite)
  208. Explanation:
  209.  
  210. 'before' means:
  211. The vulnerable version pure-ftpd-1.0.22-3.21.1
  212.  
  213. 'after' means:
  214. The new patched version pure-ftpd-1.0.22-3.23.1
  215.  
  216. 'default' means:
  217. No changes in the /etc/pure-ftpd/pure-ftpd.conf
  218.  
  219. 'TLS 1 Verbose' means:
  220. # configure pure-ftpd to accept TLS Authetication.
  221. --> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '# TLS 1' ==> 'TLS 1'
  222.  
  223. # configure pure-ftpd to log itself as ftp in syslog-ng
  224. --> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: 'VerboseLog no' ==> 'VerboseLog yes'
  225.  
  226. 'CipherSuite' means:
  227. # configure pure-ftpd to use the new CipherSuite option that fixes the problem
  228. --> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' ==> 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
  229.  
  230. '-' means:
  231. CONNECTED(00000003)
  232. (I have to press CTRL+C - (it hangs there))
  233.  
  234. '--' means:
  235. CONNECTED(00000003)
  236. 56309:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:
  237.  
  238. '---' means:
  239. socket: Connection refused
  240. connect:errno=111
  241.  
  242. '[*]' means:
  243. Nov 18 14:57:29 s390vsw068 pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
  244. -> it seems that this new option is not valid
  245.  
  246. 'works' means:
  247. Nov 18 14:55:45 s390vsw068 pure-ftpd: (?@10.161.157.68) [DEBUG] Command [auth] [TLS]
  248. Nov 18 14:55:45 s390vsw068 pure-ftpd: (?@10.161.157.68) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
  249. (I am pressing CTRL+C)
  250. Nov 18 14:55:47 s390vsw068 pure-ftpd: (?@10.161.157.68) [INFO] Logout.
  251.  
  252. Comments:
  253. [1] after applying the update the new options 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' is not used by default. It's commented
  254. [2] if enabled, then TLS1 fails (which is not the case) along with SSL3 and SSL2
  255. [3] if enabled, and if you monitor the syslog-ng, you will catch an error: pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
  256.  
  257. According to the bug-report, it should be:
  258.  
  259. BEFORE | AFTER
  260. -------------------------
  261. SSL3: YES | NO
  262. SSL2: YES | NO
  263. TLS1: YES | YES
  264.  
  265. but, what I've get is:
  266.  
  267. BEFORE | AFTER
  268. -------------------------
  269. SSL3: YES | NO
  270. SSL2: YES | NO
  271. TLS1: YES | NO <- TLS1 is no working but it was supposed to
  272.  
  273. After some searching I found out that in the online documentation that is on github they have added a new README (https://github.com/jedisct1/pure-ftpd/blob/master/README) with
  274. the description "Disabling SSLv3 was already supported" and they say that:
  275.  
  276. - '-J <ciphers>': Sets the list of ciphers that will be accepted for
  277. SSL/TLS connections.
  278. For example: -J -S:HIGH:MEDIUM
  279. Prefixing the list with -S: totally disables SSLv3, which is highly
  280. recommended if you don't have to support old clients.
  281. SSLv2 is always disabled.
  282.  
  283. The part of using '-S' flag is missing from our documentation (manpage). Also, the code for this command doesn't seem to be backported.
  284. I did a diff between the github's ftpd.c and our package ftpd.c and searched for the "case 'J'" which is used for the CipherSuite
  285.  
  286. wget http://qam.suse.de/testreports/ac2aba5516857ac48ef10e9ae01e12a2/diff
  287. panos@g82:~> cat diff | grep -A 10 -- "case 'J'"
  288. +case 'J': {
  289. +if (strncmp(optarg, "-S:", sizeof "-S:" - (size_t) 1U) == 0) {
  290. +optarg += sizeof "-S:" - (size_t) 1U;
  291. +ssl_disabled = 1;
  292. +}
  293. +if ((tlsciphersuite = strdup(optarg)) == NULL) {
  294. +die_mem();
  295. +}
  296. +break;
  297. +}
  298. +#endif
  299.  
  300. as you can see the implementation of '-S' that prevents SSLv3 is missing from our source code.
  301.  
  302. In addition, the only option that doesn't produce an error in the configuration file is
  303. --> TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
  304.  
  305. Testing this one, SSLv2 is blocked while SSLv3 and TLS1 are allowed.
  306. Mind also that TLSv1 ciphers are flagged as SLLv3 (I don't know if this is relevant)
  307.  
  308. openssl ciphers -v 'TLSv1' | sort
  309.  
  310. ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
  311. ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
  312. ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
  313. ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
  314. ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
  315. ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
  316. ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
  317. AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
  318. AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
  319. CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
  320. CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
  321. DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
  322. DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
  323. DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
  324. DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
  325. DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
  326. DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
  327. DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
  328. DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
  329. DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
  330. DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
  331. EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
  332. EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
  333. EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
  334. <span style="color:rgb(0,0,0);font-family:'Lucida Console',Courier,'Courier New';font-size:12px;background-color:r
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!