Bug 1594986 - Insecure GNUTLS settings
Summary: Insecure GNUTLS settings
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: iksemel
Version: epel7
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jeffrey C. Ollie
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/meduketto/iksemel/...
Whiteboard:
Duplicates: 1600897 (view as bug list)
Depends On:
Blocks:
Reported: 2018-06-25 23:11 UTC by Gary T. Giesen
Modified: 2018-07-13 18:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-09 14:51:04 UTC

Links
System: Debian BTS
ID: 803204
Priority: None
Status: None
Summary: None
Last Updated: 2018-06-25 23:11:07 UTC

Description Gary T. Giesen 2018-06-25 23:11:08 UTC
Description of problem:

Hardcoded and very low grade ciphers enabled in libiksemel:

    /* Preference lists for the legacy gnutls_*_set_priority() calls:
       descending order of preference, terminated by 0. */
    const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
    const int kx_priority[]       = { GNUTLS_KX_RSA, 0 };
    const int cipher_priority[]   = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
    const int comp_priority[]     = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
    const int mac_priority[]      = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };

SSL3, 3DES, RC4, SSL compression… With this setting not only are low grade
ciphers available, but higher grades are disabled. So this is a
major security issue, also affecting stable.

Version-Release number of selected component (if applicable):
1.4-6

How reproducible:
Always

Additional info:

See issue in upstream github: https://github.com/meduketto/iksemel/issues/48
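As an added example (not iksemel's code and not the reporter's): the arrays quoted in the report feed GnuTLS's old per-category gnutls_*_set_priority() calls, which are gone from GnuTLS 3, where one priority string configures protocols, key exchange, ciphers, MACs and compression together. The block below writes the legacy selection as such a string (constructed for illustration), puts the hardened replacement beside it (start from NORMAL so current suites stay enabled, then explicitly remove SSL 3.0, 3DES, RC4, MD5 and compression), and runs a small audit that flags any weak item a priority string explicitly turns on. The function names, the WEAK_TOKENS list and the HAVE_GNUTLS guard are assumptions of this example; the gnutls_priority_set_direct() call is real GnuTLS API but is only compiled when built with -DHAVE_GNUTLS -lgnutls, so the audit itself needs no GnuTLS to run.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not iksemel code. The names hardened_priority,
 * legacy_priority, audit_priority, apply_hardened and HAVE_GNUTLS are
 * assumed for this illustration. */

/* Constructed priority string equivalent to the arrays in the bug report:
 * TLS 1.0 + SSL 3.0, RSA key exchange, 3DES/RC4, zlib compression, SHA1/MD5. */
const char *legacy_priority(void)
{
    return "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+RSA:+3DES-CBC:+ARCFOUR-128"
           ":+COMP-DEFLATE:+COMP-NULL:+SHA1:+MD5";
}

/* Hardened replacement: begin with the library's NORMAL set so newer suites
 * remain available, then explicitly drop the items the report calls out.
 * Explicit removals matter because older NORMAL sets still included 3DES
 * and RC4. */
const char *hardened_priority(void)
{
    return "NORMAL:-VERS-SSL3.0:-3DES-CBC:-ARCFOUR-128:-MD5:-COMP-ALL:+COMP-NULL";
}

/* Tokens that must never be explicitly enabled: the report's list plus the
 * MD5 MAC and the 40-bit RC4 export variant. */
static const char *const WEAK_TOKENS[] = {
    "VERS-SSL3.0", "3DES-CBC", "ARCFOUR-128", "ARCFOUR-40",
    "MD5", "COMP-DEFLATE", "COMP-ALL", NULL
};

static int is_weak(const char *name)
{
    for (int i = 0; WEAK_TOKENS[i]; i++)
        if (strcmp(name, WEAK_TOKENS[i]) == 0)
            return 1;
    return 0;
}

/* Audit a GnuTLS priority string: count tokens that explicitly enable a weak
 * item ("+NAME" or bare "NAME" after the base keyword). "-"/"!" removals and
 * "%" option flags are ignored, and the base keyword is treated as opaque
 * (the audit cannot see what NORMAL or SECURE128 expand to without GnuTLS).
 * Matching names are appended, comma separated, to `found` when non-NULL. */
int audit_priority(const char *prio, char *found, size_t found_len)
{
    int count = 0, first = 1;
    const char *p = prio;

    if (found && found_len)
        found[0] = '\0';

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[64];
        size_t copy = len < sizeof tok - 1 ? len : sizeof tok - 1;

        memcpy(tok, p, copy);
        tok[copy] = '\0';
        p = end ? end + 1 : p + len;   /* always advance past the whole token */

        if (first) {                    /* base keyword: NONE, NORMAL, ... */
            first = 0;
            continue;
        }
        if (tok[0] == '%' || tok[0] == '-' || tok[0] == '!')
            continue;                   /* option flag or removal, not an enable */

        const char *name = tok[0] == '+' ? tok + 1 : tok;
        if (is_weak(name)) {
            count++;
            if (found && found_len) {
                if (found[0])
                    strncat(found, ",", found_len - strlen(found) - 1);
                strncat(found, name, found_len - strlen(found) - 1);
            }
        }
    }
    return count;
}

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
/* Apply the hardened string to a session (build with -DHAVE_GNUTLS -lgnutls).
 * gnutls_priority_set_direct() points err_pos at the token it rejected. */
int apply_hardened(gnutls_session_t session)
{
    const char *err_pos = NULL;
    int rc = gnutls_priority_set_direct(session, hardened_priority(), &err_pos);
    if (rc != GNUTLS_E_SUCCESS)
        fprintf(stderr, "priority string rejected near '%s': %s\n",
                err_pos ? err_pos : "?", gnutls_strerror(rc));
    return rc;
}
#endif

int main(void)
{
    char found[128];
    int n = audit_priority(legacy_priority(), found, sizeof found);
    printf("legacy   : %d weak item(s) explicitly enabled: %s\n", n, found);
    n = audit_priority(hardened_priority(), found, sizeof found);
    printf("hardened : %d weak item(s) explicitly enabled\n", n);
    return 0;
}
```

The audit only reports what a string turns on by name; it deliberately does not guess what a base keyword such as NORMAL contains, which is exactly why the hardened string removes the weak items explicitly rather than trusting the library default of whichever GnuTLS version happens to be installed.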

Comment 1 Gary T. Giesen 2018-06-25 23:29:15 UTC
Perhaps consider pulling from https://github.com/timothytylee/iksemel-1.4 , upstream seems to be unmaintained.

Comment 2 Jeffrey C. Ollie 2018-07-09 14:51:04 UTC
The github branch you link to isn't any better, iksemel is effectively abandoned. I do not have the time/desire to take on maintenance and as far as I can see no one else does either.

Comment 3 Jason Tibbitts 2018-07-09 14:59:24 UTC
In case it's not obvious, iksemel has been retired on both the rawhide and epel7 branches and should disappear from EPEL7 soon.  This will leave zabbix{20,22}-server-{mysql,pgsql} with broken dependencies.

It's still available in EPEL6, though; perhaps it should be retired there as well.  This will of course leave more broken dependencies in the various zabbix releases.

Comment 4 Jeffrey C. Ollie 2018-07-09 15:12:06 UTC
Yes, I was the one that just retired those branches. I just did EL6 as well.  I emailed the zabbix and asterisk owners as well as the development list and no one seemed to care. From what I know of the Zabbix and Asterisk packaging it should be fairly easy to rebuild both packages without iksemel.

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/I5442Q55W7YE6ZFFDBZIUBE7KM2ZNTM3/

Comment 5 Kevin Fenzi 2018-07-13 18:16:55 UTC
*** Bug 1600897 has been marked as a duplicate of this bug. ***
