
OpenSSL on secure.wikimedia.org is possibly vulnerable to CVE-2009-3555
Closed, Resolved, Public

Description

Author: thumper

Description:
While using Firefox 3.6.6 to access https://secure.wikimedia.org and https://bugzilla.wikimedia.org, I received the following message: "bugzilla.wikimedia.org : potentially vulnerable to CVE-2009-3555"

Someone suggested that I report this in case it's a real issue that could compromise users trying to use a secure service.


Version: unspecified
Severity: normal

Details

Reference
bz24332

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:05 PM
bzimport set Reference to bz24332.

My 3.6.6 doesn't tell me that for bugzilla...

thumper wrote:

I should clarify that I received a similar message for secure.wikimedia.org, not the same message. I am using FF under OSX Leopard, so perhaps that makes a difference?

Possibly, I'm on Windows.

Where is the error appearing? When you first try and visit the site?

thumper wrote:

(In reply to comment #3)

Where is the error appearing? When you first try and visit the site?

Yes. I bring up the error log and clear all messages. Then I enter "https://secure.wikimedia.org" into the URL bar. It appears to me as if the message is generated during the SSL handshake phase, which makes sense if FF is reporting the error based on version number or some such.

The error log on your local system? Which error log specifically? (I can recreate the OS and browser settings, just let me know where the log is.)

thumper wrote:

(In reply to comment #6)

The error log on your local system? Which error log specifically? (I can recreate the OS and browser settings, just let me know where the log is.)

I misspoke. It's in the Error Console for Firefox. You usually reach it via cmd-shift-J, or ctrl-shift-J.

(In reply to comment #4)

For the reference:

http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

"The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, ...."

We seem to be running Apache 2.2.8, maybe we should upgrade?

I commented this on #wikimedia-tech in case the fix hadn't been backported by Ubuntu.
domas considered that the fix was to change the Server header to hide the version.

matt wrote:

Firefox prints the warning if the server does not use renegotiation indication (https://tools.ietf.org/html/rfc5746), a TLS protocol feature. See https://bugzilla.mozilla.org/show_bug.cgi?id=535649.

I tested with gnutls-cli and both secure.wikimedia.org and bugzilla.wikimedia.org seem to be using renegotiation indication now, so unless someone else sees differently I think this bug can be closed.
