Last modified: 2011-04-06 17:17:36 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T26332, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 24332 - OpenSSL on secure.wikimedia.org is possibly vulnerable to CVE-2009-3555


Summary:	OpenSSL on secure.wikimedia.org is possibly vulnerable to CVE-2009-3555

Status:	RESOLVED FIXED

Product:	Wikimedia
Classification:	Unclassified
Component:	Site requests (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Normal normal (vote)
Target Milestone:	---
Assigned To:	Rob Halsell

URL:
Whiteboard:
Keywords:	shell

Depends on:
Blocks:	ssl
	Show dependency tree / graph

Reported:	2010-07-10 15:54 UTC by Bo Adler
Modified:	2011-04-06 17:17 UTC (History)
CC List:	4 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Bo Adler 2010-07-10 15:54:29 UTC

While using Firefox 3.6.6 to access https://secure.wikimedia.org and https://bugzilla.wikimedia.org, I received the following message: "bugzilla.wikimedia.org : potentially vulnerable to CVE-2009-3555"

Someone suggested that I report this in case it's a real issue that could compromise users trying to use a secure service.

Comment 1 Sam Reed (reedy) 2010-07-10 16:00:43 UTC

My 3.6.6 doesn't tell me it for bugzilla...

Comment 2 Bo Adler 2010-07-10 16:04:53 UTC

I should clarify that I received a similar message for secure.wikimedia.org, not the same message.  I am using FF under OSX Leopard, so perhaps that makes a difference?

Comment 3 Sam Reed (reedy) 2010-07-10 16:06:10 UTC

Possibly, I'm on Windows.

Where is the error appearing? When you first try and visit the site?

Comment 4 Max Semenik 2010-07-10 16:09:24 UTC

For the reference:

* CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=﷒0﷓
* Apache announcement: http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

Comment 5 Bo Adler 2010-07-10 18:54:59 UTC

(In reply to comment #3)
> Where is the error appearing? When you first try and visit the site?

Yes.  I bring up the error log and clear all messages.  Then I enter "https://secure.wikimedia.org" into the url bar.  It appears to me as if the message is generated during the SSL handshake phase, which makes sense if FF is reporting the error based on version number or some such.

Comment 6 Rob Halsell 2010-07-20 17:17:15 UTC

The error log on your local system?  Which error log specifically?  (I can recreate the OS and browser settings, just let me know where the log is.)

Comment 7 Bo Adler 2010-07-20 17:22:28 UTC

(In reply to comment #6)
> The error log on your local system?  Which error log specifically?  (I can
> recreate the OS and browser settings, just let me know where the log is.)

I misspoke.  It's in the Error Console for Firefox.  You usually reach it via cmd-shift-J, or ctrl-shift-J.

Comment 8 Roan Kattouw 2010-07-20 18:10:40 UTC

(In reply to comment #4)
> For the reference:
> 
> * CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=﷒0﷓
> * Apache announcement:
> http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

"The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, ...."

We seem to be running Apache 2.2.8, maybe we should upgrade?

Comment 9 Platonides 2010-07-20 18:17:51 UTC

I commented this on #wikimedia-tech in case the fix hadn't been backported by Ubuntu.
domas considered that the fix was to change the Server header to hide the version.

Comment 10 Matt McCutchen 2011-03-10 02:13:56 UTC

Firefox prints the warning if the server does not use renegotiation indication (https://tools.ietf.org/html/rfc5746), a TLS protocol feature.  See https://bugzilla.mozilla.org/show_bug.cgi?id=535649 .

I tested with gnutls-cli and both secure.wikimedia.org and bugzilla.wikimedia.org seem to be using renegotiation indication now, so unless someone else sees differently I think this bug can be closed.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links