Last modified: 2011-04-06 17:17:36 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T26332, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 24332 - OpenSSL on secure.wikimedia.org is possibly vulnerable to CVE-2009-3555
OpenSSL on secure.wikimedia.org is possibly vulnerable to CVE-2009-3555
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Site requests (Other open bugs)
unspecified
All All
: Normal normal (vote)
: ---
Assigned To: Rob Halsell
: shell
Depends on:
Blocks: ssl
  Show dependency treegraph
 
Reported: 2010-07-10 15:54 UTC by Bo Adler
Modified: 2011-04-06 17:17 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Bo Adler 2010-07-10 15:54:29 UTC 
While using Firefox 3.6.6 to access https://secure.wikimedia.org and https://bugzilla.wikimedia.org, I received the following message: "bugzilla.wikimedia.org : potentially vulnerable to CVE-2009-3555"

Someone suggested that I report this in case it's a real issue that could compromise users trying to use a secure service.
Comment 1 Sam Reed (reedy) 2010-07-10 16:00:43 UTC 
My 3.6.6 doesn't tell me it for bugzilla...
Comment 2 Bo Adler 2010-07-10 16:04:53 UTC 
I should clarify that I received a similar message for secure.wikimedia.org, not the same message.  I am using FF under OSX Leopard, so perhaps that makes a difference?
Comment 3 Sam Reed (reedy) 2010-07-10 16:06:10 UTC 
Possibly, I'm on Windows.

Where is the error appearing? When you first try and visit the site?
Comment 4 Max Semenik 2010-07-10 16:09:24 UTC 
For the reference:

* CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=﷒0﷓
* Apache announcement: http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
Comment 5 Bo Adler 2010-07-10 18:54:59 UTC 
(In reply to comment #3)
> Where is the error appearing? When you first try and visit the site?

Yes.  I bring up the error log and clear all messages.  Then I enter "https://secure.wikimedia.org" into the url bar.  It appears to me as if the message is generated during the SSL handshake phase, which makes sense if FF is reporting the error based on version number or some such.
Comment 6 Rob Halsell 2010-07-20 17:17:15 UTC 
The error log on your local system?  Which error log specifically?  (I can recreate the OS and browser settings, just let me know where the log is.)
Comment 7 Bo Adler 2010-07-20 17:22:28 UTC 
(In reply to comment #6)
> The error log on your local system?  Which error log specifically?  (I can
> recreate the OS and browser settings, just let me know where the log is.)

I misspoke.  It's in the Error Console for Firefox.  You usually reach it via cmd-shift-J, or ctrl-shift-J.
Comment 8 Roan Kattouw 2010-07-20 18:10:40 UTC 
(In reply to comment #4)
> For the reference:
> 
> * CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=﷒0﷓
> * Apache announcement:
> http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

"The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, ...."

We seem to be running Apache 2.2.8, maybe we should upgrade?
Comment 9 Platonides 2010-07-20 18:17:51 UTC 
I commented this on #wikimedia-tech in case the fix hadn't been backported by Ubuntu.
domas considered that the fix was to change the Server header to hide the version.
Comment 10 Matt McCutchen 2011-03-10 02:13:56 UTC 
Firefox prints the warning if the server does not use renegotiation indication (https://tools.ietf.org/html/rfc5746), a TLS protocol feature.  See https://bugzilla.mozilla.org/show_bug.cgi?id=535649 .

I tested with gnutls-cli and both secure.wikimedia.org and bugzilla.wikimedia.org seem to be using renegotiation indication now, so unless someone else sees differently I think this bug can be closed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links