[Bug 1370478] [NEW] [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"

[Thomas Ward]

*** This bug is a security vulnerability ***

Public security bug reported:

A security vulnerability was found in the nginx package.  All versions
in Lucid, Precise, Trusty, and Utopic are affected.

------

This is the email that went out in the nginx security advisories list
regarding this vulnerability:

Hello!

A problem with SSL session cache in nginx was identified by Antoine
Delignat-Lavaud.  It was possible to reuse cached SSL sessions in
unrelated contexts, allowing virtual host confusion attacks in some
configurations by an attacker in a privileged network position
(CVE-2014-3616).

The problem affects nginx 0.5.6 - 1.7.4 if the same shared
ssl_session_cache and/or ssl_session_ticket_key are used for multiple
server{} blocks.

The problem is fixed in nginx 1.7.5, 1.6.2.

Further details can be found in the paper by Antoine Delignat-Lavaud
et al., available at http://bh.ht.vc/vhost_confusion.pdf.

------

This is CVE-2014-3616.

------

This has been fixed upstream in nginx.  This has also been fixed in
Debian.

------

The Debian bug for this is: https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=761940

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nginx (Debian)
     Importance: Unknown
         Status: Unknown

** Description changed:

- A security vulnerability was found in the nginx package.
+ A security vulnerability was found in the nginx package.  All versions
+ in Lucid, Precise, Trusty, and Utopic are affected.
  
  ------
  
  This is the email that went out in the nginx security advisories list
  regarding this vulnerability:
  
  Hello!
  
  A problem with SSL session cache in nginx was identified by Antoine
  Delignat-Lavaud.  It was possible to reuse cached SSL sessions in
  unrelated contexts, allowing virtual host confusion attacks in some
  configurations by an attacker in a privileged network position
  (CVE-2014-3616).
  
  The problem affects nginx 0.5.6 - 1.7.4 if the same shared
  ssl_session_cache and/or ssl_session_ticket_key are used for multiple
  server{} blocks.
  
  The problem is fixed in nginx 1.7.5, 1.6.2.
  
  Further details can be found in the paper by Antoine Delignat-Lavaud
  et al., available at http://bh.ht.vc/vhost_confusion.pdf.
  
  ------
  
  This is CVE-2014-3616.
  
  ------
  
  This has been fixed upstream in nginx.  This has also been fixed in
  Debian.
  
  ------
  
  The Debian bug for this is: https://bugs.debian.org/cgi-
  bin/bugreport.cgi?bug=761940

** Bug watch added: Debian Bug tracker #761940
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940

** Also affects: nginx (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940
   Importance: Unknown
       Status: Unknown

** Summary changed:

- [CVE-2014-3616] "reuse cached SSL sessions in unrelated contexts"
+ [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1370478

Title:
  [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated
  contexts"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1370478/+subscriptions