Hello Timmothy,
thanks for your hard work and sending us the patches. I've noticed you already have read through the "Submiting Patches" guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
In order for an easy apply of your modifications please re-send them to the list with the patchfile attached to the mail.
Thanks in advance,
-Stefan
Changes: [1] Forbid the use of weak DH cipher suites in Apache. [2] Tell Apache to use a custom bunch of prime numbers. [3] Updated "httpscert" in order to generate those prime numbers.
Those changes are supposed to fix a vulnerability called "logjam" in Apache. "Logjam" is a recently discovered vulnerability in the Diffie-Hellman-Key-Exchange. Affected are TLS/SSL connectiones, VPNs and other services which are relying on DH as well.
References: [Bug #10856]: https://bugzilla.ipfire.org/show_bug.cgi?id=10856 [Further Information]: https://weakdh.org/ [Further Information (german)]: http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von -zehntausenden-Servern-gefaehrdet-2657502.html
Please find the patch here: http://nopaste.ipfire.org/view/r8QWUyQF
However, the patch can't applied to IPFire systems without creating unique prime numbers, since the configuration file of Apache expects the presence of a file called "/etc/httpd/dhparams.pem", if this one does not exist, Apache will likely crash. Please make sure to generate prime numbers by Pakfire during a upgrade:
/usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
I'm estimating that other software components of IPFire are still vulnerable to Lojgam (IPSec?). As soon as I have more information about this, I will roll out new patches.
Best regards, Timmothy Wilson _______________________________________________ Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development