CVE-2014-0160 fix needed about mod-spdy HOT 14 CLOSED

Note that just disabling the spdy module in Apache won't work, because the SSL 
library itself is replaced. Easiest fix on Debian is to remove the mod-spdy 
package from the system (for now).

Thanks for the report.

This has now been fixed in trunk and in the latest branch/tag, but we are 
working to update the binary releases ASAP.

If you have built mod_spdy from source, you should immediately rebuild from 
trunk or from tag 0.9.4.2 ***including re-running build_modssl_with_npn.sh to 
rebuild mod_ssl***.  If you have installed mod_spdy from one of the binary 
packages, you should uninstall the package (as mark@ notes above, don't just 
disable mod_spdy) until new binaries are available.

I will update this bug when the new binaries are up, hopefully in the next 24 
hours.

I can confirm that my web server remained vulnerable to CVE-2014-0160 after 
updating openssl, and removing mod-spdy fixed it.

New binaries for 0.9.4.2 (which fixes this vulnerability) have been rolled out, 
and are available here: https://developers.google.com/speed/spdy/mod_spdy/

If you've installed one of our previous binary releases (and did not disable 
auto-update), you should be able to easily upgrade using your package manager 
(apt or yum).

I'll be making an announcement to the mod-spdy-discuss list shortly.

Email announcement: 
https://groups.google.com/forum/#!topic/mod-spdy-discuss/EwCowyS1KTU

Issue 86 has been merged into this issue.

I can confirm that the new binary packages are solving the issue: my server is 
not vulnerable to CVE-2014-0160 after installed and enabled the new mod_spdy 
package.

Thanks, the response time was awesome.

Yes, this was fixed. But now the new mod-spdy-beta produces other insecurities: 
After installing it, I checked my server with 
https://www.ssllabs.com/ssltest/analyze.html and get: "This server supports 
anonymous (insecure) suites (see below for details). Grade set to F."

Deinstalling mod-spdy-beta had fixed that. Please, can you fix this? Thanks.

Hi Andreas,

Most probably you've got a different issue. My installation got a grade A with 
the latest mod_spdy enabled.

TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128


And: With this version, TLS 1.2 and 1.1 are not supported, only TLS 1.0 - or 
are there any config files I don't know?

@Andreas: I had the same problem after removing and then reinstalling 
mod-spdy-beta on an Ubuntu LTS server. I could fix my grade and bring it to A+ 
again by simply copying the setting recommended of 
https://bettercrypto.org/static/applied-crypto-hardening.pdf for Apache 
(section 2.2.1) into my default config and restarting Apache. I think the 
important part of that was the SSLCipherSuite which has been set to 
SSLCipherSuite 
'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EEC
DH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD
5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AE
S128-SHA'

@Adreas:
I updated my SSLCipherSuite to be
SSLCipherSuite  HIGH:MEDIUM:!ADH:!MD5:!ECDH
This blocks the ECDH keys that are failing the test.
I first tried Norberts list and it worked for the test but it broke SPDY.
I went to the site http://spdycheck.org/ to test if SPDY was working, and it 
wasn't.
After I changed it to the one I suggested above, SPDY works, and QUALSYS is 
Happy.
WIN!

TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128

Port 43