[Bug 1329297] Re: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Marc Deslauriers marc.deslauriers at canonical.com
Thu Jun 12 12:22:37 UTC 2014


1.0.1 commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d4d2e02eb55f3a03e2a8e39b723b2a2ba436584

0.9.8 is not affected.

** Changed in: openssl (Ubuntu Lucid)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1329297

Title:
  openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Status in “openssl” package in Ubuntu:
  Confirmed
Status in “openssl” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Confirmed
Status in “openssl” source package in Saucy:
  Confirmed
Status in “openssl” source package in Trusty:
  Confirmed
Status in “openssl” source package in Utopic:
  Confirmed

Bug description:
  The recently introduced openssl update to fix the CVE-2014-0224
  vulnerability missed one code path where ChangeCipherSpec needs to be
  allowed. When tls_session_secret_cb has configured the key, the CCS
  message needs to be allowed. The current Ubuntu package breaks programs
  that use that API, e.g., wpa_supplicant and EAP-FAST.

  The upstream fix for the issue:

  http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e

  Upstream report and discussion related to the issue:

  http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: openssl 1.0.1f-1ubuntu2.2
  ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
  Uname: Linux 3.13.0-29-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Jun 12 14:54:57 2014
  InstallationDate: Installed on 2014-04-17 (55 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: openssl
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1329297/+subscriptions
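Added illustration, not part of the bug report or of OpenSSL's code: a constructed C model of the ChangeCipherSpec gate the report describes. It shows why opening the gate only on the key-exchange path rejects a legitimate EAP-FAST CCS after tls_session_secret_cb has set the key, while a CCS sent before any key material (the CVE-2014-0224 pattern) stays rejected either way. All names and fields are invented for the example.

```c
/* Constructed model of the handshake bookkeeping behind this bug. The names
 * are invented for illustration; they are not OpenSSL's real fields or calls. */
struct handshake {
    int ccs_ok;  /* CVE-2014-0224 style gate: CCS is accepted only when set */
};

/* Regular key exchange: the key is established, so CCS may follow. */
static void key_exchange_done(struct handshake *hs) { hs->ccs_ok = 1; }

/* EAP-FAST: tls_session_secret_cb supplies the master secret. With fixed == 0
 * the gate stays closed (the path the first update missed); with fixed == 1 it
 * is opened just like the key exchange path. */
static void session_secret_cb_done(struct handshake *hs, int fixed)
{
    if (fixed)
        hs->ccs_ok = 1;
}

/* ChangeCipherSpec arrives: 1 = accepted, 0 = rejected as unexpected. */
static int receive_ccs(const struct handshake *hs) { return hs->ccs_ok ? 1 : 0; }

/* CCS before any key material: the pattern the CVE fix must keep rejecting. */
int ccs_before_key(void)
{
    struct handshake hs = { 0 };
    return receive_ccs(&hs);
}

/* Ordinary handshake: key exchange, then CCS. */
int ccs_after_key_exchange(void)
{
    struct handshake hs = { 0 };
    key_exchange_done(&hs);
    return receive_ccs(&hs);
}

/* EAP-FAST handshake: key from tls_session_secret_cb, then CCS. */
int ccs_after_session_secret_cb(int fixed)
{
    struct handshake hs = { 0 };
    session_secret_cb_done(&hs, fixed);
    return receive_ccs(&hs);
}
```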
