[Bug 1329297] Re: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
Launchpad Bug Tracker
1329297 at bugs.launchpad.net
Thu Jun 12 18:41:24 UTC 2014
This bug was fixed in the package openssl - 1.0.1-4ubuntu5.15
---------------
openssl (1.0.1-4ubuntu5.15) precise-security; urgency=medium
* SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Thu, 12 Jun 2014 08:30:56 -0400
** Changed in: openssl (Ubuntu Precise)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1329297
Title:
openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
Status in “openssl” package in Ubuntu:
Fix Released
Status in “openssl” source package in Lucid:
Invalid
Status in “openssl” source package in Precise:
Fix Released
Status in “openssl” source package in Saucy:
Fix Released
Status in “openssl” source package in Trusty:
Fix Released
Status in “openssl” source package in Utopic:
Fix Released
Bug description:
The recently introduced openssl update to fix the CVE-2014-0224
vulnerability missed one code path where ChangeCipherSpec needs to be
allowed. tls_session_secret_cb configured the key and needs to allow the
CCS message. The current Ubuntu package breaks programs that use that
API, e.g., wpa_supplicant and EAP-FAST.
The upstream fix for the issue:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e
Upstream report and discussion related to the issue:
http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssl 1.0.1f-1ubuntu2.2
ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
Uname: Linux 3.13.0-29-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jun 12 14:54:57 2014
InstallationDate: Installed on 2014-04-17 (55 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
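The bug description above turns on one state-machine rule: the CVE-2014-0224 fix only lets the client accept a ChangeCipherSpec once key material is in place, and the tls_session_secret_cb resumption path establishes key material without telling the state machine so. The following is an added illustration written for this page, not OpenSSL source and not code from the bug reporter or from Ubuntu: the struct, enum, scenario functions and the model's own CCS_OK define are invented for the model, and only the "CCS_OK flag" named in the changelog (OpenSSL's SSL3_FLAGS_CCS_OK) has a counterpart in the real code. It models both builds so the regression and the follow-up fix can be compared side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the client-side handshake state gated by the
 * CVE-2014-0224 fix. Added illustration, not OpenSSL source: all names
 * below are chosen for the model; only the CCS_OK flag mirrors the flag
 * named in the changelog (SSL3_FLAGS_CCS_OK in OpenSSL).
 */

#define CCS_OK 0x01u /* a ChangeCipherSpec record may now be accepted */

typedef struct {
    unsigned flags;
    bool master_secret_set; /* key material has been established */
} client_hs;

/* Which build of the patched client is being modelled. */
typedef enum {
    BUILD_CVE_FIX_ONLY,   /* first update: callback path forgot CCS_OK */
    BUILD_CVE_FIX_PLUS_CB /* 1.0.1-4ubuntu5.15: callback path sets it too */
} build_variant;

static void client_hs_init(client_hs *hs)
{
    memset(hs, 0, sizeof *hs);
}

/* Full handshake: the master secret comes out of the key exchange, and
 * only then may the peer's ChangeCipherSpec be accepted. */
static void on_key_exchange_done(client_hs *hs)
{
    hs->master_secret_set = true;
    hs->flags |= CCS_OK;
}

/* Resumption where the application's tls_session_secret_cb supplies the
 * master secret (the EAP-FAST case). Key material is in place here as
 * well, so CCS_OK must be set; the first patch missed this path. */
static void on_session_secret_cb(client_hs *hs, build_variant build)
{
    hs->master_secret_set = true;
    if (build == BUILD_CVE_FIX_PLUS_CB)
        hs->flags |= CCS_OK;
}

/* The gate added for CVE-2014-0224: a ChangeCipherSpec arriving before
 * key material exists is rejected instead of installing weak keys. */
static int accept_change_cipher_spec(client_hs *hs)
{
    if (!(hs->flags & CCS_OK))
        return -1; /* reject: CCS received early */
    hs->flags &= ~CCS_OK; /* one CCS per key establishment */
    return 0;
}

/* A CCS before any key exchange (the condition CVE-2014-0224 closed). */
static int scenario_early_ccs(void)
{
    client_hs hs;
    client_hs_init(&hs);
    return accept_change_cipher_spec(&hs); /* -1 */
}

/* Ordinary full handshake. */
static int scenario_full_handshake(void)
{
    client_hs hs;
    client_hs_init(&hs);
    on_key_exchange_done(&hs);
    return accept_change_cipher_spec(&hs); /* 0 */
}

/* Callback-driven resumption on the given build. */
static int scenario_cb_resumption(build_variant build)
{
    client_hs hs;
    client_hs_init(&hs);
    on_session_secret_cb(&hs, build);
    return accept_change_cipher_spec(&hs);
}

int main(void)
{
    printf("early CCS rejected:            %s\n",
           scenario_early_ccs() == -1 ? "yes" : "no");
    printf("full handshake CCS accepted:   %s\n",
           scenario_full_handshake() == 0 ? "yes" : "no");
    printf("cb resumption, CVE fix only:   %s\n",
           scenario_cb_resumption(BUILD_CVE_FIX_ONLY) == 0
               ? "accepted" : "rejected (the regression)");
    printf("cb resumption, with follow-up: %s\n",
           scenario_cb_resumption(BUILD_CVE_FIX_PLUS_CB) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

Run as is, the model shows the two properties the update has to hold at once: an early ChangeCipherSpec is still refused, and a legitimate one after a callback-supplied master secret is accepted again. The regression in the first build is not a weakening of the check but a missing flag on one key-establishment path, which is exactly what the one-line changelog entry describes.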