[Bug 1329297] Re: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Launchpad Bug Tracker 1329297 at bugs.launchpad.net
Thu Jun 12 18:47:18 UTC 2014


This bug was fixed in the package openssl - 1.0.1f-1ubuntu2.3

---------------
openssl (1.0.1f-1ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
      tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>   Thu, 12 Jun 2014 08:29:16 -0400

-- 
https://bugs.launchpad.net/bugs/1329297

Title:
  openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Status in “openssl” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Fix Released
Status in “openssl” source package in Saucy:
  Fix Released
Status in “openssl” source package in Trusty:
  Fix Released
Status in “openssl” source package in Utopic:
  Fix Released

Bug description:
  The recently introduced openssl update to fix the CVE-2014-0224
  vulnerability missed one code path where ChangeCipherSpec needs to be
  allowed. tls_session_secret_cb configures the key and needs to allow
  the CCS message. The current Ubuntu package breaks programs that use
  that API, e.g., wpa_supplicant and EAP-FAST.

  The upstream fix for the issue:

  http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e

  Upstream report and discussion related to the issue:

  http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: openssl 1.0.1f-1ubuntu2.2
  ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
  Uname: Linux 3.13.0-29-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Jun 12 14:54:57 2014
  InstallationDate: Installed on 2014-04-17 (55 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: openssl
  UpgradeStatus: No upgrade log present (probably fresh install)

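The code path the report describes, as an added illustrative model written for this page (it is not OpenSSL, Ubuntu or wpa_supplicant source): a toy TLS client state machine with the CCS_OK gate that the CVE-2014-0224 fix introduced. It shows that when the master secret is supplied through a tls_session_secret_cb-style callback (as EAP-FAST does) instead of through a key exchange, that path must also set the flag, or the server's legitimate ChangeCipherSpec in the abbreviated handshake is rejected as "received early" while the gate is still doing its job against an injected early CCS. The message names, the `fixed` switch, the constructed `pac_secret_cb`, the fixed server random and the compression of the full handshake into one message are this example's own assumptions.

```c
/* Toy model of the client-side ChangeCipherSpec gate added for CVE-2014-0224
 * and of the tls_session_secret_cb resumption path that the Ubuntu 1.0.1f-1ubuntu2.2
 * package missed. Illustrative code for this page, not OpenSSL source; all
 * names and the constant inputs below are assumptions of the example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Server-to-client messages, in the order a server sends them. The full
 * handshake's Certificate/ServerKeyExchange/ServerHelloDone are collapsed
 * into one message here. */
typedef enum { MSG_SERVER_HELLO, MSG_CERT_KEX_DONE, MSG_CCS, MSG_FINISHED } msg_t;
typedef enum { OK = 0, ERR_CCS_RECEIVED_EARLY = 1, ERR_UNEXPECTED_MESSAGE = 2 } result_t;

/* Stand-in for the SSL_set_session_secret_cb callback: hands the client a
 * master secret derived outside TLS (EAP-FAST derives it from the PAC). */
typedef bool (*secret_cb_t)(const unsigned char server_random[32],
                            unsigned char master_secret[48]);

typedef struct {
    bool fixed;      /* true: set CCS_OK on the secret-callback path (1.0.1f-1ubuntu2.3) */
    bool ccs_ok;     /* models SSL3_FLAGS_CCS_OK: CCS is accepted only while set */
    bool keys_set;   /* master secret known, so a CCS can actually be processed */
    bool resumed;    /* abbreviated handshake: server sends CCS right after ServerHello */
    secret_cb_t secret_cb;
    unsigned char master_secret[48];
} client_t;

static void client_init(client_t *c, secret_cb_t cb, bool fixed) {
    memset(c, 0, sizeof *c);
    c->secret_cb = cb;
    c->fixed = fixed;
}

/* Process one server message and return OK or the error the client raises. */
static result_t client_recv(client_t *c, msg_t m, const unsigned char server_random[32]) {
    switch (m) {
    case MSG_SERVER_HELLO:
        /* Same shape as the external-secret check in ssl3_get_server_hello():
         * if the callback supplies a master secret, resume with it. */
        if (c->secret_cb && c->secret_cb(server_random, c->master_secret)) {
            c->keys_set = true;
            c->resumed = true;
            if (c->fixed)
                c->ccs_ok = true;   /* the missing line: keys are set, so allow CCS */
        }
        return OK;
    case MSG_CERT_KEX_DONE:
        /* Full handshake: the client derives the master secret from the key
         * exchange, and the key-exchange path already sets the flag. */
        if (c->resumed) return ERR_UNEXPECTED_MESSAGE;
        c->keys_set = true;
        c->ccs_ok = true;
        return OK;
    case MSG_CCS:
        /* The CVE-2014-0224 gate: a CCS before keys are set is rejected. */
        if (!c->ccs_ok) return ERR_CCS_RECEIVED_EARLY;
        c->ccs_ok = false;  /* modelled: the flag is consumed, one CCS per handshake */
        return OK;
    case MSG_FINISHED:
        return c->keys_set ? OK : ERR_UNEXPECTED_MESSAGE;
    }
    return ERR_UNEXPECTED_MESSAGE;
}

/* Constructed EAP-FAST-style callback: no real derivation, it just fills a
 * fixed secret so that the resumption path is taken. */
static bool pac_secret_cb(const unsigned char server_random[32], unsigned char master_secret[48]) {
    (void)server_random;
    memset(master_secret, 0x42, 48);
    return true;
}

static const unsigned char SERVER_RANDOM[32] = { 0 };  /* constructed input */

/* Abbreviated handshake driven by the secret callback: ServerHello, CCS, Finished. */
static result_t run_eap_fast_resumption(bool fixed) {
    client_t c; client_init(&c, pac_secret_cb, fixed);
    if (client_recv(&c, MSG_SERVER_HELLO, SERVER_RANDOM) != OK) return ERR_UNEXPECTED_MESSAGE;
    result_t r = client_recv(&c, MSG_CCS, SERVER_RANDOM);
    if (r != OK) return r;
    return client_recv(&c, MSG_FINISHED, SERVER_RANDOM);
}

/* CVE-2014-0224 shape: CCS injected right after ServerHello in a full
 * handshake, before any key material exists. Must fail in both versions. */
static result_t run_early_ccs_injection(bool fixed) {
    client_t c; client_init(&c, NULL, fixed);
    client_recv(&c, MSG_SERVER_HELLO, SERVER_RANDOM);
    return client_recv(&c, MSG_CCS, SERVER_RANDOM);
}

/* Ordinary full handshake, unaffected by the regression. */
static result_t run_full_handshake(bool fixed) {
    client_t c; client_init(&c, NULL, fixed);
    client_recv(&c, MSG_SERVER_HELLO, SERVER_RANDOM);
    client_recv(&c, MSG_CERT_KEX_DONE, SERVER_RANDOM);
    result_t r = client_recv(&c, MSG_CCS, SERVER_RANDOM);
    if (r != OK) return r;
    return client_recv(&c, MSG_FINISHED, SERVER_RANDOM);
}

int main(void) {
    printf("EAP-FAST resumption, flag not set on cb path: %s\n",
           run_eap_fast_resumption(false) == OK ? "ok" : "CCS received early (regression)");
    printf("EAP-FAST resumption, flag set on cb path:     %s\n",
           run_eap_fast_resumption(true) == OK ? "ok" : "CCS received early");
    printf("injected early CCS, fixed build:              %s\n",
           run_early_ccs_injection(true) == ERR_CCS_RECEIVED_EARLY ? "rejected" : "accepted");
    return 0;
}
```

The model makes the review question explicit: every place that establishes the master secret is a place that must also set CCS_OK, and an external-secret callback is such a place even though no ClientKeyExchange is ever sent. Checking the fix against the injection case confirms the gate is unchanged for a handshake that has not set any keys.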