[Bug 1329297] Re: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Jouni Malinen j at w1.fi
Tue Jun 17 12:36:59 UTC 2014


I agree with this not being an independent security issue. There is a
(mostly theoretical) potential security impact based on how applications
or users react to the case where session ticket unexpectedly cannot be
used. That could, at least in theory, result in trying the
authentication handshake again with reduced security (e.g., EAP-FAST
anonymous provisioning) even when there would be a valid session ticket
still available. I don't think this would really result in practical
security issues, i.e., the impact is in previously working functionality
not working anymore and connections not being established. That said, it
is useful to get this regression addressed in a way that makes it more
likely for devices to get the update since the regression was caused by
a high priority security fix that was likely applied to most devices
immediately.

https://bugs.launchpad.net/bugs/1329297

Title:
  openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST

Status in “openssl” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Fix Released
Status in “openssl” source package in Saucy:
  Fix Released
Status in “openssl” source package in Trusty:
  Fix Released
Status in “openssl” source package in Utopic:
  Fix Released

Bug description:
  The recently introduced openssl update to fix the CVE-2014-0224
  vulnerability missed one code path where ChangeCipherSpec needs to be
  allowed. tls_session_secret_cb configured the key and needs to allow
  CCS message. The current Ubuntu package breaks programs that use that
  API, e.g., wpa_supplicant and EAP-FAST.

  The upstream fix for the issue:

  http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e

  Upstream report and discussion related to the issue:

  http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: openssl 1.0.1f-1ubuntu2.2
  ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
  Uname: Linux 3.13.0-29-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Jun 12 14:54:57 2014
  InstallationDate: Installed on 2014-04-17 (55 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: openssl
  UpgradeStatus: No upgrade log present (probably fresh install)
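The mechanism behind the regression, as an added, constructed model that is not OpenSSL's code and not part of the bug report: the CVE-2014-0224 fix made the TLS client accept a ChangeCipherSpec (CCS) only after a key had been established, but it set the "CCS allowed" state only on the ordinary handshake paths and missed the path where `tls_session_secret_cb` supplies the master secret (EAP-FAST, where the key comes from a PAC rather than from session resumption). The `Policy` values, the `ccs_ok` flag, the `ClientState` class and the placeholder secrets below are this example's own simplifications; they model the three states described on the page (pre-fix, first fix, corrected fix) so the regression and the original flaw can be seen side by side.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, List, Optional


class Policy(Enum):
    PRE_CVE_FIX = auto()    # CCS accepted at any time (the CVE-2014-0224 flaw)
    FIRST_FIX = auto()      # CCS allowed only after a key from the usual handshake paths
    CORRECTED_FIX = auto()  # ... or after the session-secret callback supplied the key


class CcsRejected(Exception):
    """Raised when a ChangeCipherSpec arrives before a key is established."""


@dataclass
class ClientState:
    policy: Policy
    # Models tls_session_secret_cb: returns a master secret (e.g. derived from an
    # EAP-FAST PAC) or None if the application has nothing to offer.
    session_secret_cb: Optional[Callable[[], Optional[bytes]]] = None
    master_key: Optional[bytes] = None
    ccs_ok: bool = False          # "a CCS may now be processed" flag (model's own name)
    log: List[str] = field(default_factory=list)

    def on_server_hello(self, server_resumes: bool) -> None:
        # Path A: application-supplied secret, the path the first fix missed.
        if self.session_secret_cb is not None:
            secret = self.session_secret_cb()
            if secret is not None:
                self.master_key = secret
                if self.policy is Policy.CORRECTED_FIX:
                    self.ccs_ok = True    # the corrected fix allows CCS here too
                self.log.append("key set via session_secret_cb")
                return
        # Path B: ordinary abbreviated handshake (session ID / ticket resumption).
        if server_resumes:
            self.master_key = b"resumed-master-secret"  # constructed placeholder
            self.ccs_ok = True
            self.log.append("key set via session resumption")

    def on_client_key_exchange(self) -> None:
        # Path C: full handshake; fresh key material exists once CKE is sent.
        self.master_key = b"fresh-master-secret"  # constructed placeholder
        self.ccs_ok = True
        self.log.append("key set via full handshake")

    def on_change_cipher_spec(self) -> None:
        if self.policy is Policy.PRE_CVE_FIX:
            # Flawed: no check that a key exists, so an early CCS is honoured
            # with no real master secret in place.
            self.log.append("CCS accepted without key check")
            return
        if not self.ccs_ok:
            raise CcsRejected("ChangeCipherSpec before a key was established")
        self.log.append("CCS accepted")


def _pac_secret() -> Optional[bytes]:
    # Constructed stand-in for a secret derived from an EAP-FAST PAC.
    return b"pac-derived-master-secret"


def _deliver_ccs(st: ClientState) -> str:
    try:
        st.on_change_cipher_spec()
        return "accepted"
    except CcsRejected:
        return "rejected"


def eap_fast_resumption(policy: Policy) -> str:
    """EAP-FAST style: the callback supplies the key, then the server sends CCS."""
    st = ClientState(policy, session_secret_cb=_pac_secret)
    st.on_server_hello(server_resumes=False)
    return _deliver_ccs(st)


def session_resumption(policy: Policy) -> str:
    """Ordinary abbreviated handshake; works under every policy."""
    st = ClientState(policy)
    st.on_server_hello(server_resumes=True)
    return _deliver_ccs(st)


def full_handshake(policy: Policy) -> str:
    """Full handshake: key exists after ClientKeyExchange; works under every policy."""
    st = ClientState(policy)
    st.on_server_hello(server_resumes=False)
    st.on_client_key_exchange()
    return _deliver_ccs(st)


def injected_early_ccs(policy: Policy) -> str:
    """A CCS with no key at all: the condition the CVE fix exists to reject."""
    return _deliver_ccs(ClientState(policy))


if __name__ == "__main__":
    for p in Policy:
        print(p.name, "eap_fast:", eap_fast_resumption(p),
              "resume:", session_resumption(p), "full:", full_handshake(p),
              "early_ccs:", injected_early_ccs(p))
```

Under `FIRST_FIX` the early CCS is correctly rejected but so is the legitimate EAP-FAST resumption, which is the breakage the bug reports; under `CORRECTED_FIX` the early CCS is still rejected while the callback path works again. That pairing is the check worth keeping in a regression test whenever a CCS-ordering fix is backported: one case that must fail and one application-supplied-key case that must still pass.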
