[Bug 1329297] Re: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
Robert E.
resans at live.com
Wed Jun 18 18:14:54 UTC 2014
Thanks for the replies and clarification. That helps!
--
https://bugs.launchpad.net/bugs/1329297
Title:
openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
Status in “openssl” package in Ubuntu:
Fix Released
Status in “openssl” source package in Lucid:
Invalid
Status in “openssl” source package in Precise:
Fix Released
Status in “openssl” source package in Saucy:
Fix Released
Status in “openssl” source package in Trusty:
Fix Released
Status in “openssl” source package in Utopic:
Fix Released
Bug description:
The recently introduced openssl update to fix the CVE-2014-0224
vulnerability missed one code path where ChangeCipherSpec needs to be
allowed. tls_session_secret_cb configured the key and needs to allow the
CCS message. The current Ubuntu package breaks programs that use that
API, e.g., wpa_supplicant and EAP-FAST.
The upstream fix for the issue:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e
Upstream report and discussion related to the issue:
http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssl 1.0.1f-1ubuntu2.2
ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
Uname: Linux 3.13.0-29-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jun 12 14:54:57 2014
InstallationDate: Installed on 2014-04-17 (55 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)