[Bug 1622500] Re: Backported bugfix for CVE-2014-3571 causes regressions for DTLS in Ubuntu 14.04

Marc Deslauriers marc.deslauriers at canonical.com
Thu Sep 22 14:36:02 UTC 2016


** Also affects: openssl (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: openssl (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1622500

Title:
  Backported bugfix for CVE-2014-3571 causes regressions for DTLS in
  Ubuntu 14.04

Status in openssl package in Ubuntu:
  Invalid
Status in openssl source package in Precise:
  Confirmed
Status in openssl source package in Trusty:
  Confirmed

Bug description:
  In OpenSSL 1.0.1f on Ubuntu 14.04, there's a regression in using DTLS,
  caused by a backported bugfix for CVE-2014-3571.

  This particular bugfix (debian/patches/CVE-2014-3571-1.patch,
  corresponding to
  https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e,
  originally included upstream in OpenSSL 1.0.1k) caused a regression in
  using DTLS - see https://rt.openssl.org/Ticket/Display.html?id=3657.

  This regression was fixed in OpenSSL 1.0.1m via this commit:
  https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1895583

  This left OpenSSL 1.0.1k and 1.0.1l with the regression, plus Ubuntu
  14.04, which backported the first fix but not the later one.

  In Debian, their patches for 1.0.1e contain both fixes:
  https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch/
  https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch/

  Please backport the second fix to the version of 1.0.1f that you
  maintain for 14.04 LTS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1622500/+subscriptions
