[Pkg-openssl-changes] r408 - in openssl/branches/lenny: debian ssl
Kurt Roeckx
kroeckx at alioth.debian.org
Mon Jun 8 17:45:23 UTC 2009
Author: kroeckx
Date: 2009-06-08 17:45:22 +0000 (Mon, 08 Jun 2009)
New Revision: 408
Modified:
openssl/branches/lenny/debian/changelog
openssl/branches/lenny/ssl/s3_pkt.c
openssl/branches/lenny/ssl/ssl.h
openssl/branches/lenny/ssl/ssl_err.c
Log:
Fix CVE-2009-1386
Modified: openssl/branches/lenny/debian/changelog
===================================================================
--- openssl/branches/lenny/debian/changelog 2009-06-08 17:43:54 UTC (rev 407)
+++ openssl/branches/lenny/debian/changelog 2009-06-08 17:45:22 UTC (rev 408)
@@ -1,3 +1,10 @@
+openssl (0.9.8g-15+lenny3) stable-security; urgency=low
+
+ * Fix DoS via a DTLS ChangeCipherSpec packet that occurs before ClientHello
+ (CVE-2009-1386)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Mon, 08 Jun 2009 19:40:22 +0200
+
openssl (0.9.8g-15+lenny2) stable-security; urgency=low
* Fix "DTLS record buffer limitation bug." (CVE-2009-1377)
Modified: openssl/branches/lenny/ssl/s3_pkt.c
===================================================================
--- openssl/branches/lenny/ssl/s3_pkt.c 2009-06-08 17:43:54 UTC (rev 407)
+++ openssl/branches/lenny/ssl/s3_pkt.c 2009-06-08 17:45:22 UTC (rev 408)
@@ -1225,6 +1225,13 @@
if (s->s3->tmp.key_block == NULL)
{
+ if (s->session == NULL)
+ {
+ /* might happen if dtls1_read_bytes() calls this */
+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+ return (0);
+ }
+
s->session->cipher=s->s3->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
}
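Review bot: The guard keys the early-CCS rejection off `s->session == NULL`, and only inside the `key_block == NULL` branch, so it stops the exact CVE-2009-1386 trigger (no ClientHello, hence no session) but still lets the following `s->session->cipher=s->s3->tmp.new_cipher;` install whatever `new_cipher` holds whenever a session exists and the key block does not; unless `setup_key_block` is known to fail cleanly on a NULL cipher, I would widen it to `if (s->session == NULL || s->s3->tmp.new_cipher == NULL)`. The comment `might happen if dtls1_read_bytes() calls this` names the call site rather than the condition; `/* DTLS can hand us a CCS before ClientHello (CVE-2009-1386): no session and no negotiated cipher yet, so refuse rather than dereference NULL */` tells the next reader why a pointer check stands in for a handshake-state check here. The durable fix presumably belongs in the DTLS record layer, which should accept a CCS record only in a state where one is expected; this check is a safety net and is worth labelling as one. ssl3_do_change_cipher_spec starts and ends outside the hunk.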
Modified: openssl/branches/lenny/ssl/ssl.h
===================================================================
--- openssl/branches/lenny/ssl/ssl.h 2009-06-08 17:43:54 UTC (rev 407)
+++ openssl/branches/lenny/ssl/ssl.h 2009-06-08 17:45:22 UTC (rev 408)
@@ -1666,6 +1666,7 @@
#define SSL_F_SSL3_CONNECT 132
#define SSL_F_SSL3_CTRL 213
#define SSL_F_SSL3_CTX_CTRL 133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
#define SSL_F_SSL3_ENC 134
#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
Modified: openssl/branches/lenny/ssl/ssl_err.c
===================================================================
--- openssl/branches/lenny/ssl/ssl_err.c 2009-06-08 17:43:54 UTC (rev 407)
+++ openssl/branches/lenny/ssl/ssl_err.c 2009-06-08 17:45:22 UTC (rev 408)
@@ -138,6 +138,7 @@
{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},