[Pkg-openssl-changes] r678 - in openssl/branches/wheezy/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Sun Jun 15 10:38:14 UTC 2014


Author: kroeckx
Date: 2014-06-15 10:38:14 +0000 (Sun, 15 Jun 2014)
New Revision: 678

Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch
Log:
Update fix for CVE-2014-0224


Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog	2014-06-15 10:31:08 UTC (rev 677)
+++ openssl/branches/wheezy/debian/changelog	2014-06-15 10:38:14 UTC (rev 678)
@@ -1,3 +1,10 @@
+openssl (1.0.1e-2+deb7u11) wheezy-security; urgency=medium
+
+  * Update fix for CVE-2014-0224 to work with more renegiotation
+    and resumption cases. (Closes: #751093)
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Sun, 15 Jun 2014 12:31:21 +0200
+
 openssl (1.0.1e-2+deb7u10) wheezy-security; urgency=medium
 
   * Fix CVE-2014-0224

Modified: openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch	2014-06-15 10:31:08 UTC (rev 677)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch	2014-06-15 10:38:14 UTC (rev 678)
@@ -11,9 +11,9 @@
 
 Index: openssl-1.0.1e/ssl/s3_pkt.c
 ===================================================================
---- openssl-1.0.1e.orig/ssl/s3_pkt.c	2014-06-04 18:34:30.230607561 +0000
-+++ openssl-1.0.1e/ssl/s3_pkt.c	2014-06-04 18:34:30.238607391 +0000
-@@ -1299,6 +1299,15 @@
+--- openssl-1.0.1e.orig/ssl/s3_pkt.c
++++ openssl-1.0.1e/ssl/s3_pkt.c
+@@ -1299,6 +1299,15 @@ start:
  			goto f_err;
  			}
  
@@ -29,7 +29,7 @@
  		rr->length=0;
  
  		if (s->msg_callback)
-@@ -1433,7 +1442,7 @@
+@@ -1433,7 +1442,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
  
  	if (s->s3->tmp.key_block == NULL)
  		{
@@ -40,9 +40,17 @@
  			SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
 Index: openssl-1.0.1e/ssl/s3_clnt.c
 ===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c	2014-06-04 18:33:56.507319937 +0000
-+++ openssl-1.0.1e/ssl/s3_clnt.c	2014-06-04 18:34:42.838341212 +0000
-@@ -559,6 +559,7 @@
+--- openssl-1.0.1e.orig/ssl/s3_clnt.c
++++ openssl-1.0.1e/ssl/s3_clnt.c
+@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)
+ 				s->method->ssl3_enc->client_finished_label,
+ 				s->method->ssl3_enc->client_finished_label_len);
+ 			if (ret <= 0) goto end;
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			s->state=SSL3_ST_CW_FLUSH;
+ 
+ 			/* clear flags */
+@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s)
  		case SSL3_ST_CR_FINISHED_A:
  		case SSL3_ST_CR_FINISHED_B:
  
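Review bot: The new `s->s3->flags |= SSL3_FLAGS_CCS_OK;` after the client Finished is sent has no comment, so a reader of ssl3_connect cannot tell from the line why a ChangeCipherSpec becomes acceptable at this point while the early-CCS check in s3_pkt.c rejects it elsewhere. I would add, above the assignment, `/* Our Finished is out; the peer's CCS is now legitimate, so let the CCS check in s3_pkt.c accept it */`. The changelog cites renegotiation and resumption cases, and the flag is presumably also set before ssl3_get_finished in the SSL3_ST_CR_FINISHED case (just outside this hunk's context), so the comment should say which handshake ordering this earlier point covers. ssl3_connect begins and ends outside the hunk.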
@@ -50,7 +58,15 @@
  			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
  				SSL3_ST_CR_FINISHED_B);
  			if (ret <= 0) goto end;
-@@ -916,6 +917,7 @@
+@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s)
+ 			{
+ 			s->session->cipher = pref_cipher ?
+ 				pref_cipher : ssl_get_cipher_by_char(s, p+j);
++	    		s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			}
+ 		}
+ #endif /* OPENSSL_NO_TLSEXT */
+@@ -916,6 +919,7 @@ int ssl3_get_server_hello(SSL *s)
  		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
  		goto f_err;
  		}
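Review bot: The added `s->s3->flags |= SSL3_FLAGS_CCS_OK;` in ssl3_get_server_hello is indented with a mix of a tab, spaces and tabs, while the surrounding lines (`s->session->cipher = pref_cipher ?` and the closing brace) use tabs only; it should be indented with three tabs like the statement it follows. A short comment would also help, since this is the TLSEXT branch (the hunk ends at `#endif /* OPENSSL_NO_TLSEXT */`) and the flag is apparently needed here for the resumption case the changelog mentions: `/* Resumed session: the server's CCS follows its ServerHello */`. The function body continues outside the hunk.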
@@ -60,9 +76,9 @@
  	else	/* a miss or crap from the other end */
 Index: openssl-1.0.1e/ssl/s3_srvr.c
 ===================================================================
---- openssl-1.0.1e.orig/ssl/s3_srvr.c	2014-06-04 18:34:30.094610434 +0000
-+++ openssl-1.0.1e/ssl/s3_srvr.c	2014-06-04 18:34:30.262606885 +0000
-@@ -673,6 +673,7 @@
+--- openssl-1.0.1e.orig/ssl/s3_srvr.c
++++ openssl-1.0.1e/ssl/s3_srvr.c
+@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
  		case SSL3_ST_SR_CERT_VRFY_A:
  		case SSL3_ST_SR_CERT_VRFY_B:
  
@@ -70,7 +86,7 @@
  			/* we should decide if we expected this one */
  			ret=ssl3_get_cert_verify(s);
  			if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@
+@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
  
  		case SSL3_ST_SR_FINISHED_A:
  		case SSL3_ST_SR_FINISHED_B:
@@ -78,7 +94,7 @@
  			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
  				SSL3_ST_SR_FINISHED_B);
  			if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@
+@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
  				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
  #else
  				if (s->s3->next_proto_neg_seen)
@@ -91,9 +107,9 @@
  #endif
 Index: openssl-1.0.1e/ssl/ssl3.h
 ===================================================================
---- openssl-1.0.1e.orig/ssl/ssl3.h	2014-06-04 18:34:30.186608490 +0000
-+++ openssl-1.0.1e/ssl/ssl3.h	2014-06-04 18:34:30.290606294 +0000
-@@ -388,6 +388,7 @@
+--- openssl-1.0.1e.orig/ssl/ssl3.h
++++ openssl-1.0.1e/ssl/ssl3.h
+@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
  #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
  #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
  #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020



