[Pkg-openssl-changes] r643 - in openssl/branches/wheezy/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Mon Jan 6 17:46:16 UTC 2014
Author: kroeckx
Date: 2014-01-06 17:46:16 +0000 (Mon, 06 Jan 2014)
New Revision: 643
Added:
openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
Modified:
openssl/branches/wheezy/debian/changelog
openssl/branches/wheezy/debian/patches/series
Log:
Fix for TLS record tampering bug CVE-2013-4353
Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog 2014-01-06 17:19:41 UTC (rev 642)
+++ openssl/branches/wheezy/debian/changelog 2014-01-06 17:46:16 UTC (rev 643)
@@ -1,7 +1,9 @@
openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium
- * The patch we applied for CVE-2013-6450 was missing a commit causing
- crashes.
+ * The patch we applied for CVE-2013-6450 was causing segfaults,
+ also apply the previous commit checking for NULL in
+ EVP_MD_CTX_destroy()
+ * Fix for TLS record tampering bug CVE-2013-4353
-- Kurt Roeckx <kurt at roeckx.be> Mon, 06 Jan 2014 18:17:13 +0100
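Review bot: the new CVE-2013-4353 bullet gives no provenance for the fix, while the patch file being added carries an Origin header naming upstream commit 197e0ea817ad64820789d86711d55ff50d71f631; a changelog reader looking for what was backported has to open the patch to find it. Consider "* Fix for TLS record tampering bug CVE-2013-4353 (upstream commit 197e0ea)" and, for the reworded CVE-2013-6450 bullet, splitting the run-on "was causing segfaults, also apply the previous commit ..." into two sentences so the cause (segfaults) and the remedy (the EVP_MD_CTX_destroy() NULL check) read separately.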
Added: openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch 2014-01-06 17:46:16 UTC (rev 643)
@@ -0,0 +1,25 @@
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 6 Jan 2014 14:35:04 +0000
+Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353
+Origin: upstream, commit:197e0ea817ad64820789d86711d55ff50d71f631
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+ {
+ const char *sender;
+ int slen;
+-
++ /* If no new cipher setup return immediately: other functions will
++ * set the appropriate error.
++ */
++ if (s->s3->tmp.new_cipher == NULL)
++ return;
+ if (s->state & SSL_ST_CONNECT)
+ {
+ sender=s->method->ssl3_enc->server_finished_label;
+--
+1.8.5.2
+
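Review bot: the added early return in ssl3_take_mac() is silent; since the function is void, its caller cannot tell that no MAC was taken, and the comment's claim that "other functions will set the appropriate error" is not demonstrated anywhere in this hunk. The patch header should say which later check reports the NULL new_cipher case so a reviewer can confirm the handshake fails rather than continuing without a Finished MAC, and a DEP-3 Bug/Bug-Debian field alongside the existing Origin line would let the fix be traced back to the CVE tracker without reading the changelog.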
Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series 2014-01-06 17:19:41 UTC (rev 642)
+++ openssl/branches/wheezy/debian/patches/series 2014-01-06 17:46:16 UTC (rev 643)
@@ -40,3 +40,4 @@
CVE-2013-6450.patch
disable_rdrand.patch
disable_dual_ec_drbg.patch
+CVE-2013-4353.patch
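Review bot: the new entry is appended after disable_rdrand.patch and disable_dual_ec_drbg.patch rather than grouped with CVE-2013-6450.patch and the other CVE fixes above it. quilt does not care about the order as long as each patch applies on top of the previous ones, but keeping the security patches together makes the series easier to audit; if it is moved up, re-check that CVE-2013-4353.patch still applies cleanly against ssl/s3_both.c at that point in the series.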