[Pkg-openssl-devel] Bug#338006: marked as done (libssl0.9.8: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling)

Debian Bug Tracking System owner at bugs.debian.org
Sat Jan 21 16:48:08 UTC 2006


Your message dated Sat, 21 Jan 2006 08:32:13 -0800
with message-id <E1F0Lev-0003kJ-6K at spohr.debian.org>
and subject line Bug#338006: fixed in openssl 0.9.8a-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Nov 2005 19:24:04 +0000
Date: Mon, 7 Nov 2005 20:23:55 +0100
From: Mikael Magnusson <mikma at users.sourceforge.net>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: libssl0.9.8: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling
Message-ID: <20051107192355.GA29939 at skinner.hem.za.org>

Package: libssl0.9.8
Version: 0.9.8a-3
Severity: important

Use of SSL_OP_TLS_BLOCK_PADDING_BUG, which is included in SSL_OP_ALL,
triggers a bug in OpenSSL if both the client and server are using version 0.9.8.

Upstream bug report:
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1204

The bug can be demonstrated with the following execution of s_server and
s_client.

Server:
# openssl s_server -accept 5061 -cert /etc/apache/ssl.crt/snakeoil-dsa.crt -key /etc/apache/ssl.key/snakeoil-dsa.key -CAfile /etc/apache/ssl.crt/snakeoil-ca-dsa.crt -no_ssl2

Client:
$ openssl s_client -connect skinner:5061 -no_ssl2 -bugs
CONNECTED(00000003)
depth=1 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority (DSA)/CN=Snake Oil CA/emailAddress=ca at snakeoil.dom
verify error:num=19:self signed certificate in certificate chain
verify return:0
29985:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:

Sometimes the connection succeeds, but it fails most of the time.

Regards,
Mikael

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (871, 'stable'), (50, 'testing'), (30, 'unstable'), (10, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-vserver-k7
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]         1.4.57     Debian configuration management sy
ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an
ii  zlib1g                        1:1.2.3-6  compression library - runtime

libssl0.9.8 recommends no packages.

-- debconf information:
  libssl0.9.8/restart-services:

---------------------------------------
Received: (at 338006-close) by bugs.debian.org; 21 Jan 2006 16:41:04 +0000
From: Kurt Roeckx <kurt at roeckx.be>
To: 338006-close at bugs.debian.org
X-Katie: $Revision: 1.65 $
Subject: Bug#338006: fixed in openssl 0.9.8a-6
Message-Id: <E1F0Lev-0003kJ-6K at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Sat, 21 Jan 2006 08:32:13 -0800

Source: openssl
Source-Version: 0.9.8a-6

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8a-6_i386.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-6_i386.udeb
libssl-dev_0.9.8a-6_i386.deb
  to pool/main/o/openssl/libssl-dev_0.9.8a-6_i386.deb
libssl0.9.8-dbg_0.9.8a-6_i386.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-6_i386.deb
libssl0.9.8_0.9.8a-6_i386.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8a-6_i386.deb
openssl_0.9.8a-6.diff.gz
  to pool/main/o/openssl/openssl_0.9.8a-6.diff.gz
openssl_0.9.8a-6.dsc
  to pool/main/o/openssl/openssl_0.9.8a-6.dsc
openssl_0.9.8a-6_i386.deb
  to pool/main/o/openssl/openssl_0.9.8a-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 338006 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt at roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 21 Jan 2006 16:25:41 +0100
Source: openssl
Binary: libssl-dev openssl libssl0.9.8-dbg libcrypto0.9.8-udeb libssl0.9.8
Architecture: source i386
Version: 0.9.8a-6
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt at roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypt
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 338006
Changes: 
 openssl (0.9.8a-6) unstable; urgency=low
 .
   * Remove empty postinst/preinst/prerm scripts.  There is no need
     to have empty ones, debhelper will add them when needed.
   * Remove the static pic libraries.  Nobody should be linking
     its shared libraries statically to libssl or libcrypto.
     This was added for opensc who now links to it shared.
   * Do not assume that in case the sequence number is 0 and the
     packet has an odd number of bytes that the other side has
     the block padding bug, but try to check that it actually
     has the bug.  The wrong detection of this bug resulted
     in a "decryption failed or bad record mac" error in case
     both sides were using zlib compression.  (Closes: #338006)
Files: 
 c131ce8b682ecfb00e621e067d54d08e 796 utils optional openssl_0.9.8a-6.dsc
 c152659ff1525dbd5f411918eca4fc25 32486 utils optional openssl_0.9.8a-6.diff.gz
 75c5aef075a45f10b9d1c891c3442d74 982844 utils optional openssl_0.9.8a-6_i386.deb
 711d05ea0c1368827ced13e51fa99d57 2692286 libs important libssl0.9.8_0.9.8a-6_i386.deb
 04d4fcd3e804e5ec9f3f1e55623cf9a5 545170 debian-installer optional libcrypto0.9.8-udeb_0.9.8a-6_i386.udeb
 7a2b123873aa86043ca3d0cc0800846d 2075736 libdevel optional libssl-dev_0.9.8a-6_i386.deb
 85ab4b29fa4ea4bdfb4ab895f40665e2 5175844 libdevel extra libssl0.9.8-dbg_0.9.8a-6_i386.deb
Package-Type: udeb


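The changelog entry above contrasts the old guess (sequence number 0 plus an odd record length means "peer has the block padding bug") with the fix (check the padding that is actually present). What follows is an added example, not code from the bug report or from OpenSSL: a constructed C model of the two strategies applied to a decrypted TLS 1.0 CBC record trailer. The buggy padding layout (the pad_len byte counting itself), the function names and the sample records are assumptions made for the illustration.

```c
/* Added model of the two padding-bug detection strategies the changelog names;
 * constructed example code, not OpenSSL's. Record = content||MAC||padding||pad_len. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: 2 content bytes, 20-byte placeholder MAC, then padding. */
#define MAC20 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA, \
              0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA
static const uint8_t kStdRecord[25]   = { 'h', 'i', MAC20, 2, 2, 2 }; /* RFC padding, odd length */
static const uint8_t kBuggyRecord[25] = { 'h', 'i', MAC20, 3, 3, 3 }; /* assumed buggy layout   */

/* Old strategy: sequence number 0 plus an odd record length was taken as proof
 * that the peer has the block padding bug. */
static bool old_heuristic_assumes_bug(uint64_t seq, size_t len) {
    return seq == 0 && (len & 1) == 1;
}
/* True if the last byte is pad_len and the `count` bytes before it all equal it. */
static bool trailer_matches(const uint8_t *rec, size_t len, size_t count) {
    if (len < count + 1) return false;
    uint8_t pl = rec[len - 1];
    for (size_t i = 0; i < count; i++)
        if (rec[len - 2 - i] != pl) return false;
    return true;
}
/* RFC 2246 layout: pad_len bytes equal to pad_len, then the pad_len byte. */
static bool padding_valid_standard(const uint8_t *rec, size_t len) {
    return len > 0 && trailer_matches(rec, len, rec[len - 1]);
}
/* Assumed buggy layout (an assumption, not stated on the page): pad_len also
 * counts its own byte, so only pad_len - 1 padding bytes precede it. */
static bool padding_valid_buggy(const uint8_t *rec, size_t len) {
    return len > 0 && rec[len - 1] > 0 && trailer_matches(rec, len, (size_t)rec[len - 1] - 1);
}
/* Bytes the old code stripped: pad_len + 1 normally, pad_len once the bug was
 * assumed, so a correctly padded odd-length first record kept one stray padding
 * byte and the MAC over the remainder failed ("bad record mac"). */
static int strip_len_old(uint64_t seq, const uint8_t *rec, size_t len) {
    if (len == 0) return -1;
    return old_heuristic_assumes_bug(seq, len) ? rec[len - 1] : rec[len - 1] + 1;
}
/* Fixed strategy: decide from the padding bytes actually present. Standard
 * layout is tried first because a standard record also passes the looser buggy
 * check; -1 means neither fits. (A model, not constant time; in a real stack
 * the MAC check that follows remains the final arbiter.) */
static int strip_len_checked(const uint8_t *rec, size_t len) {
    if (padding_valid_standard(rec, len)) return rec[len - 1] + 1;
    if (padding_valid_buggy(rec, len)) return rec[len - 1];
    return -1;
}
```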