[Pkg-openssl-devel] Bug#645805: Potential DTLS crasher bug

Florian Weimer fw at deneb.enyo.de
Tue Oct 18 18:24:30 UTC 2011


Package: libssl0.9.8
Version: 0.9.8o-4squeeze3

It seems that there's a remotely triggerable OPENSSL_assert() in the
DTLS code:

| The reception of incomplete or incorrectly formatted DTLS fragments
| is handled with an OPENSSL_assert(), causing the program to exit
| rather then just terminating the connection. This patch exchanges
| the asserts with unexpected message and illegal parameter alerts.

<http://rt.openssl.org/Ticket/Display.html?id=2625&user=guest&pass=guest>

I don't know how functional the DTLS code in squeeze is, perhaps it's
necessary to fix this there, too.





More information about the Pkg-openssl-devel mailing list