[Pkg-openssl-devel] Bug#645805: Bug#645805: Potential DTLS crasher bug
Kurt Roeckx
kurt at roeckx.be
Wed Oct 19 20:54:25 UTC 2011
found 645805 0.9.8o-4
thanks
On Tue, Oct 18, 2011 at 08:24:30PM +0200, Florian Weimer wrote:
> Package: libssl0.9.8
> Version: 0.9.8o-4squeeze3
>
> It seems that there's a remotely triggerable OPENSSL_assert() in the
> DTLS code:
>
> | The reception of incomplete or incorrectly formatted DTLS fragments
> | is handled with an OPENSSL_assert(), causing the program to exit
> | rather than just terminating the connection. This patch exchanges
> | the asserts with unexpected message and illegal parameter alerts.
>
> <http://rt.openssl.org/Ticket/Display.html?id=2625&user=guest&pass=guest>
>
> I don't know how functional the DTLS code in squeeze is, perhaps it's
> necessary to fix this there, too.
I'm pretty sure we have people using DTLS in squeeze.
I currently don't have time to deal with this.
Kurt
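
Added example, not part of the original message and not the patch from the OpenSSL ticket: an illustration of the pattern the quoted ticket text describes, where a malformed DTLS handshake fragment produces an alert code for the caller instead of reaching an assert. The function and struct names, the MAX_MSG_LEN cap and the choice of which alert goes with which check are assumptions; the header layout is the DTLS handshake header from RFC 4347.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TLS alert descriptions named in the quoted ticket text (values from RFC 5246). */
enum { ALERT_UNEXPECTED_MESSAGE = 10, ALERT_ILLEGAL_PARAMETER = 47 };
#define HM_HDR_LEN  12u     /* DTLS handshake header, RFC 4347 section 4.2.2 */
#define MAX_MSG_LEN 16384u  /* assumed local cap on a reassembled message */

/* Hypothetical struct for this example, not an OpenSSL type. */
struct hm_hdr { uint8_t type; uint16_t seq; uint32_t msg_len, frag_off, frag_len; };

static uint32_t rd24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Returns 0 if the fragment is acceptable, otherwise the alert to send before
 * dropping the connection. Nothing derived from peer bytes reaches an assert. */
int check_fragment(const uint8_t *buf, size_t len, struct hm_hdr *h)
{
    if (len < HM_HDR_LEN)
        return ALERT_UNEXPECTED_MESSAGE;            /* header cut short */
    h->type     = buf[0];
    h->msg_len  = rd24(buf + 1);
    h->seq      = (uint16_t)((buf[4] << 8) | buf[5]);
    h->frag_off = rd24(buf + 6);
    h->frag_len = rd24(buf + 9);
    if (h->msg_len > MAX_MSG_LEN)
        return ALERT_ILLEGAL_PARAMETER;
    /* frag_off <= msg_len is checked first, so the subtraction cannot wrap. */
    if (h->frag_off > h->msg_len || h->frag_len > h->msg_len - h->frag_off)
        return ALERT_ILLEGAL_PARAMETER;             /* fragment outside message */
    if (h->frag_len > len - HM_HDR_LEN)
        return ALERT_UNEXPECTED_MESSAGE;            /* body shorter than claimed */
    return 0;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t sample_ok[]    = {1, 0,0,8, 0,0, 0,0,4, 0,0,4, 'a','b','c','d'};
const uint8_t sample_range[] = {1, 0,0,8, 0,0, 0,0,6, 0,0,4, 'a','b','c','d'};
const uint8_t sample_short[] = {1, 0,0,8, 0,0, 0,0,4};

int main(void)
{
    struct hm_hdr h;
    printf("ok=%d range=%d short=%d\n",
           check_fragment(sample_ok, sizeof sample_ok, &h),
           check_fragment(sample_range, sizeof sample_range, &h),
           check_fragment(sample_short, sizeof sample_short, &h));
    return 0;
}
```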