[Pkg-openssl-devel] Bug#732754: Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

Salvatore Bonaccorso carnil at debian.org
Sat Dec 21 20:24:38 UTC 2013


Hi Kurt,

On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > Package: openssl
> > Version: 1.0.1e-2
> > Severity: grave
> > Tags: security upstream patch
> > 
> > Hi,
> > 
> > the following vulnerability was published for openssl.
> > 
> > CVE-2013-6449[0]:
> > crash when using TLS 1.2
> > 
> > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > also [3]. I was not able to reproduce any crash myself, just checking
> > against the openssl source package to verify upstream patches apply.
> > See [4] and [5] for the patches applied.
> 
> I was expecting this, and planning an upload for it already.  I'll
> prepare an upload later today.

Thanks!

> I have a bunch of other patches that I'd like to see reach stable,
> but I'm not sure how many of those you like in a DSA.

Okay. Could you send what you are thinking of to the security team
alias, so that somebody on the team can comment/have a look/...? Is this
about #720426? (If so an 'ack' from the Release Team would be needed
also to have them included).

Regards,
Salvatore