[Pkg-openssl-devel] Bug#732754: Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2
Kurt Roeckx
kurt at roeckx.be
Sat Dec 21 23:25:16 UTC 2013
On Sat, Dec 21, 2013 at 09:24:38PM +0100, Salvatore Bonaccorso wrote:
> Hi Kurt,
>
> On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> > On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > > Package: openssl
> > > Version: 1.0.1e-2
> > > Severity: grave
> > > Tags: security upstream patch
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for openssl.
> > >
> > > CVE-2013-6449[0]:
> > > crash when using TLS 1.2
> > >
> > > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > > also [3]. I was not able to reproduce any crash myself, just checking
> > > against the openssl source package to verify upstream patches apply.
> > > See [4] and [5] for the patches applied.
> >
> > I was expecting this, and planning an upload for it already. I'll
> > prepare an upload later today.
>
> Thanks!
>
> > I have a bunch of other patches that I'd like to see reach stable,
> > but I'm not sure how many of those you like in a DSA.
>
> Okay. Could you send what you are thinking of to the security team
> alias, so that somebody from the team can comment/have a look/...? Is this
> about #720426? (If so, an 'ack' from the Release Team would be needed
> also to have them included).
I'd like to see those reach stable too, and I'm really tired of
waiting for them.

But I'm also thinking about at least #732710.

There are also things like:

Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Sep 16 05:23:44 2013 +0100

Disable Dual EC DRBG.

Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.

And there is a whole bunch of other things I want to get fixed but
which are less important.
Kurt