[Pkg-openssl-devel] Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

Kurt Roeckx kurt at roeckx.be
Sun Dec 22 22:51:09 UTC 2013


On Sun, Dec 22, 2013 at 07:14:00PM +0100, Kurt Roeckx wrote:
> On Sun, Dec 22, 2013 at 12:25:16AM +0100, Kurt Roeckx wrote:
> > But I'm also thinking about at least #732710
> > 
> > There are also things like:
> > Author: Dr. Stephen Henson <steve at openssl.org>
> > Date:   Mon Sep 16 05:23:44 2013 +0100
> > 
> >     Disable Dual EC DRBG.
> > 
> >     Return an error if an attempt is made to enable the Dual EC DRBG: it
> >     is not used by default.
> > 
> > And there is a whole bunch of other things I want to get fixed but
> > which are less important.
> 
> And then this just appeared in git too:
> commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> Author: Dr. Stephen Henson <steve at openssl.org>
> Date:   Fri Dec 20 15:26:50 2013 +0000
> 
>     Fix DTLS retransmission from previous session.
> 
>     For DTLS we might need to retransmit messages from the previous session
>     so keep a copy of write context in DTLS retransmission buffers instead
>     of replacing it after sending CCS. CVE-2013-6450.

So after looking at things, I have about 25 patches I'd like to
move to testing.

For security I would like to have the following:
- CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 + 
  ca989269a2876bae79393bd54c3e72d49975fc75
- CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
- disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
- Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d


Kurt


