[Pkg-openssl-devel] Bug#699889: Bug#699889: several issues in Security Advisory 5 Feb 2013

Kurt Roeckx kurt at roeckx.be
Thu Feb 7 19:04:29 UTC 2013


On Wed, Feb 06, 2013 at 11:59:18AM +0100, Thijs Kinkhorst wrote:
> Package: openssl
> Severity: serious
> Tags: security
> 
> Hi,
> 
> Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
> (http://www.openssl.org/news/secadv_20130205.txt):
> 
>  SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
>  TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)

It seems people are having issues with this patch.  Commit
125093b59f3c2a2d33785b5563d929d0472f1721 is the problematic
commit, but is also the one that fixes both CVEs as far
as I can tell.

I understand that 1.0 isn't affected, so 0.9.8 probably also
isn't.

I might be able to fix the 2nd one by disabling the AES-NI
part.

>  OCSP invalid key DoS issue (CVE-2013-0166)

I don't see this as being urgent.

So I'm waiting for upstream to fix the 1.0.1d version before
uploading to unstable.  I think I'll also wait to see
if this applies to other versions or not.


Kurt
