[Pkg-openssl-devel] Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2
Kurt Roeckx
kurt at roeckx.be
Mon Jan 6 17:54:33 UTC 2014
On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > >
> > > For security I would like to have the following:
> > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> >
> > So I've put that at:
> > http://people.debian.org/~kroeckx/openssl/
>
> So the patch for CVE-2013-6450 was missing a commit. See:
> http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
>
> I'll upload a 1.0.1e-2+deb7u2 soon.
I've uploaded it. The changelog for it:
* The patch we applied for CVE-2013-6450 was causing segfaults,
also apply the previous commit checking for NULL in
EVP_MD_CTX_destroy()
* Fix for TLS record tampering bug CVE-2013-4353
More information about the Pkg-openssl-devel
mailing list