[Pkg-openssl-devel] Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

Moritz Mühlenhoff jmm at inutil.org
Mon Jan 6 18:53:41 UTC 2014


On Mon, Jan 06, 2014 at 07:41:05PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 07:35:40PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> > > On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > > > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > > > > 
> > > > > > > For security I would like to have the following:
> > > > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 + 
> > > > > > >   ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > > > > 
> > > > > > So I've put that at:
> > > > > > http://people.debian.org/~kroeckx/openssl/
> > > > > 
> > > > > So the patch for CVE-2013-6450 was missing a commit.  See:
> > > > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > > > > 
> > > > > I'll upload a 1.0.1e-2+deb7u2 soon.
> > > > 
> > > > I've uploaded it.  The changelog for it:
> > > >    * The patch we applied for CVE-2013-6450 was causing segfaults,
> > > >      also apply the previous commit checking for NULL in
> > > >      EVP_MD_CTX_destroy()
> > > >    * Fix for TLS record tampering bug CVE-2013-4353
> > > 
> > > So after uploading this, I got this as reply:
> > > > Although there is no CVE connected to it it is also advisable to
> > > > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
> > > 
> > > Should I make an other upload (with different version) for that?
> > 
> > Yes, please include it.
> 
> So should I reuse the version number, or change it?

Better bump it, that way we don't cause confusion on the buildds.



More information about the Pkg-openssl-devel mailing list