[Pkg-openssl-devel] Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2
Moritz Mühlenhoff
jmm at inutil.org
Mon Jan 6 18:53:41 UTC 2014
On Mon, Jan 06, 2014 at 07:41:05PM +0100, Kurt Roeckx wrote:
> On Mon, Jan 06, 2014 at 07:35:40PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Jan 06, 2014 at 07:20:25PM +0100, Kurt Roeckx wrote:
> > > On Mon, Jan 06, 2014 at 06:54:33PM +0100, Kurt Roeckx wrote:
> > > > On Mon, Jan 06, 2014 at 06:24:14PM +0100, Kurt Roeckx wrote:
> > > > > On Mon, Dec 23, 2013 at 06:44:23PM +0100, Kurt Roeckx wrote:
> > > > > > On Sun, Dec 22, 2013 at 11:51:09PM +0100, Kurt Roeckx wrote:
> > > > > > >
> > > > > > > For security I would like to have the following:
> > > > > > > - CVE-2013-6449: 0294b2be5f4c11e60620c0018674ff0e17b14238 +
> > > > > > > ca989269a2876bae79393bd54c3e72d49975fc75
> > > > > > > - CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b
> > > > > > > - disable rdrand: 1c2c5e402a757a63d690bd2390bd6b8b491ef184
> > > > > > > - Disable Dual EC DRBG: a4870de5aaef562c0947494b410a2387f3a6d04d
> > > > > >
> > > > > > So I've put that at:
> > > > > > http://people.debian.org/~kroeckx/openssl/
> > > > >
> > > > > So the patch for CVE-2013-6450 was missing a commit. See:
> > > > > http://rt.openssl.org/Ticket/Display.html?id=3214&user=guest&pass=guest
> > > > >
> > > > > I'll upload a 1.0.1e-2+deb7u2 soon.
> > > >
> > > > I've uploaded it. The changelog for it:
> > > > * The patch we applied for CVE-2013-6450 was causing segfaults,
> > > > also apply the previous commit checking for NULL in
> > > > EVP_MD_CTX_destroy()
> > > > * Fix for TLS record tampering bug CVE-2013-4353
> > >
> > > So after uploading this, I got this as reply:
> > > > Although there is no CVE connected to it it is also advisable to
> > > > include f3dcc8411e518fb0835c7d72df4a58718205260d as well.
> > >
> > > Should I make an other upload (with different version) for that?
> >
> > Yes, please include it.
>
> So should I reuse the version number, or change it?
Better bump it, that way we don't cause confusion on the buildds.
More information about the Pkg-openssl-devel
mailing list