[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1
Kurt Roeckx
kurt at roeckx.be
Wed May 2 17:34:35 BST 2018
On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> * https://github.com/openssl/openssl/pull/5967
>
> """
> Commit d316cdc introduced some extra
> checks into the session-cache update procedure, intended to prevent
> the caching of sessions whose resumption would lead to a handshake
> failure, since if the server is authenticating the client, there needs to
> be an application-set "session id context" to match up to the authentication
> context. While that change is effective for its stated purpose, there
> was also some collatoral damage introduced along with the fix -- clients
> that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> their usage of session caching was erroneously denied.
>
> Fix the scope of the original commit by limiting it to only acting
> when the SSL is a server SSL.
> """
Is it urgunt to fix this in testing/unstable?
Kurt
More information about the Pkg-openssl-devel
mailing list