[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed May 2 18:26:02 BST 2018


On 2018-05-02 18:34:35 [+0200], Kurt Roeckx wrote:
> On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> > * https://github.com/openssl/openssl/pull/5967
> > 
> >   """
> >   Commit d316cdc introduced some extra
> >   checks into the session-cache update procedure, intended to prevent
> >   the caching of sessions whose resumption would lead to a handshake
> >   failure, since if the server is authenticating the client, there needs to
> >   be an application-set "session id context" to match up to the authentication
> >   context. While that change is effective for its stated purpose, there
> >   was also some collateral damage introduced along with the fix -- clients
> >   that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> >   their usage of session caching was erroneously denied.
> > 
> >   Fix the scope of the original commit by limiting it to only acting
> >   when the SSL is a server SSL.
> >   """
> 
> Is it urgent to fix this in testing/unstable?

If he is sure that this fixes his issue then I don't mind doing an
upload. I can even prepare a 1.1.0h-2 with this patch included.
[unless upstream plans a release soon]

> Kurt

Sebastian


