[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1
Kurt Roeckx
kurt at roeckx.be
Wed May 2 18:35:20 BST 2018
On Wed, May 02, 2018 at 07:26:02PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-05-02 18:34:35 [+0200], Kurt Roeckx wrote:
> > On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> > > * https://github.com/openssl/openssl/pull/5967
> > >
> > > """
> > > Commit d316cdc introduced some extra
> > > checks into the session-cache update procedure, intended to prevent
> > > the caching of sessions whose resumption would lead to a handshake
> > > failure, since if the server is authenticating the client, there needs to
> > > be an application-set "session id context" to match up to the authentication
> > > context. While that change is effective for its stated purpose, there
> > > was also some collatoral damage introduced along with the fix -- clients
> > > that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> > > their usage of session caching was erroneously denied.
> > >
> > > Fix the scope of the original commit by limiting it to only acting
> > > when the SSL is a server SSL.
> > > """
> >
> > Is it urgunt to fix this in testing/unstable?
>
> If he is sure that this fixes his issue then I don't mind doing an
> upload. I can even prepare a 1.1.0h-2 with this patch included.
> [unless upstream plans a release soon]
There are no plans, currently I think 1.1.1 will be the next release.
Kurt
More information about the Pkg-openssl-devel
mailing list