At the very least, upgrading from 2.4.7 to 2.4.8 should not cause this much pain. I will let the vote run a bit more to gauge additional feedback, but my sense says that 2.4.8 will likely be revoked/dropped and 2.4.9 will be proposed which either (1) removes r1573360 or (2) fixes this bug.
On Mar 11, 2014, at 8:59 PM, Dr Stephen Henson <[email protected]> wrote:

> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
>> include the fix but we weren't planning to make any more 0.9.8 official releases
>> though a 0.9.8 snapshot should include the fix.
>>
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>>
>
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
>
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
>
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure but
> in this case we're freeing it up immediately so this should hopefully not
> matter.
>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> [email protected]
