Bug#524982: [Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Wednesday, June 17, 2009 at 19:23:54 (+0200), Kurt Roeckx wrote:
> I first want to reorganize the openssl source package a little. I
> hate my current workflow to apply patches.
>
> I will try to make an upload with those patches applied soon.

Hi Kurt,

is there any progress? 0.9.8l is available upstream and contains all patches mentioned in this bug report, so a simple update to upstream's current version will suffice.

Regards,
Marc

--
Marc A. Donges

Bug#524982: [Pkg-openssl-devel] Bug#524982: Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Mon, Feb 15, 2010 at 02:09:22PM +0100, Marc A. Donges wrote:
> On Wednesday, June 17, 2009 at 19:23:54 (+0200), Kurt Roeckx wrote:
> > I first want to reorganize the openssl source package a little. I
> > hate my current workflow to apply patches.
> >
> > I will try to make an upload with those patches applied soon.
>
> Hi Kurt,
>
> is there any progress? 0.9.8l is available upstream and contains all
> patches mentioned in this bug report, so a simple update to upstream's
> current version will suffice.

The version 0.9.8l had one difference compared to 0.9.8k and that's the patch for CVE-2009-4355 which got applied in 0.9.8k-8. So as far as I know upstream did not make a release with those fixes yet.

I'll try to do an upload soon.

Kurt

Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
Is there any progress on this? I can confirm that the DTLS patch[1] applies cleanly against the 0.9.8k package in sid at present and works fine.

[1] http://cvs.openssl.org/chngview?cn=18037

--
Ross Burton
mail: r...@burtonini.com
jabber: r...@burtonini.com
www: http://burtonini.com

Bug#524982: [Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Wed, Jun 17, 2009 at 05:10:51PM +0100, Ross Burton wrote:
> Is there any progress on this? I can confirm that the DTLS patch[1]
> applies cleanly against the 0.9.8k package in sid at present and works
> fine.

I first want to reorganize the openssl source package a little. I hate my current workflow to apply patches.

I will try to make an upload with those patches applied soon.

Kurt

Bug#524982: [Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Mon, 2009-04-27 at 23:24 +0200, Kurt Roeckx wrote:
> If my memory is any good, that last patch has been around for some
> time without response from upstream, but now finally seems to have
> made it.

Yeah, they ignored it for a long time (and ignored a lot of plain DTLS bug-fixes too). But now it all seems to be getting merged.

> I'll see about uploading a new version.

Thanks.

--
dwmw2

Bug#524982: [Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Mon, 2009-04-27 at 23:24 +0200, Kurt Roeckx wrote:
> > Please consider integrating the compatibility patches for Cisco VPN
> > client DTLS support. These have been integrated into the upstream
> > 0.9.8-stable branch and I've been using them locally for some time now.
>
> If my memory is any good, that last patch has been around for some
> time without response from upstream, but now finally seems to have
> made it.
>
> I'll see about uploading a new version. I should probably also
> start with 1.0.0 in experimental.

Yeah, it's been in limbo for quite a while. For what it's worth, Fedora integrated the patch some time ago.

Ross

--
Ross Burton
mail: r...@burtonini.com
jabber: r...@burtonini.com
www: http://burtonini.com

Bug#524982: [Pkg-openssl-devel] Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
On Tue, Apr 21, 2009 at 11:12:10AM +0100, Ross Burton wrote:
> Package: libssl0.9.8
> Version: 0.9.8g-15.1
> Severity: normal
> Tags: patch
>
> Please consider integrating the compatibility patches for Cisco VPN
> client DTLS support. These have been integrated into the upstream
> 0.9.8-stable branch and I've been using them locally for some time now.

If my memory is any good, that last patch has been around for some time without response from upstream, but now finally seems to have made it.

I'll see about uploading a new version. I should probably also start with 1.0.0 in experimental.

Kurt

Bug#524982: Integrate compatibility patches for Cisco VPN client DTLS
Package: libssl0.9.8
Version: 0.9.8g-15.1
Severity: normal
Tags: patch

Please consider integrating the compatibility patches for Cisco VPN client DTLS support. These have been integrated into the upstream 0.9.8-stable branch and I've been using them locally for some time now.

There are three relevant patches:

http://cvs.openssl.org/chngview?cn=17500

When the underlying BIO_write() fails to send a datagram, we leave the offending record queued as 'pending'. The DTLS code doesn't expect this, and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just not to leave it queued. In DTLS, dropping packets is perfectly acceptable -- and even preferable. If we wanted a service with retries and guaranteed delivery, we'd be using TCP.

http://cvs.openssl.org/chngview?cn=17505

Firstly, the bitmap we use for replay protection was ending up with zero length, so a single pair of packets getting switched around would cause one of them to be 'dropped'.

Secondly, it wasn't even dropping the offending packets, in the non-blocking case. It was just returning garbage instead.

http://cvs.openssl.org/chngview?cn=18037

Compatibility patches for Cisco VPN client DTLS.

These patches are required for the openconnect package to have useful performance.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]  1.5.25             Debian configuration management sy
ii  libc6                  2.9-4              GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12  compression library - runtime

libssl0.9.8 recommends no packages.

libssl0.9.8 suggests no packages.

-- debconf information excluded
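
The replay-protection problem described for the second patch, shown as an added example (not OpenSSL's code and not part of the original report): a sliding-window anti-replay check of the kind DTLS uses, run once with a zero-length window and once with 64 entries. The names `replay_window`, `replay_accept` and `accepted_with_window`, and the arrival order, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical anti-replay state (not OpenSSL's structures). */
struct replay_window {
    uint64_t max_seq;  /* highest sequence number accepted so far */
    uint64_t map;      /* bit i set => record (max_seq - i) was received */
    unsigned length;   /* window size in records, 0..64 */
    int seen_any;
};

/* Returns 1 if the record should be processed, 0 if it must be dropped. */
int replay_accept(struct replay_window *w, uint64_t seq)
{
    if (!w->seen_any || seq > w->max_seq) {   /* new highest: slide window */
        uint64_t shift = w->seen_any ? seq - w->max_seq : 64;
        w->map = (shift >= 64) ? 1 : ((w->map << shift) | 1);
        w->max_seq = seq;
        w->seen_any = 1;
        return 1;
    }
    uint64_t back = w->max_seq - seq;         /* distance behind the newest */
    if (back >= w->length || back >= 64)
        return 0;                             /* older than the window */
    if (w->map & (1ULL << back))
        return 0;                             /* already received: replay */
    w->map |= 1ULL << back;
    return 1;
}

/* Constructed arrival order: 2 and 3 swapped in flight, then 3 replayed. */
static const uint64_t ARRIVALS[] = {1, 3, 2, 4, 3};

/* Count how many of ARRIVALS a window of the given length accepts. */
unsigned accepted_with_window(unsigned length)
{
    struct replay_window w = {0, 0, length, 0};
    unsigned ok = 0;
    for (size_t i = 0; i < sizeof ARRIVALS / sizeof ARRIVALS[0]; i++)
        ok += (unsigned)replay_accept(&w, ARRIVALS[i]);
    return ok;
}

int main(void)
{
    printf("length 0:  %u of 5 accepted\n", accepted_with_window(0));
    printf("length 64: %u of 5 accepted\n", accepted_with_window(64));
    return 0;
}
```

With a zero-length window the reordered record 2 is dropped along with the replayed 3; with a 64-entry window only the replay is dropped.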