Bug#732754: [Pkg-openssl-devel] Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

2013-12-21 Thread Kurt Roeckx
On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> Package: openssl
> Version: 1.0.1e-2
> Severity: grave
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for openssl.
> 
> CVE-2013-6449[0]:
> crash when using TLS 1.2
> 
> It was reported in Apache Traffic Server[1] and upstream at [2], see
> also [3]. I was not able to reproduce any crash myself, just checking
> against the openssl source package to verify upstream patches apply.
> See [4] and [5] for the patches applied.

I was expecting this, and planning an upload for it already.  I'll
prepare an upload later today.

I have a bunch of other patches that I'd like to see reach stable,
but I'm not sure how many of those you like in a DSA.


Kurt


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#732754: [Pkg-openssl-devel] Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

2013-12-21 Thread Salvatore Bonaccorso
Hi Kurt,

On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > Package: openssl
> > Version: 1.0.1e-2
> > Severity: grave
> > Tags: security upstream patch
> > 
> > Hi,
> > 
> > the following vulnerability was published for openssl.
> > 
> > CVE-2013-6449[0]:
> > crash when using TLS 1.2
> > 
> > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > also [3]. I was not able to reproduce any crash myself, just checking
> > against the openssl source package to verify upstream patches apply.
> > See [4] and [5] for the patches applied.
> 
> I was expecting this, and planning an upload for it already.  I'll
> prepare an upload later today.

Thanks!

> I have a bunch of other patches that I'd like to see reach stable,
> but I'm not sure how many of those you like in a DSA.

Okay. Could you send what you are thinking of to the security team
alias, so that somebody from the team can comment/have a look/...? Is this
about #720426? (If so, an 'ack' from the Release Team would also be
needed to have them included.)

Regards,
Salvatore




Bug#732754: [Pkg-openssl-devel] Bug#732754: openssl: CVE-2013-6449: crash when using TLS 1.2

2013-12-21 Thread Kurt Roeckx
On Sat, Dec 21, 2013 at 09:24:38PM +0100, Salvatore Bonaccorso wrote:
> Hi Kurt,
> 
> On Sat, Dec 21, 2013 at 09:35:38AM +0100, Kurt Roeckx wrote:
> > On Sat, Dec 21, 2013 at 08:16:42AM +0100, Salvatore Bonaccorso wrote:
> > > Package: openssl
> > > Version: 1.0.1e-2
> > > Severity: grave
> > > Tags: security upstream patch
> > > 
> > > Hi,
> > > 
> > > the following vulnerability was published for openssl.
> > > 
> > > CVE-2013-6449[0]:
> > > crash when using TLS 1.2
> > > 
> > > It was reported in Apache Traffic Server[1] and upstream at [2], see
> > > also [3]. I was not able to reproduce any crash myself, just checking
> > > against the openssl source package to verify upstream patches apply.
> > > See [4] and [5] for the patches applied.
> > 
> > I was expecting this, and planning an upload for it already.  I'll
> > prepare an upload later today.
> 
> Thanks!
> 
> > I have a bunch of other patches that I'd like to see reach stable,
> > but I'm not sure how many of those you like in a DSA.
> 
> Okay. Could you send what you are thinking of to the security team
> alias, so that somebody from the team can comment/have a look/...? Is this
> about #720426? (If so, an 'ack' from the Release Team would also be
> needed to have them included.)

I'd like to see those reach stable too, and I'm really tired of
waiting for them.

But I'm also thinking about at least #732710

There are also things like:
Author: Dr. Stephen Henson st...@openssl.org
Date:   Mon Sep 16 05:23:44 2013 +0100

Disable Dual EC DRBG.

Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.

And there is a whole bunch of other things I want to get fixed but
which are less important.


Kurt

