[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Changed in: openssl
   Status: Unknown => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.4

---
openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Pointer arithmetic undefined behaviour
    - debian/patches/CVE-2016-2177.patch: avoid undefined pointer
      arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c.
    - CVE-2016-2177
  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
    - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
      crypto/dsa/dsa_ossl.c.
    - CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
    - debian/patches/CVE-2016-2179.patch: fix queue handling in
      ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
      ssl/ssl_locl.h.
    - CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
    - debian/patches/CVE-2016-2180.patch: fix text handling in
      crypto/ts/ts_lib.c.
    - CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
    - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
      records in ssl/d1_pkt.c.
    - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
      in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
    - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
    - CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
    - debian/patches/CVE-2016-2182.patch: don't overflow buffer in
      crypto/bn/bn_print.c.
    - CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
    - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
      to MEDIUM in ssl/s3_lib.c.
    - CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
    - debian/patches/CVE-2016-6302.patch: sanity check ticket length in
      ssl/t1_lib.c.
    - CVE-2016-6302
  * SECURITY UPDATE: OOB write in MDC2_Update()
    - debian/patches/CVE-2016-6303.patch: avoid overflow in
      crypto/mdc2/mdc2dgst.c.
    - CVE-2016-6303
  * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
    - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
      handshake in ssl/t1_lib.c.
    - CVE-2016-6304
  * SECURITY UPDATE: Certificate message OOB reads
    - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
      ssl/s3_srvr.c.
    - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
      larger in ssl/d1_both.c, ssl/s3_both.c.
    - CVE-2016-6306

 -- Marc Deslauriers Thu, 22 Sep 2016 08:22:22 -0400

** Changed in: openssl (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2177
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2178
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2179
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2180
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2181
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2182
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2183
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6302
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6303
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6304
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6306
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the upstream openssl bug ticket 4559 and confirmed this problem is now resolved.
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Hello Timo, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Also affects: openssl (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
This bug was fixed in the package openssl - 1.0.2g-1ubuntu8

---
openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium

  * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953,
    LP: #1591797, LP: #1588524)

 -- Marc Deslauriers Mon, 15 Aug 2016 14:20:42 -0400

** Changed in: openssl (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
For those affected by this in xenial, I have created a PPA with fips removed from the openssl binaries. See it here. https://launchpad.net/~chiluk/+archive/ubuntu/openssl+nofips
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
This needs to be resolved in Xenial as well.
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Investigating.
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
@Joy It looks like the upstream bug has been rejected. Do you know what the resolution for this issue was? Can you work with upstream to figure out what's going on? Thanks,
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Tags added: sts
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssl (Ubuntu)
   Status: New => Confirmed
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Just as a note, the fips mode is not enabled in 1.0.2g-1ubuntu4.1. But OPENSSL_FIPS is defined and its code is compiled in. Thus, in OPENSSL_init_library(), RAND_init_fips() is included.
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Waiting to see upstream commit/fix for this since this is an issue in the upstream openssl code when OPENSSL_FIPS is defined.
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Also affects: openssl via
   http://rt.openssl.org/Ticket/Display.html?id=4559
   Importance: Unknown
   Status: Unknown
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Ok, this is also "broken" or an issue in upstream openssl 1.0.2 when OPENSSL_FIPS is defined. See, https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or http://rt.openssl.org/Ticket/Display.html?id=4559

** Bug watch added: OpenSSL RT #4559
   http://rt.openssl.org/Ticket/Display.html?id=4559
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Looking into this...
[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Changed in: openssl (Ubuntu)
   Assignee: (unassigned) => Joy Latten (j-latten)