** Also affects: openssl (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: openssl (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: openssl (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: openssl (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1622500

Title:
  Backported bugfix for CVE-2014-3571 causes regressions for DTLS in
  Ubuntu 14.04

Status in openssl package in Ubuntu:
  Invalid
Status in openssl source package in Precise:
  Confirmed
Status in openssl source package in Trusty:
  Confirmed

Bug description:
  In OpenSSL 1.0.1f on Ubuntu 14.04, there's a regression in using DTLS,
  caused by a backported bugfix for CVE-2014-3571.

  This particular bugfix (debian/patches/CVE-2014-3571-1.patch,
  corresponding to
  
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e,
  originally included upstream in OpenSSL 1.0.1k) caused a regression in
  using DTLS - see https://rt.openssl.org/Ticket/Display.html?id=3657.

  This regression was fixed in OpenSSL 1.0.1m via this commit:
  https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1895583

  This left OpenSSL 1.0.1k and 1.0.1l with the regression, plus Ubuntu
  14.04 which backported the first fix but not the later one.

  In Debian, their patches for 1.0.1e contain both fixes:
  
https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch/
  
https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch/

  Please backport the second fix to the version of 1.0.1f that you
  maintain for 14.04 LTS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1622500/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to