Public bug reported:

The recently introduced openssl update to fix the CVE-2014-0224 vulnerability missed one code path where ChangeCipherSpec needs to be allowed. tls_session_secret_cb configured the key and needs to allow CCS message. The current Ubuntu package breaks programs that use that API, e.g., wpa_supplicant and EAP-FAST.

The upstream fix for the issue:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb8d9ddb9dc19d84dffa84932f75e607c8a3ffe6;hp=c43a55407dccc6902058184d7dd0bd111fe6a61e

Upstream report and discussion related to the issue:
http://openssl.6102.n7.nabble.com/OpenSSL-1-0-1h-issue-with-EAP-FAST-session-resumption-td50696.html

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssl 1.0.1f-1ubuntu2.2
ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
Uname: Linux 3.13.0-29-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jun 12 14:54:57 2014
InstallationDate: Installed on 2014-04-17 (55 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openssl (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug trusty

https://bugs.launchpad.net/bugs/1329297

Title:
  openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST
