Thanks Michael! I suspect that we will see 2.2.2d in one of the upcoming releases from Oracle. While I would prefer to ship wheezy with no known security bugs, I don't have much time to build and test a new package. If someone else wants to do that I will gladly sponsor it.
-----Original Message----- From: Michael Stapelberg <stapelb...@debian.org> To: Thijs Kinkhorst <th...@debian.org>, 699...@bugs.debian.org, cont...@bugs.debian.org Sent: Wed, 27 Mar 2013 3:09 Subject: [debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13) Control: tags -1 +patch Hi Thijs, Thijs Kinkhorst <th...@debian.org> writes: > Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling > of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing > differences arising during MAC processing. Details of this attack can be > found at: http://www.isg.rhul.ac.uk/tls/ > > The issue has been fixed in upstream yaSSL 2.5.0: > http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html Currently, MySQL uses yaSSL 2.2.2. yaSSL has released version 2.2.2d which addresses this problem. I downloaded yassl-2.2.2.zip from http://fossies.org/unix/privat/yassl-2.2.2.zip and yassl-2.2.2d.zip from http://yassl.com/yaSSL/download I then created a git repo in 2.2.2 and copied over the files from 2.2.2d. The following files differ: $ git status | grep 'modified' | grep -v '\.in$' | grep -v '\(INSTALL\|README\|aclocal.m4\|config.guess\|config.sub\|configure\|depcomp\|install-sh\|ltmain.sh\|missing\|mkinstalldirs\)' # modified: include/openssl/ssl.h # modified: include/yassl_error.hpp # modified: include/yassl_types.hpp # modified: src/handshake.cpp # modified: src/yassl_error.cpp # modified: src/yassl_imp.cpp # modified: taocrypt/include/asn.hpp # modified: taocrypt/include/sha.hpp # modified: taocrypt/src/asn.cpp I then created a patch and modified it so that it (somewhat) applies to the MySQL source: git diff include/openssl/ssl.h include/yassl_error.hpp include/yassl_types.hpp src/handshake.cpp src/yassl_error.cpp src/yassl_imp.cpp taocrypt/include/asn.hpp taocrypt/include/sha.hpp taocrypt/src/asn.cpp > yassl.patch sed -i 's,\([iw]\)/,\1/extra/yassl/,g' yassl.patch dos2unix yassl.patch Then, I used quilt to get the patch in shape: cd /tmp/mysql-5.5-5.5.30+dfsg export QUILT_PATCHES=debian/patches quilt import ../yassl-2.2.2/yassl.patch quilt push -f # apply 4 hunks of the patch manually quilt refresh I attached the result to this email, hopefully that helps. Note that I didn’t compile and test MySQL. -- Best regards, Michael
