Public bug reported: In OpenSSL 1.0.1f on Ubuntu 14.04, there's a regression in using DTLS, caused by a backported bugfix for CVE-2014-3571.
This particular bugfix (debian/patches/CVE-2014-3571-1.patch, corresponding to https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e, originally included upstream in OpenSSL 1.0.1k) caused a regression in using DTLS - see https://rt.openssl.org/Ticket/Display.html?id=3657. This regression was fixed in OpenSSL 1.0.1m via this commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1895583 This left OpenSSL 1.0.1k and 1.0.1l with the regression, plus Ubuntu 14.04 which backported the first fix but not the later one. In Debian, their patches for 1.0.1e contain both fixes: https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch/ https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch/ Please backport the second fix to the version of 1.0.1f that you maintain for 14.04 LTS. ** Affects: openssl (Ubuntu) Importance: Undecided Status: New ** Summary changed: - Backported bugfix for CVE-2014-3571 causes regressions for DTLS in + Backported bugfix for CVE-2014-3571 causes regressions for DTLS in Ubuntu 14.04 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1622500 Title: Backported bugfix for CVE-2014-3571 causes regressions for DTLS in Ubuntu 14.04 Status in openssl package in Ubuntu: New Bug description: In OpenSSL 1.0.1f on Ubuntu 14.04, there's a regression in using DTLS, caused by a backported bugfix for CVE-2014-3571. This particular bugfix (debian/patches/CVE-2014-3571-1.patch, corresponding to https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e, originally included upstream in OpenSSL 1.0.1k) caused a regression in using DTLS - see https://rt.openssl.org/Ticket/Display.html?id=3657. This regression was fixed in OpenSSL 1.0.1m via this commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1895583 This left OpenSSL 1.0.1k and 1.0.1l with the regression, plus Ubuntu 14.04 which backported the first fix but not the later one. In Debian, their patches for 1.0.1e contain both fixes: https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch/ https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch/ Please backport the second fix to the version of 1.0.1f that you maintain for 14.04 LTS. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1622500/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
