I agree with this not being an independent security issue. There is a (mostly theoretical) potential security impact based on how applications or users react to the case where a session ticket unexpectedly cannot be used. That could, at least in theory, result in trying the authentication handshake again with reduced security (e.g., EAP-FAST anonymous provisioning) even when there would be a valid session ticket still available. I don't think this would really result in practical security issues, i.e., the impact is in previously working functionality not working anymore and connections not being established. That said, it is useful to get this regression addressed in a way that makes it more likely for devices to get the update, since the regression was caused by a high-priority security fix that was likely applied to most devices immediately.
--
Bug: https://bugs.launchpad.net/bugs/1329297
Title: openssl CVE-2014-0224 fix broke tls_session_secret_cb and EAP-FAST