pg_dump: Error message from server: SSL error: ccs received early

Bug #1332643 reported by Robin H. Johnson on 2014-06-20
Affects            Status        Importance  Assigned to       Milestone
OpenSSL            Fix Released  Unknown
openssl (Debian)   Fix Released  Unknown
openssl (Ubuntu)                 Undecided   Marc Deslauriers
  Lucid                          Undecided   Marc Deslauriers
  Precise                        Undecided   Marc Deslauriers
  Saucy                          Undecided   Marc Deslauriers
  Trusty                         Undecided   Marc Deslauriers
  Utopic                         Undecided   Marc Deslauriers

Bug Description

See Debian bug #751093

An extra commit is needed on top of openssl_1.0.1f-1ubuntu2.3:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9beb75d3c4ce9a93ba07951e8595c09f07496ba8

Reproduction instructions
1. Take a large postgres DB (~200GiB here).
2. Require hostssl in pg_hba to connect.
3. Run pg_dump over that hostssl connection.
4. It fails out somewhere between 74MiB and 190GiB with:
    pg_dump: Error message from server: SSL error: ccs received early

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssl 1.0.1f-1ubuntu2.3
ProcVersionSignature: Ubuntu 3.13.0-27.50-generic 3.13.11
Uname: Linux 3.13.0-27-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
Date: Fri Jun 20 17:27:02 2014
InstallationDate: Installed on 2014-03-21 (91 days ago)
InstallationMedia: Ubuntu-Server 13.10 "Saucy Salamander" - Release amd64 (20131016)
ProcEnviron:
 TERM=rxvt-unicode
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: Upgraded to trusty on 2014-04-03 (78 days ago)

Robin H. Johnson (robbat2) wrote :
Changed in openssl (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Lucid):
status: New → Confirmed
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Saucy):
status: New → Confirmed
Changed in openssl (Ubuntu Trusty):
status: New → Confirmed
Changed in openssl (Ubuntu Utopic):
status: New → Confirmed
Changed in openssl:
status: Unknown → Fix Released
Changed in openssl (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.16

---------------
openssl (1.0.1-4ubuntu5.16) precise-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
 -- Marc Deslauriers <email address hidden> Fri, 20 Jun 2014 13:57:48 -0400

Changed in openssl (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1f-1ubuntu2.4

---------------
openssl (1.0.1f-1ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
 -- Marc Deslauriers <email address hidden> Fri, 20 Jun 2014 13:55:11 -0400

Changed in openssl (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1e-3ubuntu1.6

---------------
openssl (1.0.1e-3ubuntu1.6) saucy-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
 -- Marc Deslauriers <email address hidden> Fri, 20 Jun 2014 13:56:05 -0400

Changed in openssl (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.19

---------------
openssl (0.9.8k-7ubuntu8.19) lucid-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
 -- Marc Deslauriers <email address hidden> Fri, 20 Jun 2014 13:59:20 -0400

Changed in openssl (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1f-1ubuntu6

---------------
openssl (1.0.1f-1ubuntu6) utopic; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
 -- Marc Deslauriers <email address hidden> Fri, 20 Jun 2014 13:51:23 -0400

Changed in openssl (Ubuntu Utopic):
status: Confirmed → Fix Released
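As an added example that is not part of the bug report or of the openssl package: a small Python checker that compares an installed package version against the fixed versions from the changelog entries above using the dpkg version-ordering rules (epoch, then upstream, then Debian revision; digit runs numerically, `~` sorting before everything), so an administrator can tell from `dpkg-query` output whether a host still carries the regression. The `FIXED` table is taken from this page; the dpkg-query sample is constructed and all function names are mine.

```python
import itertools
import re

# Fixed source-package versions for LP: #1332643, taken from the changelog entries
# on the report (added example; the dpkg-query sample below is constructed).
FIXED = {
    "lucid":   "0.9.8k-7ubuntu8.19",
    "precise": "1.0.1-4ubuntu5.16",
    "saucy":   "1.0.1e-3ubuntu1.6",
    "trusty":  "1.0.1f-1ubuntu2.4",
    "utopic":  "1.0.1f-1ubuntu6",
}

def _cmp_nondigit(x, y):
    """dpkg ordering of a non-digit run: '~' < end-of-string < letters < others."""
    key = lambda c: -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
    for i in range(max(len(x), len(y))):
        if (d := key(x[i:i + 1]) - key(y[i:i + 1])):
            return d
    return 0

def _cmp_fragment(a, b):
    """Compare an upstream or revision string run by run: text runs by dpkg
    character order, digit runs numerically (so 'ubuntu10' sorts after 'ubuntu2')."""
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (ta, na), (tb, nb) in itertools.zip_longest(runs(a), runs(b), fillvalue=("", "")):
        if (d := _cmp_nondigit(ta, tb) or int(na or 0) - int(nb or 0)):
            return d
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' (epoch and revision are optional)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(release, installed):
    return compare_versions(installed, FIXED[release]) >= 0

# Constructed sample of: dpkg-query -W -f '${Package} ${Version}\n' openssl libssl1.0.0
SAMPLE_DPKG = "openssl 1.0.1f-1ubuntu2.3\nlibssl1.0.0 1.0.1f-1ubuntu2.4\n"

def check_dpkg_output(release, text):
    """Map each package in `dpkg-query -W` output to True if it is at or past the fix."""
    return {pkg: is_fixed(release, ver)
            for pkg, ver in (line.split() for line in text.splitlines() if line.strip())}
```

On a real host, feed the output of the `dpkg-query` command shown in the comment to `check_dpkg_output` with the release codename; a `False` entry means the package predates the version in which the regression fix shipped.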
Robert E. (resans) wrote :

Hello,

This bug was posted as a security issue ("Ubuntu Security Notice USN-2232-3") which has subsequently been opened within my organization as a "High" security problem. As far as I can tell, this is just a functional bug that might cause renegotiations (and subsequent data transfer) to fail in some situations but does not pose a security threat. Can anyone confirm or correct me?

Thanks

Marc Deslauriers (mdeslaur) wrote :

Correct, this is a functional regression that has no security impact.

Robert E. (resans) wrote :

Thanks!
