diff -u openssl-0.9.8k/debian/changelog openssl-0.9.8k/debian/changelog --- openssl-0.9.8k/debian/changelog +++ openssl-0.9.8k/debian/changelog @@ -1,3 +1,11 @@ +openssl (0.9.8k-7ubuntu8.19) lucid-security; urgency=medium + + * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643) + - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after + sending finished ssl/s3_clnt.c. + + -- Marc Deslauriers Fri, 20 Jun 2014 13:59:20 -0400 + openssl (0.9.8k-7ubuntu8.18) lucid-security; urgency=medium * SECURITY UPDATE: MITM via change cipher spec diff -u openssl-0.9.8k/debian/patches/series openssl-0.9.8k/debian/patches/series --- openssl-0.9.8k/debian/patches/series +++ openssl-0.9.8k/debian/patches/series @@ -66,0 +67 @@ +CVE-2014-0224-regression2.patch only in patch2: unchanged: --- openssl-0.9.8k.orig/debian/patches/CVE-2014-0224-regression2.patch +++ openssl-0.9.8k/debian/patches/CVE-2014-0224-regression2.patch @@ -0,0 +1,27 @@ +From 70d923fb0359ed68e59b8c59d1687ebff6f8d952 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Sat, 14 Jun 2014 22:24:08 +0100 +Subject: [PATCH] Accept CCS after sending finished. + +Allow CCS after finished has been sent by client: at this point +keys have been correctly set up so it is OK to accept CCS from +server. Without this renegotiation can sometimes fail. + +PR#3400 +(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41) +--- + ssl/s3_clnt.c | 1 + + 1 file changed, 1 insertion(+) + +Index: openssl-0.9.8k/ssl/s3_clnt.c +=================================================================== +--- openssl-0.9.8k.orig/ssl/s3_clnt.c 2014-06-20 13:58:38.875773758 -0400 ++++ openssl-0.9.8k/ssl/s3_clnt.c 2014-06-20 13:58:38.859773758 -0400 +@@ -435,6 +435,7 @@ + s->method->ssl3_enc->client_finished_label, + s->method->ssl3_enc->client_finished_label_len); + if (ret <= 0) goto end; ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->state=SSL3_ST_CW_FLUSH; + + /* clear flags */