[Bug 191799] [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early"

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jan 16 00:47:30 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191799

--- Comment #1 from Andrew Daugherity <andrew.daugherity at gmail.com> ---
Pasting in lost comments from the mailing list archives.  It seems I do not
have permissions to add the people to CC that Xin LI did in #2, so if someone
can redo that, it would be appreciated. 

FYI I browsed the openssl patch that just dropped (FreeBSD-SA-15:01.openssl)
and it appears to be unrelated to this issue (aside from making me buildworld
yet again).
========
--- Comment #1 from Andrew Daugherity <andrew.daugherity at gmail.com> ---
This bug still needs attention -- I have to rebuild libssl locally (with this
patch) after each openssl advisory.

For releng/10.1 it was fixed with the import of openssl 1.0.1i in r269686.  It
has not been fixed for releng/10.0, 9.3, or 8.4 (or 9.1/9.2, but those have
fallen out of support).

Can someone please add the 'patch' and 'regression' keywords (or whatever is
appropriate -- I apparently can't set them myself) so the appropriate people
see it and the patch can be reviewed/committed?  Thanks!


Xin LI <delphij at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |benl at FreeBSD.org,
                   |                            |delphij at FreeBSD.org,
                   |                            |jkim at FreeBSD.org

--- Comment #2 from Xin LI <delphij at FreeBSD.org> ---
(In reply to Andrew Daugherity from comment #1)
The change was superseded later by commit e94a6c0 [1], which looks like it needs
to be ported, too?

Adding OpenSSL maintainers for their opinion as well.

[1]
https://github.com/openssl/openssl/commit/e94a6c0ede623960728415b68650a595e48f5a43


--- Comment #3 from Andrew Daugherity <andrew.daugherity at gmail.com> ---
(In reply to Xin LI from comment #2)
Interestingly, that fix was not committed to the upstream OpenSSL_0_9_8-stable
branch.  No idea if that's an oversight or intentional.

If it was correctly omitted, then only FreeBSD 10.x would need the extra fix,
as 8.x and 9.x track 0.9.8 and would only need the original one-line patch.
========
