<div><br/>
<br/>
Thanks Michael! I suspect that we will see 2.2.2d in one of the upcoming releases from Oracle. While I would prefer to ship wheezy with no known security bugs, I don't have much time to build and test a new package. If someone else wants to do that I will gladly sponsor it.<br/><br/>-----Original Message-----<br/>From: Michael Stapelberg <stapelberg@debian.org><br/>To: Thijs Kinkhorst <thijs@debian.org>, 699886@bugs.debian.org, control@bugs.debian.org<br/>Sent: Wed, 27 Mar 2013 3:09<br/>Subject: [debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13)<br/><br/></div>Control: tags -1 +patch <br/>
<br/>
Hi Thijs, <br/>
<br/>
Thijs Kinkhorst <<a href="mailto:thijs@debian.org">thijs@debian.org</a>> writes: <br/>
> Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling <br/>
> of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing <br/>
> differences arising during MAC processing. Details of this attack can be <br/>
> found at: <a href="http://www.isg.rhul.ac.uk/tls/">http://www.isg.rhul.ac.uk/tls/</a> <br/>
> <br/>
> The issue has been fixed in upstream yaSSL 2.5.0: <br/>
> <a href="http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html">http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html</a> <br/>
Currently, MySQL uses yaSSL 2.2.2. yaSSL has released version 2.2.2d <br/>
which addresses this problem. <br/>
<br/>
I downloaded yassl-2.2.2.zip from <br/>
<a href="http://fossies.org/unix/privat/yassl-2.2.2.zip">http://fossies.org/unix/privat/yassl-2.2.2.zip</a> and yassl-2.2.2d.zip from <br/>
<a href="http://yassl.com/yaSSL/download">http://yassl.com/yaSSL/download</a> <br/>
<br/>
I then created a git repo in 2.2.2 and copied over the files from <br/>
2.2.2d. The following files differ: <br/>
<br/>
$ git status | grep 'modified' | grep -v '\.in$' | grep -v '\(INSTALL\|README\|aclocal.m4\|config.guess\|config.sub\|configure\|depcomp\|install-sh\|ltmain.sh\|missing\|mkinstalldirs\)' <br/>
# modified:   include/openssl/ssl.h <br/>
# modified:   include/yassl_error.hpp <br/>
# modified:   include/yassl_types.hpp <br/>
# modified:   src/handshake.cpp <br/>
# modified:   src/yassl_error.cpp <br/>
# modified:   src/yassl_imp.cpp <br/>
# modified:   taocrypt/include/asn.hpp <br/>
# modified:   taocrypt/include/sha.hpp <br/>
# modified:   taocrypt/src/asn.cpp <br/>
<br/>
I then created a patch and modified it so that it (somewhat) applies to <br/>
the MySQL source: <br/>
<br/>
git diff include/openssl/ssl.h include/yassl_error.hpp include/yassl_types.hpp src/handshake.cpp src/yassl_error.cpp src/yassl_imp.cpp taocrypt/include/asn.hpp taocrypt/include/sha.hpp taocrypt/src/asn.cpp > yassl.patch <br/>
sed -i 's,\([iw]\)/,\1/extra/yassl/,g' yassl.patch <br/>
dos2unix yassl.patch <br/>
<br/>
Then, I used quilt to get the patch in shape: <br/>
<br/>
cd /tmp/mysql-5.5-5.5.30+dfsg <br/>
export QUILT_PATCHES=debian/patches <br/>
quilt import ../yassl-2.2.2/yassl.patch <br/>
quilt push -f <br/>
# apply 4 hunks of the patch manually <br/>
quilt refresh <br/>
<br/>
I attached the result to this email, hopefully that helps. <br/>
Note that I didn’t compile and test MySQL. <br/>
<br/>
--  <br/>
Best regards, <br/>
Michael <br/>
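
An added example, not part of the original e-mail: the `sed` path rewrite used above applies to every line of the patch, so an "i/" or "w/" inside a hunk body is rewritten as well and that hunk no longer matches the source. The sketch below compares it with a header-only rewrite on a constructed patch; it assumes the patch uses git's mnemonic prefixes (i/, w/), that paths contain no spaces, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample patch in git's mnemonic-prefix form (assumed: i/ = index,
# w/ = work tree), with "i/" and "w/" also occurring inside the hunk body.
sample_patch() {
cat <<'EOF'
diff --git i/src/handshake.cpp w/src/handshake.cpp
--- i/src/handshake.cpp
+++ w/src/handshake.cpp
@@ -1,2 +1,2 @@
-    pad = i/2;
+    pad = i/4;
 // see w/notes
EOF
}

# The sed expression from the e-mail: rewrites every "i/" or "w/" in the patch.
rewrite_naive() {
    sed 's,\([iw]\)/,\1/extra/yassl/,g'
}

# Hypothetical header-only variant: counts down each hunk's declared length so
# body lines pass through untouched, and edits only the file header lines.
rewrite_headers() {
    awk -v d="extra/yassl/" '
    o_left > 0 || n_left > 0 {
        c = substr($0, 1, 1)
        if (c == "-") o_left--
        else if (c == "+") n_left--
        else if (c != "\\") { o_left--; n_left-- }   # context line
        print; next
    }
    /^@@ / {                                   # "@@ -a,b +c,d @@"
        split($2, o, ","); split($3, n, ",")
        o_left = (2 in o) ? o[2] + 0 : 1
        n_left = (2 in n) ? n[2] + 0 : 1
        print; next
    }
    /^diff --git / { for (f = 3; f <= 4; f++) sub(/^[iw]\//, "&" d, $f) }
    /^(---|\+\+\+) [iw]\// { sub(/ [iw]\//, "&" d) }
    { print }
    '
}

# Show both results for the constructed patch.
sample_patch | rewrite_naive
sample_patch | rewrite_headers
```

Running `quilt push` without `-f` on the header-only output shows which hunks genuinely fail against the target tree, rather than failing because the rewrite altered their content.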