[Pkg-openssl-devel] Bug#645805: Bug#645805: Potential DTLS crasher bug

Moritz Muehlenhoff jmm at inutil.org
Fri Dec 23 20:20:16 UTC 2011


On Wed, Oct 19, 2011 at 10:54:25PM +0200, Kurt Roeckx wrote:
> found 645805 0.9.8o-4
> thanks
> 
> On Tue, Oct 18, 2011 at 08:24:30PM +0200, Florian Weimer wrote:
> > Package: libssl0.9.8
> > Version: 0.9.8o-4squeeze3
> > 
> > It seems that there's a remotely triggerable OPENSSL_assert() in the
> > DTLS code:
> > 
> > | The reception of incomplete or incorrectly formatted DTLS fragments
> > | is handled with an OPENSSL_assert(), causing the program to exit
> > | rather than just terminating the connection. This patch exchanges
> > | the asserts with unexpected message and illegal parameter alerts.
> > 
> > <http://rt.openssl.org/Ticket/Display.html?id=2625&user=guest&pass=guest>
> > 
> > I don't know how functional the DTLS code in squeeze is, perhaps it's
> > necessary to fix this there, too.
> 
> I'm pretty sure we have people using DTLS in squeeze.
> 
> I currently don't have time to deal with this.

Kurt,
Can you fix this in the upcoming stable point update?

Cheers,
        Moritz
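As an added illustration of the failure mode the ticket quoted above describes, and not code from OpenSSL or from anyone in this thread: a C check of a DTLS handshake fragment header (the 12-byte header of RFC 6347 section 4.2.2) that returns a TLS alert description to the caller instead of asserting, so a malformed fragment costs one association rather than the whole process. The function and field names, the fragment_case helper and the constructed sample fragments are this example's own assumptions; the sequence-number and bounds rules it applies are a plausible shape for such a check, not a transcript of the OpenSSL patch.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS alert descriptions (RFC 5246 section 7.2.2) named in the ticket. */
#define ALERT_UNEXPECTED_MESSAGE 10
#define ALERT_ILLEGAL_PARAMETER  47

/* DTLS handshake fragment header (RFC 6347 section 4.2.2) is 12 bytes. */
#define DTLS_HM_HEADER_LENGTH 12

typedef struct {
    uint8_t  msg_type;
    uint32_t msg_len;   /* 24-bit: length of the fully reassembled message */
    uint16_t msg_seq;
    uint32_t frag_off;  /* 24-bit */
    uint32_t frag_len;  /* 24-bit */
} dtls_hm_header;

static uint32_t get24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

static void put24(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* Parse and validate one fragment header from a record body of rec_len bytes.
 * Returns 0 if the fragment may be copied into the reassembly buffer, otherwise
 * the alert description to send before closing this connection. An
 * OPENSSL_assert() on any of these conditions would abort the process instead. */
int dtls_check_fragment(const uint8_t *rec, size_t rec_len, uint16_t expected_seq,
                        dtls_hm_header *h)
{
    if (rec_len < DTLS_HM_HEADER_LENGTH)
        return ALERT_ILLEGAL_PARAMETER;     /* the header itself is truncated */
    h->msg_type = rec[0];
    h->msg_len  = get24(rec + 1);
    h->msg_seq  = (uint16_t)(((uint16_t)rec[4] << 8) | rec[5]);
    h->frag_off = get24(rec + 6);
    h->frag_len = get24(rec + 9);
    if (h->msg_seq != expected_seq)
        return ALERT_UNEXPECTED_MESSAGE;    /* not the handshake message we are waiting for */
    /* Both fields are 24-bit, so the sum fits in uint32_t and cannot wrap. */
    if (h->frag_off + h->frag_len > h->msg_len)
        return ALERT_ILLEGAL_PARAMETER;     /* fragment would overrun the reassembly buffer */
    if (h->frag_len > rec_len - DTLS_HM_HEADER_LENGTH)
        return ALERT_ILLEGAL_PARAMETER;     /* fragment claims more bytes than the record carries */
    return 0;
}

/* Copy a fragment that passed dtls_check_fragment into a buffer of h->msg_len bytes. */
static void dtls_store_fragment(uint8_t *msg, const uint8_t *rec, const dtls_hm_header *h)
{
    memcpy(msg + h->frag_off, rec + DTLS_HM_HEADER_LENGTH, h->frag_len);
}

/* Builds a constructed fragment (header plus body_len zero bytes) and returns the
 * check result, so each malformed case is a one-line call. Hypothetical helper. */
int fragment_case(uint32_t msg_len, uint16_t seq, uint32_t off, uint32_t flen,
                  size_t body_len, uint16_t expected_seq)
{
    uint8_t rec[DTLS_HM_HEADER_LENGTH + 256];
    dtls_hm_header h;
    if (body_len > sizeof rec - DTLS_HM_HEADER_LENGTH)
        body_len = sizeof rec - DTLS_HM_HEADER_LENGTH;
    memset(rec, 0, sizeof rec);
    rec[0] = 1;                                   /* ClientHello */
    put24(rec + 1, msg_len);
    rec[4] = (uint8_t)(seq >> 8); rec[5] = (uint8_t)seq;
    put24(rec + 6, off);
    put24(rec + 9, flen);
    return dtls_check_fragment(rec, DTLS_HM_HEADER_LENGTH + body_len, expected_seq, &h);
}

/* Feeds only the first rec_len bytes of an all-zero record to the check. */
int truncated_case(size_t rec_len)
{
    uint8_t rec[DTLS_HM_HEADER_LENGTH] = {0};
    dtls_hm_header h;
    if (rec_len > sizeof rec)
        rec_len = sizeof rec;
    return dtls_check_fragment(rec, rec_len, 0, &h);
}

int main(void)
{
    uint8_t msg[100];
    uint8_t rec[DTLS_HM_HEADER_LENGTH + 20];
    dtls_hm_header h;
    memset(rec, 0, sizeof rec);
    rec[0] = 1; put24(rec + 1, 100); put24(rec + 9, 20);   /* seq 0, offset 0, 20-byte fragment */
    if (dtls_check_fragment(rec, sizeof rec, 0, &h) == 0) {
        dtls_store_fragment(msg, rec, &h);
        printf("stored %" PRIu32 " bytes at offset %" PRIu32 " of a %" PRIu32 "-byte message\n",
               h.frag_len, h.frag_off, h.msg_len);
    }
    printf("fragment past end of message -> alert %d\n", fragment_case(100, 0, 90, 20, 20, 0));
    printf("wrong message_seq            -> alert %d\n", fragment_case(100, 1, 0, 20, 20, 0));
    return 0;
}
```

The point of returning an alert code rather than asserting is who pays for the bad input: a server multiplexing many DTLS associations in one process loses all of them when an assert fires on a single forged datagram, whereas an alert lets the caller send it and free only the offending association.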
