touch-packages team mailing list archive

Thread
Date

[Bug 1356843] Re: ccs received early errors after openssl security update

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1356843@xxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Aug 2014 18:02:00 -0000
Reply-to: Bug 1356843 <1356843@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.21

---------------
openssl (0.9.8k-7ubuntu8.21) lucid-security; urgency=medium

  * SECURITY UPDATE: Properly fix stateless session support (LP: #1356843)
    - fixes regression introduced with fix_renegotiation.patch.
    - debian/patches/fix_stateless_session.patch: added two commits from
      git to properly handle stateless sessions in ssl/s3_srvr.c,
      ssl/ssl_asn1.c, ssl/t1_lib.c.
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>   Mon, 18 Aug 2014 11:17:08 -0400

** Changed in: openssl (Ubuntu Lucid)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1356843

Title:
  ccs received early errors after openssl security update

Status in “openssl” package in Ubuntu:
  Invalid
Status in “postfix” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Fix Released
Status in “postfix” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Invalid
Status in “postfix” source package in Precise:
  Fix Released

Bug description:
  SRU request:

  [Impact]

  The CVE-2014-0224 update for openssl will now reject CCS messages when
  they are received before encryption is negotiated. This has caused an
  issue for certain sites attempting to send mail to Ubuntu 12.04
  servers running postfix. It turns out there is an incompatibility
  between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles
  session ids. This was fixed in Postfix 2.10.2, and the minimal fix is
  included in this debdiff.

  [Test Case]
  Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:

  relayhost = server b's FQDN
  smtp_tls_security_level = encrypt

  Server B = Ubuntu 12.04 with postfix configured to receive mail with
  forced tls:

  smtpd_tls_security_level = encrypt

  Send more than one mail from Server A to Server B, and see if the following error appears in mail.log:
  warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:

  [Regression potential]
  This patch disables TLS session tickets, which is what later postfix versions do. If this introduces a regression, it may cause TLS to ether fail completely, or to break when resuming sessions.

  Original description:

  Postfix is causing a TLS error, when relaying mails with TLS encryption:
  warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1356843/+subscriptions

References

[Bug 1356843] [NEW] ccs received early
From: Tim Ritberg, 2014-08-14