Re: [SECURITY] [DSA 2950-1] openssl security update

To: jmm@debian.org
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 2950-1] openssl security update
From: Florian Zumbiehl <florz@florz.de>
Date: Thu, 5 Jun 2014 16:46:35 +0200
Message-id: <[🔎] 20140605144635.GA12436@florz.florz.dyndns.org>
In-reply-to: <20140605115134.GA2278@pisco.westfalen.local>
References: <20140605115134.GA2278@pisco.westfalen.local>

Hi,

> Package        : openssl
> CVE ID         : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

is it intentional that you didn't fix CVE-2014-0198 and CVE-2010-5298?

The OpenSSL advisory is quite misleading with this:

| where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and
| not common.

SSL_MODE_RELEASE_BUFFERS is just an option one can enable at runtime using
SSL_CTX_set_mode() or SSL_set_mode() which happens to not be enabled by
default when you instantiate an SSL context or connection object, but is
not all that uncommon to be used for scalability purposes. Apache 2.4, for
example, has code to enable it (don't know exactly when it was merged, but
the version in wheezy seems to not have it yet) if you set MaxMemFree to
some non-zero value (zero being the default), nginx seems to enable it
unconditionally, even in the wheezy version, and I suspect there are more.

Regards, Florian

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 2950-1] openssl security update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: [SECURITY] [DSA 2949-1] linux security update
Next by Date: Re: [SECURITY] [DSA 2950-1] openssl security update
Previous by thread: Re: [SECURITY] [DSA 2949-1] linux security update
Next by thread: Re: [SECURITY] [DSA 2950-1] openssl security update
Index(es):
- Date
- Thread