[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Bug Watch Updater]

** Changed in: openssl
   Status: Unknown => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Launchpad Bug Tracker]

This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.4

---
openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
  arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c.
- CVE-2016-2177
  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
  crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
  ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
  ssl/ssl_locl.h.
- CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
  crypto/ts/ts_lib.c.
- CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
  records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
  in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
  crypto/bn/bn_print.c.
- CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
  to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
  ssl/t1_lib.c.
- CVE-2016-6302
  * SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
  crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
  * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
  handshake in ssl/t1_lib.c.
- CVE-2016-6304
  * SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
  ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
  larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306

 -- Marc Deslauriers   Thu, 22 Sep 2016
08:22:22 -0400

** Changed in: openssl (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2177

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2178

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2179

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2180

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2181

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2182

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2183

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6302

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6303

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6304

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-6306

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Marc Deslauriers]

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the
upstream openssl bug ticket 4559 and confirmed this problem is now
resolved.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Chris J Arges]

Hello Timo, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
1ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Also affects: openssl (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Launchpad Bug Tracker]

This bug was fixed in the package openssl - 1.0.2g-1ubuntu8

---
openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium

  * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953,
LP: #1591797, LP: #1588524)

 -- Marc Deslauriers   Mon, 15 Aug 2016
14:20:42 -0400

** Changed in: openssl (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Dave Chiluk]

For those affected by this in xenial, I have created a PPA with fips
removed from the openssl binaries.

See it here.
https://launchpad.net/~chiluk/+archive/ubuntu/openssl+nofips

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Dave Chiluk]

This needs to be resolved in Xenial as well.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

Investigating.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Dave Chiluk]

@Joy

It looks like the upstream bug has been rejected.  Do you know what the
resolution for this issue was?  Can you work with upstream to figure out
what's going on?

Thanks,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Dave Chiluk]

** Tags added: sts

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssl (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

Just as a note, the fips mode is not enabled in 1.0.2g-1ubuntu4.1. But
OPENSSL_FIPS is defined and its codes compiled in. Thus in
OPENSSL_init_library(), the RAND_init_fips() is included in.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

Waiting to see upstream commit/fix for this since this is an issue in
the upstream openssl code when OPENSSL_FIPS is defined.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

** Also affects: openssl via
   http://rt.openssl.org/Ticket/Display.html?id=4559
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

Ok, this is also "broken" or an issue in upstream openssl 1.0.2 when 
OPENSSL_FIPS is defined. 
See, https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or
http://rt.openssl.org/Ticket/Display.html?id=4559

** Bug watch added: OpenSSL RT #4559
   http://rt.openssl.org/Ticket/Display.html?id=4559

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Joy Latten]

Looking into this...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

[Marc Deslauriers]

** Changed in: openssl (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs