Hi Kurt,

On Fri, Jan 16, 2015 at 06:43:36PM +0100, Kurt Roeckx wrote:
> On Fri, Jan 16, 2015 at 04:17:59PM +0300, Andrey Semashev wrote:
> > Package: openssl
> > Version: 1.0.1e-2+deb7u14
> > Severity: important
> >
> > Dear Maintainer,
> >
> > I have an application which uses libwebrtc to communicate with third party
> > WebRTC clients, which are mostly Chrome and Firefox browsers.
> > libwebrtc used in my application is compiled with openssl support to
> > implement DTLS encryption while Chrome and Firefox, I believe, use libnss.
> >
> > After the 1.0.1e-2+deb7u14 update my application fails to connect to the
> > browsers. According to logs, DTLS handshake never completes and times out.
> >
> > Through experimenting I found out that the problem is with the patch for
> > CVE-2014-3571
> > (0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch).
> > If I rebuild the package without that patch the application starts
> > connecting again. It also works with 1.0.1e-2+deb7u13.
>
> There is an upstream bug report about the patch for CVE-2014-0206
> breaking it. Are you sure it's the right patch?
>
> The fix for that issue was to use SSL_CTX_set_read_ahead() setting
> it to 1. Can you check that fixes it for you?

Just to avoid confusion, I guess it is CVE-2015-0206, since
CVE-2014-0206 was for linux. Is it this bug you are referring to:

https://rt.openssl.org/Ticket/Display.html?id=3657

Regards,
Salvatore