Bug 1234801
| Summary: | Renegotiation seems partially broken in latest openssl | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Mraz <tmraz> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.2 | CC: | bruno, hkario, jeharris, jherrman, jprokes, ksrot, michele, mschuppe, praiskup, psklenar, qe-baseos-security, tgl, tmraz |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl-1.0.1e-51.el7 | Doc Type: | Bug Fix |
| Doc Text: | Under certain circumstances, the server-side renegotiation support previously did not work as expected. PostgreSQL database dumps through a TLS connection could fail when the size of the dumped data was larger than the value defined in the ssl_renegotiation_limit setting. The regression that caused this bug has been fixed, and PostgreSQL database dumps through a TLS connection no longer fail in the described situation. | | |
| Story Points: | --- | | |
| Clone Of: | 1234487 | | |
| : | 1234931 | Environment: | |
| Last Closed: | 2015-11-20 10:22:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1234931 | | |

Description
Tomas Mraz
2015-06-23 09:36:10 UTC
So our patch for the CVE-2015-1791 is the culprit. In the patch we included changes that depend on additional changes in the s3_clnt.c file and that breaks some cases of renegotiation. We need to fix that urgently.

This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well. For more information please see the zstream process documentation: https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp