regression in 1.0.1-4ubuntu5.6 causes connection errors

Bug #1134873 reported by Jason Hildebrand
This bug affects 9 people
Affects             Status         Importance   Assigned to        Milestone
OpenSSL             Fix Released   Unknown
openssl (Ubuntu)    Fix Released   High         Marc Deslauriers
  Precise           Fix Released   High         Marc Deslauriers
  Quantal           Fix Released   High         Marc Deslauriers
  Raring            Fix Released   High         Marc Deslauriers

Bug Description

In our workplace we have a subversion repository that is accessed via an apache proxy. The proxy runs mod_proxy and uses SSL between the SVN client and the proxy (does not use SSL between the proxy and the actual SVN server) on ubuntu 12.04 LTS 64-bit.

Yesterday some of our developers started getting strange error messages when using SVN, here is an example:
    svn: PROPFIND of '/svn/mike/test-django-tools/trunk/dev-packages': Could not read status line: SSL alert received: Bad record MAC

This error did not occur on every request, but if a particular request failed then it was generally reproducible.

Since nothing in our environment had changed, I checked our unattended-upgrades logfiles and saw that openssl and libssl had been updated to 1.0.1-4ubuntu5.6 on Feb 22.

After building previous version (1.0.1-4ubuntu5.5) and installing, the problem went away.
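Added triage example, not part of this report or of the Ubuntu openssl packaging: a small POSIX shell helper that (1) classifies client error lines like the svn message above as bad_record_mac versus other TLS errors, (2) flags the installed libssl1.0.0 version if it is one of the two this report names as regressed, (3) reports whether the CPU advertises AES-NI, which the changelog below ties the regression to, and (4) repeats a fixed-cipher handshake against a server many times, because the failures were intermittent and a single clean connection proves nothing. The probe target, the AES128-SHA cipher and the 50-try default are illustrative assumptions, not taken from the report; on newer OpenSSL builds you may need to pin TLS 1.2 so that a CBC cipher is actually negotiated.

```shell
#!/bin/sh
# Added triage helper for the intermittent "Bad record MAC" failures described
# in this report.  Example code, not part of the report or of the Ubuntu
# openssl packaging.  Assumptions (not stated in the report): the probe target,
# cipher name and repeat count below are illustrative defaults.

# Classify one client-side error line.  Prints one of:
#   bad_record_mac - the symptom in this report (peer alert or local MAC check)
#   tls_error      - some other SSL/TLS failure
#   other          - no TLS failure visible in the line
classify_tls_error() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"bad record mac"*|*bad_record_mac*) echo bad_record_mac ;;
        *"ssl alert"*|*"error:"*|*"handshake failure"*) echo tls_error ;;
        *) echo other ;;
    esac
}

# Count stdin lines that classify as bad_record_mac (works on svn client
# output, openssl s_client output, or an Apache error log).
count_bad_mac() {
    hits=0
    while IFS= read -r l || [ -n "$l" ]; do
        if [ "$(classify_tls_error "$l")" = bad_record_mac ]; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Package versions this report names as carrying the regression: Precise
# (1.0.1-4ubuntu5.6) and Quantal (1.0.1c-3ubuntu2.1).  The regressed Raring
# version is not named in the report, so it is deliberately not listed.
is_regressed_version() {
    case "$1" in
        1.0.1-4ubuntu5.6|1.0.1c-3ubuntu2.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Installed libssl version plus whether the CPU advertises AES-NI, since the
# changelog ties the regression to AES-NI hardware.
host_summary() {
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null || true)
        if [ -n "$ver" ]; then
            if is_regressed_version "$ver"; then
                echo "libssl1.0.0 $ver: version named in LP #1134873 as regressed"
            else
                echo "libssl1.0.0 $ver"
            fi
        else
            echo "libssl1.0.0: not installed"
        fi
    fi
    if grep -qw aes /proc/cpuinfo 2>/dev/null; then
        echo "AES-NI: yes (cpuinfo advertises the aes flag)"
    else
        echo "AES-NI: no or unknown"
    fi
}

# Repeat a TLS handshake plus a small HTTP request against host:port with a
# fixed CBC cipher and count attempts that hit bad_record_mac.  The failures in
# this report were intermittent, so one clean connection proves nothing.
probe_bad_mac() {
    host=$1; port=$2; cipher=${3:-AES128-SHA}; tries=${4:-50}
    fails=0; i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(printf 'HEAD / HTTP/1.0\r\n\r\n' \
              | openssl s_client -connect "$host:$port" -cipher "$cipher" 2>&1) || true
        if [ "$(printf '%s\n' "$out" | count_bad_mac)" -gt 0 ]; then
            fails=$((fails + 1))
        fi
        i=$((i + 1))
    done
    echo "$fails/$tries attempts hit bad_record_mac against $host:$port ($cipher)"
}

# Usage: sh probe.sh HOST PORT [CIPHER] [TRIES]
# e.g.   sh probe.sh svn-proxy.example.internal 443   (hypothetical host)
if [ "$#" -ge 2 ]; then
    host_summary
    probe_bad_mac "$@"
fi
```

Run it on the proxy host itself and on a client with and without AES-NI; a nonzero hit count only on the AES-NI machine, disappearing after downgrading or upgrading libssl1.0.0, is the pattern this report describes.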

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Anton Lindstrom (anton+ubuntu) wrote :

This bug also seems to affect the following releases in Ubuntu 10.10:

openssl 1.0.1c-3ubuntu2.1
libssl1.0.0:amd64 1.0.1c-3ubuntu2.1

Jan Kellermann (jan-kellermann) wrote :

Same problem here with libapache2-svn w/o mod_proxy on ubuntu 12.04

Changed in openssl (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

I believe this only affects openssl 1.0.1. Has anyone seen a similar regression on Ubuntu 8.04, 10.04, or 11.10?

Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Quantal):
status: New → Confirmed
Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
Changed in openssl (Ubuntu Precise):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.7

---------------
openssl (1.0.1-4ubuntu5.7) precise-security; urgency=low

  * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
    LP: #1133333)
    - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
      available from upstream.
 -- Marc Deslauriers <email address hidden> Thu, 28 Feb 2013 11:00:13 -0500

Changed in openssl (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.2

---------------
openssl (1.0.1c-3ubuntu2.2) quantal-security; urgency=low

  * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
    LP: #1133333)
    - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
      available from upstream.
 -- Marc Deslauriers <email address hidden> Thu, 28 Feb 2013 10:56:42 -0500

Changed in openssl (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1c-4ubuntu5

---------------
openssl (1.0.1c-4ubuntu5) raring; urgency=low

  * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
    LP: #1133333)
    - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
      available from upstream.
 -- Marc Deslauriers <email address hidden> Thu, 28 Feb 2013 11:01:29 -0500

Changed in openssl (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in openssl:
status: Unknown → New
Jan Kellermann (jan-kellermann) wrote :

On precise we have no problems after the new upgrade. thank you guys for very quick response and work.

Anton Lindstrom (anton+ubuntu) wrote :

Validated fixed in Ubuntu 12.10 as well, thanks for the awesome work and quick fix!

Mrten (bugzilla-ii) wrote :

I understand the reason for the openssl 1.0.1e release is exactly this corruption.

http://www.openssl.org/source/exp/CHANGES

Can we upgrade to 1.0.1e like debian has?

Marc Deslauriers (mdeslaur) wrote :

We already had the changes from 1.0.1e in our security backport, and debian is currently having similar issues with 1.0.1e. See the upstream bug report linked at the top of this bug.

Mrten (bugzilla-ii) wrote :

Thanks for clarifying!

For the unsuspecting newcomer: Username/pass for rt.openssl.org is guest/guest.

I had looked at the upstream bug but hit the login-wall and looked no further. This time I googled some more and found http://www.openssl.org/support/rt.html.

Marc Deslauriers (mdeslaur) wrote :

We have updated openssl packages for Precise and Quantal that now re-enable the security fix, along with an extra commit from upstream that should fix the regressions people were seeing. The packages are currently in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages

I would appreciate if you could test these updated packages and report if they work in your specific environment, and don't contain the regression you previously reported.

Thanks.

Jason Hildebrand (jason-opensky) wrote :

I have installed it and asked our team to let me know if they see any issues. Last time we didn't notice the regressions for several days after the update, so I recommend you give it some time before considering it stable.

Changed in openssl:
status: New → Fix Released