Copied from
ubuntu trusty in
Private PPA for Ubuntu Security Team
by Ubuntu Archive Robot
Changelog
openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium
[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
(LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/CVE-2013-0166.patch: properly handle NULL key in
crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
- debian/patches/CVE-2012-0884.patch: use a random key if RSA
decryption fails to avoid leaking timing information
- debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
errors in PKCS7_decrypt and initialize tkeylen properly when
encrypting CMS messages.
- CVE-2012-0884
[ Marc Deslauriers ]
* debian/patches/rehash_pod.patch: updated to fix FTBFS.
* debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
-- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:13:28 -0400