Change log for openssl package in Ubuntu
| 1 → 75 of 308 results | First • Previous • Next • Last |
openssl (1.0.2g-1ubuntu4.10) xenial-security; urgency=medium
* SECURITY UPDATE: Read/write after SSL object in error state
- debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
add to test/Makefile.
- debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
fatal error in ssl/ssl.h.
- debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
ssl/fatalerrtest.c, test/Makefile.
- CVE-2017-3737
* SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
- debian/patches/CVE-2017-3738.patch: fix digit correction bug in
crypto/bn/asm/rsaz-avx2.pl.
- CVE-2017-3738
-- Marc Deslauriers <email address hidden> Thu, 07 Dec 2017 13:17:37 -0500
Available diffs
openssl (1.0.2g-1ubuntu13.3) artful-security; urgency=medium
* SECURITY UPDATE: Read/write after SSL object in error state
- debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
add to test/Makefile.
- debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
fatal error in ssl/ssl.h.
- debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
ssl/fatalerrtest.c, test/Makefile.
- CVE-2017-3737
* SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
- debian/patches/CVE-2017-3738.patch: fix digit correction bug in
crypto/bn/asm/rsaz-avx2.pl.
- CVE-2017-3738
-- Marc Deslauriers <email address hidden> Thu, 07 Dec 2017 13:16:22 -0500
Available diffs
openssl (1.0.2g-1ubuntu11.4) zesty-security; urgency=medium
* SECURITY UPDATE: Read/write after SSL object in error state
- debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
add to test/Makefile.
- debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
fatal error in ssl/ssl.h.
- debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
ssl/fatalerrtest.c, test/Makefile.
- CVE-2017-3737
* SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
- debian/patches/CVE-2017-3738.patch: fix digit correction bug in
crypto/bn/asm/rsaz-avx2.pl.
- CVE-2017-3738
-- Marc Deslauriers <email address hidden> Thu, 07 Dec 2017 13:16:57 -0500
Available diffs
| Published in bionic-proposed on 2017-12-07 |
openssl (1.0.2g-1ubuntu15) bionic; urgency=medium
* SECURITY UPDATE: Read/write after SSL object in error state
- debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
add to test/Makefile.
- debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
fatal error in ssl/ssl.h.
- debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
ssl/fatalerrtest.c, test/Makefile.
- CVE-2017-3737
* SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
- debian/patches/CVE-2017-3738.patch: fix digit correction bug in
crypto/bn/asm/rsaz-avx2.pl.
- CVE-2017-3738
-- Marc Deslauriers <email address hidden> Thu, 07 Dec 2017 13:13:10 -0500
Available diffs
openssl (1.0.2g-1ubuntu14) bionic; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
* SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
- debian/patches/CVE-2017-3736.patch: fix carry bug in
bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3736
* debian/patches/fix_armhf_ftbfs.patch: fix build with gcc-7.2 on armhf.
(LP: #1729850)
-- Marc Deslauriers <email address hidden> Mon, 06 Nov 2017 07:56:00 -0500
Available diffs
openssl (1.0.2g-1ubuntu13.2) artful-security; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
* SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
- debian/patches/CVE-2017-3736.patch: fix carry bug in
bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3736
* debian/patches/fix_armhf_ftbfs.patch: fix build with gcc-7.2 on armhf.
(LP: #1729850)
-- Marc Deslauriers <email address hidden> Mon, 06 Nov 2017 07:56:00 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.23) trusty-security; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
-- Marc Deslauriers <email address hidden> Thu, 02 Nov 2017 11:30:53 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.9) xenial-security; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
* SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
- debian/patches/CVE-2017-3736.patch: fix carry bug in
bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3736
-- Marc Deslauriers <email address hidden> Thu, 02 Nov 2017 11:28:46 -0400
Available diffs
openssl (1.0.2g-1ubuntu11.3) zesty-security; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
* SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
- debian/patches/CVE-2017-3736.patch: fix carry bug in
bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3736
-- Marc Deslauriers <email address hidden> Thu, 02 Nov 2017 11:28:12 -0400
Available diffs
| Superseded in zesty-updates on 2017-11-06 |
| Deleted in zesty-proposed on 2017-11-08 (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu11.2) zesty; urgency=medium
* aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
(LP: #1674399)
-- William Grant <email address hidden> Fri, 19 May 2017 18:29:44 +1000
Available diffs
openssl (1.0.2g-1ubuntu9.3) yakkety; urgency=medium
* aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
(LP: #1674399)
-- William Grant <email address hidden> Fri, 19 May 2017 18:25:11 +1000
Available diffs
| Superseded in xenial-updates on 2017-11-06 |
| Deleted in xenial-proposed on 2017-11-08 (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu4.8) xenial; urgency=medium
* aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
(LP: #1674399)
-- William Grant <email address hidden> Fri, 19 May 2017 18:27:58 +1000
Available diffs
| Superseded in bionic-release on 2017-12-04 |
| Published in artful-release on 2017-05-26 |
| Deleted in artful-proposed (Reason: moved to release) |
openssl (1.0.2g-1ubuntu13) artful; urgency=medium
* aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
(LP: #1674399)
-- William Grant <email address hidden> Fri, 19 May 2017 18:31:50 +1000
Available diffs
- diff from 1.0.2g-1ubuntu12 to 1.0.2g-1ubuntu13 (835 bytes)
| Superseded in xenial-proposed on 2017-05-19 |
openssl (1.0.2g-1ubuntu4.7) xenial; urgency=medium * crypto/x86*cpuid.pl: move extended feature detection. (LP: #1674399) This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. -- Eric Desrochers <email address hidden> Wed, 26 Apr 2017 09:08:02 -0400
Available diffs
| Superseded in zesty-proposed on 2017-05-19 |
openssl (1.0.2g-1ubuntu11.1) zesty; urgency=medium * crypto/x86*cpuid.pl: move extended feature detection. (LP: #1674399) This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. -- Eric Desrochers <email address hidden> Thu, 27 Apr 2017 20:36:21 -0400
Available diffs
| Superseded in yakkety-proposed on 2017-05-19 |
openssl (1.0.2g-1ubuntu9.2) yakkety; urgency=medium * crypto/x86*cpuid.pl: move extended feature detection. (LP: #1674399) This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. -- Eric Desrochers <email address hidden> Thu, 27 Apr 2017 21:38:36 -0400
Available diffs
| Superseded in artful-release on 2017-05-26 |
| Deleted in artful-proposed on 2017-05-28 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu12) artful; urgency=medium * crypto/x86*cpuid.pl: move extended feature detection. (LP: #1674399) This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. -- Eric Desrochers <email address hidden> Tue, 25 Apr 2017 18:16:18 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.22) trusty-security; urgency=medium
* SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177-pre.patch: check for ClientHello message
overruns in ssl/s3_srvr.c.
- debian/patches/CVE-2016-2177-pre2.patch: validate ClientHello
extension field length in ssl/t1_lib.c.
- debian/patches/CVE-2016-2177-pre3.patch: pass in a limit rather than
calculate it in ssl/s3_srvr.c, ssl/ssl_locl.h, ssl/t1_lib.c.
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
arithmetic in ssl/s3_srvr.c, ssl/t1_lib.c,
- CVE-2016-2177
* SECURITY UPDATE: ECDSA P-256 timing attack key recovery
- debian/patches/CVE-2016-7056.patch: use BN_mod_exp_mont_consttime in
crypto/ec/ec.h, crypto/ec/ec_lcl.h, crypto/ec/ec_lib.c,
crypto/ecdsa/ecs_ossl.c.
- CVE-2016-7056
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731-pre.patch: sanity check
EVP_CTRL_AEAD_TLS_AAD in crypto/evp/e_aes.c,
crypto/evp/e_aes_cbc_hmac_sha1.c, crypto/evp/e_rc4_hmac_md5.c,
crypto/evp/evp.h, ssl/t1_enc.c.
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
-- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 11:38:06 -0500
Available diffs
openssl (1.0.1-4ubuntu5.39) precise-security; urgency=medium
* SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177-pre.patch: check for ClientHello message
overruns in ssl/s3_srvr.c.
- debian/patches/CVE-2016-2177-pre2.patch: validate ClientHello
extension field length in ssl/t1_lib.c.
- debian/patches/CVE-2016-2177-pre3.patch: pass in a limit rather than
calculate it in ssl/s3_srvr.c, ssl/ssl_locl.h, ssl/t1_lib.c.
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
arithmetic in ssl/s3_srvr.c, ssl/t1_lib.c,
- CVE-2016-2177
* SECURITY UPDATE: ECDSA P-256 timing attack key recovery
- debian/patches/CVE-2016-7056.patch: use BN_mod_exp_mont_consttime in
crypto/ec/ec.h, crypto/ec/ec_lcl.h, crypto/ec/ec_lib.c,
crypto/ecdsa/ecs_ossl.c.
- CVE-2016-7056
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731-pre.patch: sanity check
EVP_CTRL_AEAD_TLS_AAD in crypto/evp/e_aes.c,
crypto/evp/e_aes_cbc_hmac_sha1.c, crypto/evp/e_rc4_hmac_md5.c,
crypto/evp/evp.h, ssl/t1_enc.c.
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
-- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 14:30:36 -0500
Available diffs
openssl (1.0.2g-1ubuntu4.6) xenial-security; urgency=medium
* SECURITY UPDATE: Montgomery multiplication may produce incorrect
results
- debian/patches/CVE-2016-7055.patch: fix logic in
crypto/bn/asm/x86_64-mont.pl.
- CVE-2016-7055
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
* SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
- debian/patches/CVE-2017-3732.patch: fix carry bug in
bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3732
-- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 10:31:12 -0500
Available diffs
openssl (1.0.2g-1ubuntu9.1) yakkety-security; urgency=medium
* SECURITY UPDATE: Montgomery multiplication may produce incorrect
results
- debian/patches/CVE-2016-7055.patch: fix logic in
crypto/bn/asm/x86_64-mont.pl.
- CVE-2016-7055
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
* SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
- debian/patches/CVE-2017-3732.patch: fix carry bug in
bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3732
-- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 09:55:10 -0500
Available diffs
| Superseded in artful-release on 2017-04-27 |
| Published in zesty-release on 2017-02-16 |
| Deleted in zesty-proposed (Reason: moved to release) |
openssl (1.0.2g-1ubuntu11) zesty; urgency=medium
* SECURITY UPDATE: Montgomery multiplication may produce incorrect
results
- debian/patches/CVE-2016-7055.patch: fix logic in
crypto/bn/asm/x86_64-mont.pl.
- CVE-2016-7055
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
* SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
- debian/patches/CVE-2017-3732.patch: fix carry bug in
bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl.
- CVE-2017-3732
-- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 09:00:43 -0500
Available diffs
| Superseded in zesty-release on 2017-02-16 |
| Deleted in zesty-proposed on 2017-02-18 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu10) zesty; urgency=medium * Provide libssl1.0-dev metapackage to satisfy dep-waits. -- Dimitri John Ledkov <email address hidden> Thu, 10 Nov 2016 17:26:33 +0000
Available diffs
- diff from 1.0.2g-1ubuntu9 to 1.0.2g-1ubuntu10 (698 bytes)
| Superseded in zesty-release on 2016-11-11 |
| Published in yakkety-release on 2016-09-28 |
| Deleted in yakkety-proposed (Reason: moved to release) |
openssl (1.0.2g-1ubuntu9) yakkety; urgency=medium
* SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c.
- CVE-2016-2177
* SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
* SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
ssl/ssl_locl.h.
- CVE-2016-2179
* SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
crypto/ts/ts_lib.c.
- CVE-2016-2180
* SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
* SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
crypto/bn/bn_print.c.
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
check in crypto/bn/bn_print.c.
- CVE-2016-2182
* SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
* SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
ssl/t1_lib.c.
- CVE-2016-6302
* SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
* SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
handshake in ssl/t1_lib.c.
- CVE-2016-6304
* SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306
-- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 11:00:22 -0400
Available diffs
- diff from 1.0.2g-1ubuntu8 to 1.0.2g-1ubuntu9 (15.1 KiB)
openssl (1.0.1-4ubuntu5.38) precise-security; urgency=medium * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883) - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow check in crypto/bn/bn_print.c. -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 07:59:32 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.5) xenial-security; urgency=medium * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883) - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow check in crypto/bn/bn_print.c. -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 08:00:13 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883) - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow check in crypto/bn/bn_print.c. -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 07:57:00 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium
* SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
* SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
ssl/ssl_locl.h.
- CVE-2016-2179
* SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
crypto/ts/ts_lib.c.
- CVE-2016-2180
* SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
* SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
crypto/bn/bn_print.c.
- CVE-2016-2182
* SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
* SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
ssl/t1_lib.c.
- CVE-2016-6302
* SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
* SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
handshake in ssl/t1_lib.c.
- CVE-2016-6304
* SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306
* SECURITY REGRESSION: DTLS regression (LP: #1622500)
- debian/patches/CVE-2014-3571-3.patch: make DTLS always act as if
read_ahead is set in ssl/s3_pkt.c.
* debian/patches/update-expired-smime-test-certs.patch: Update test
certificates that have expired and caused build test failures.
-- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 13:38:15 -0400
Available diffs
openssl (1.0.1-4ubuntu5.37) precise-security; urgency=medium
* SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
* SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
ssl/ssl_locl.h.
- CVE-2016-2179
* SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
crypto/ts/ts_lib.c.
- CVE-2016-2180
* SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
* SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
crypto/bn/bn_print.c.
- CVE-2016-2182
* SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
* SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
ssl/t1_lib.c.
- CVE-2016-6302
* SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
* SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
handshake in ssl/t1_lib.c.
- CVE-2016-6304
* SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306
* SECURITY REGRESSION: DTLS regression (LP: #1622500)
- debian/patches/CVE-2014-3571-3.patch: make DTLS always act as if
read_ahead is set in ssl/s3_pkt.c.
* debian/patches/update-expired-smime-test-certs.patch: Update test
certificates that have expired and caused build test failures.
-- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 13:39:47 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium
* SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c.
- CVE-2016-2177
* SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
* SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
ssl/ssl_locl.h.
- CVE-2016-2179
* SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
crypto/ts/ts_lib.c.
- CVE-2016-2180
* SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
* SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
crypto/bn/bn_print.c.
- CVE-2016-2182
* SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
* SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
ssl/t1_lib.c.
- CVE-2016-6302
* SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
* SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
handshake in ssl/t1_lib.c.
- CVE-2016-6304
* SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306
-- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 08:22:22 -0400
Available diffs
| Deleted in xenial-proposed on 2016-09-24 (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu4.3) xenial; urgency=medium * Remove incomplete FIPS patches for now. (LP: #1614210) (related bugs: LP: #1594748, LP: #1593953, LP: #1591797, LP: #1588524) - debian/patches/*fips*.patch: removed. - debian/rules: removed fips from CONFARGS. -- Marc Deslauriers <email address hidden> Fri, 19 Aug 2016 13:03:55 -0400
Available diffs
- diff from 1.0.2g-1ubuntu4.2 to 1.0.2g-1ubuntu4.3 (150.0 KiB)
| Superseded in yakkety-release on 2016-09-28 |
| Deleted in yakkety-proposed on 2016-09-29 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953, LP: #1591797, LP: #1588524) -- Marc Deslauriers <email address hidden> Mon, 15 Aug 2016 14:20:42 -0400
Available diffs
- diff from 1.0.2g-1ubuntu7 to 1.0.2g-1ubuntu8 (149.9 KiB)
| Superseded in xenial-updates on 2016-09-22 |
| Deleted in xenial-proposed on 2016-09-24 (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu4.2) xenial; urgency=medium
* Cherry-pick s390x assembly pack bugfix to cache capability query
results for improved performance. LP: #1601836.
* Enable asm optimisations on s390x. LP: #1602655.
-- Dimitri John Ledkov <email address hidden> Thu, 28 Jul 2016 15:37:07 +0300
Available diffs
| Superseded in yakkety-release on 2016-08-22 |
| Deleted in yakkety-proposed on 2016-08-23 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu7) yakkety; urgency=medium
* Cherry-pick s390x assembly pack bugfix to cache capability query
results for improved performance. LP: #1601836.
-- Dimitri John Ledkov <email address hidden> Mon, 01 Aug 2016 16:58:01 +0100
Available diffs
| Superseded in yakkety-release on 2016-08-02 |
| Deleted in yakkety-proposed on 2016-08-03 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu6) yakkety; urgency=medium * Enable asm optimisations on s390x. LP: #1602655. -- Dimitri John Ledkov <email address hidden> Thu, 28 Jul 2016 15:37:07 +0300
Available diffs
| Superseded in yakkety-release on 2016-08-01 |
| Deleted in yakkety-proposed on 2016-08-02 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu5) yakkety; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c,
crypto/evp/e_aes_cbc_hmac_sha256.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
-- Marc Deslauriers <email address hidden> Thu, 23 Jun 2016 08:33:31 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.19) trusty-security; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
marked as negative in crypto/asn1/a_int.c.
- debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
* debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
to 1024.
-- Marc Deslauriers <email address hidden> Thu, 28 Apr 2016 11:22:20 -0400
Available diffs
openssl (1.0.1-4ubuntu5.36) precise-security; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
marked as negative in crypto/asn1/a_int.c.
- debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
* debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
to 1024.
-- Marc Deslauriers <email address hidden> Thu, 28 Apr 2016 11:45:24 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.1) xenial-security; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c,
crypto/evp/e_aes_cbc_hmac_sha256.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
-- Marc Deslauriers <email address hidden> Thu, 28 Apr 2016 09:15:39 -0400
Available diffs
openssl (1.0.2d-0ubuntu1.5) wily-security; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c,
crypto/evp/e_aes_cbc_hmac_sha256.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
* debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
to 1024.
-- Marc Deslauriers <email address hidden> Thu, 28 Apr 2016 10:00:31 -0400
Available diffs
| Superseded in yakkety-release on 2016-07-11 |
| Published in xenial-release on 2016-04-15 |
| Deleted in xenial-proposed (Reason: moved to release) |
openssl (1.0.2g-1ubuntu4) xenial; urgency=medium
* Rename Fedora-imported FIPS patches to the names they have in Fedora, add
correct "Origin:" tags, and move Ubuntu modifications in them into
openssl-1.0.2g-ubuntu-fips-cleanup.patch.
-- Joy Latten <email address hidden> Fri, 15 Apr 2016 06:58:01 +0200
Available diffs
- diff from 1.0.2g-1ubuntu3 to 1.0.2g-1ubuntu4 (77.7 KiB)
| Superseded in xenial-release on 2016-04-15 |
| Deleted in xenial-proposed on 2016-04-16 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu3) xenial; urgency=medium * Add fips support to openssl, LP: #1553309 - debian/patches/openssl-1.0.2g-fips.patch: [PATCH 1/6] Add selftest, fips support, crypto compliance and define OPENSSL_FIPS. - debian/patches/openssl-1.0.2g-fips-ec.patch: [PATCH 2/6] Add fips compliance for EC curves. - debian/patches/openssl-1.0.2g-fips-md5-allow.patch: [PATCH 3/6] Allow md5 in fips mode. - debian/patches/openssl-1.0.2g-fips-ctor.patch: [PATCH 4/6] Re-factor integrity check for fips mode. - debian/patches/openssl-1.0.2g-new-fips-reqs.patch: [PATCH 5/6] New fips requirements. - debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch: [PATCH 6/6] Cleanup compiler warnings, use upstream error codes, DSA, DSA2, fips_utl.h; add additional upstream tests to fips_test_suite; allow all EC curves. -- Joy Latten <email address hidden> Tue, 12 Apr 2016 15:33:50 -0500
Available diffs
- diff from 1.0.2g-1ubuntu2 to 1.0.2g-1ubuntu3 (145.1 KiB)
| Superseded in xenial-release on 2016-04-13 |
| Deleted in xenial-proposed on 2016-04-15 (Reason: moved to release) |
openssl (1.0.2g-1ubuntu2) xenial; urgency=medium
* debian/patches/arm64-aarch64_asm.patch: Enable aarch64 asm routines
(LP: #1552939).
-- dann frazier <email address hidden> Mon, 07 Mar 2016 10:03:26 -0700
Available diffs
- diff from 1.0.2f-2ubuntu1 to 1.0.2g-1ubuntu2 (56.2 KiB)
- diff from 1.0.2g-1ubuntu1 to 1.0.2g-1ubuntu2 (1.0 KiB)
| Superseded in xenial-proposed on 2016-03-07 |
openssl (1.0.2g-1ubuntu1) xenial; urgency=medium
* Merge with Debian, remaining changes.
- Disable SSLv3 without changing ABI:
+ debian/patches/no-sslv3.patch: Disable SSLv3 without using the
no-ssl3-method option
+ debian/rules: don't use no-ssl3-method, don't bump soname
+ debian/patches/engines-path.patch: don't bump soname
+ debian/patches/version-script.patch: don't bump soname
+ debian/patches/soname.patch: removed
+ debian/lib*: don't bump soname
- debian/control: don't enable rfc3779 and cms support for now as it
changes ABI.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
Available diffs
- diff from 1.0.2f-2ubuntu1 to 1.0.2g-1ubuntu1 (55.5 KiB)
openssl (1.0.1-4ubuntu5.35) precise-security; urgency=medium
* SECURITY UPDATE: side channel attack on modular exponentiation
- debian/patches/CVE-2016-0702.patch: use constant-time calculations in
crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
- CVE-2016-0702
* SECURITY UPDATE: double-free in DSA code
- debian/patches/CVE-2016-0705.patch: fix double-free in
crypto/dsa/dsa_ameth.c.
- CVE-2016-0705
* SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
- debian/patches/CVE-2016-0797.patch: prevent overflow in
crypto/bn/bn_print.c, crypto/bn/bn.h.
- CVE-2016-0797
* SECURITY UPDATE: memory leak in SRP database lookups
- debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
introduce new SRP_VBASE_get1_by_user function that handled seed
properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
util/libeay.num, openssl.ld.
- CVE-2016-0798
* SECURITY UPDATE: memory issues in BIO_*printf functions
- debian/patches/CVE-2016-0799.patch: prevent overflow in
crypto/bio/b_print.c.
- CVE-2016-0799
* debian/patches/preserve_digests_for_sni.patch: preserve negotiated
digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
(LP: #1550643)
-- Marc Deslauriers <email address hidden> Mon, 29 Feb 2016 08:01:48 -0500
Available diffs
openssl (1.0.2d-0ubuntu1.4) wily-security; urgency=medium
* SECURITY UPDATE: side channel attack on modular exponentiation
- debian/patches/CVE-2016-0702.patch: use constant-time calculations in
crypto/bn/asm/rsaz-avx2.pl, crypto/bn/asm/rsaz-x86_64.pl,
crypto/bn/asm/x86_64-mont.pl, crypto/bn/asm/x86_64-mont5.pl,
crypto/bn/bn_exp.c.
- CVE-2016-0702
* SECURITY UPDATE: double-free in DSA code
- debian/patches/CVE-2016-0705.patch: fix double-free in
crypto/dsa/dsa_ameth.c.
- CVE-2016-0705
* SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
- debian/patches/CVE-2016-0797.patch: prevent overflow in
crypto/bn/bn_print.c, crypto/bn/bn.h.
- CVE-2016-0797
* SECURITY UPDATE: memory leak in SRP database lookups
- debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
introduce new SRP_VBASE_get1_by_user function that handled seed
properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
util/libeay.num, openssl.ld.
- CVE-2016-0798
* SECURITY UPDATE: memory issues in BIO_*printf functions
- debian/patches/CVE-2016-0799.patch: prevent overflow in
crypto/bio/b_print.c.
- CVE-2016-0799
-- Marc Deslauriers <email address hidden> Mon, 29 Feb 2016 07:43:21 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.18) trusty-security; urgency=medium
* SECURITY UPDATE: side channel attack on modular exponentiation
- debian/patches/CVE-2016-0702.patch: use constant-time calculations in
crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
- CVE-2016-0702
* SECURITY UPDATE: double-free in DSA code
- debian/patches/CVE-2016-0705.patch: fix double-free in
crypto/dsa/dsa_ameth.c.
- CVE-2016-0705
* SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
- debian/patches/CVE-2016-0797.patch: prevent overflow in
crypto/bn/bn_print.c, crypto/bn/bn.h.
- CVE-2016-0797
* SECURITY UPDATE: memory leak in SRP database lookups
- debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
introduce new SRP_VBASE_get1_by_user function that handled seed
properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
util/libeay.num, openssl.ld.
- CVE-2016-0798
* SECURITY UPDATE: memory issues in BIO_*printf functions
- debian/patches/CVE-2016-0799.patch: prevent overflow in
crypto/bio/b_print.c.
- CVE-2016-0799
* debian/patches/preserve_digests_for_sni.patch: preserve negotiated
digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
(LP: #1550643)
-- Marc Deslauriers <email address hidden> Mon, 29 Feb 2016 07:56:15 -0500
Available diffs
openssl (1.0.1-4ubuntu5.34) precise-security; urgency=medium
* debian/patches/alt-cert-chains-*.patch: backport series of upstream
commits to add alternate chains support. This will allow the future
removal of 1024-bit RSA keys from the ca-certificates package.
-- Marc Deslauriers <email address hidden> Mon, 08 Feb 2016 09:15:37 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.17) trusty-security; urgency=medium
* debian/patches/alt-cert-chains-*.patch: backport series of upstream
commits to add alternate chains support. This will allow the future
removal of 1024-bit RSA keys from the ca-certificates package.
-- Marc Deslauriers <email address hidden> Fri, 05 Feb 2016 16:14:26 -0500
Available diffs
| Superseded in xenial-release on 2016-03-09 |
| Deleted in xenial-proposed on 2016-03-10 (Reason: moved to release) |
openssl (1.0.2f-2ubuntu1) xenial; urgency=medium
* Merge with Debian, remaining changes.
- Disable SSLv3 without changing ABI:
+ debian/patches/no-sslv3.patch: Disable SSLv3 without using the
no-ssl3-method option
+ debian/rules: don't use no-ssl3-method, don't bump soname
+ debian/patches/engines-path.patch: don't bump soname
+ debian/patches/version-script.patch: don't bump soname
+ debian/patches/soname.patch: removed
+ debian/lib*: don't bump soname
- debian/control: don't enable rfc3779 and cms support for now as it
changes ABI.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* debian/patches/CVE-2016-0701.patch: dropped, upstream.
Available diffs
- diff from 1.0.2e-1ubuntu1 to 1.0.2f-2ubuntu1 (28.6 KiB)
- diff from 1.0.2e-1ubuntu2 to 1.0.2f-2ubuntu1 (31.2 KiB)
| Superseded in xenial-proposed on 2016-02-02 |
openssl (1.0.2e-1ubuntu2) xenial; urgency=medium
* SECURITY UPDATE: DH small subgroups issue
- debian/patches/CVE-2016-0701.patch: add a test for small subgroup
attacks in crypto/dh/dhtest.c, always generate DH keys for ephemeral
DH cipher suites in doc/ssl/SSL_CTX_set_tmp_dh_callback.pod,
ssl/s3_lib.c, ssl/s3_srvr.c, ssl/ssl.h, prevent small subgroup
attacks on DH/DHE in crypto/dh/dh.h, crypto/dh/dh_check.c.
- CVE-2016-0701
-- Marc Deslauriers <email address hidden> Mon, 25 Jan 2016 13:39:46 -0500
Available diffs
openssl (1.0.2d-0ubuntu1.3) wily-security; urgency=medium
* SECURITY UPDATE: DH small subgroups issue
- debian/patches/CVE-2016-0701.patch: add a test for small subgroup
attacks in crypto/dh/dhtest.c, always generate DH keys for ephemeral
DH cipher suites in doc/ssl/SSL_CTX_set_tmp_dh_callback.pod,
ssl/s3_lib.c, ssl/s3_srvr.c, ssl/ssl.h, prevent small subgroup
attacks on DH/DHE in crypto/dh/dh.h, crypto/dh/dh_check.c.
- CVE-2016-0701
-- Marc Deslauriers <email address hidden> Mon, 25 Jan 2016 13:32:19 -0500
Available diffs
openssl (1.0.1-4ubuntu5.33) precise-security; urgency=medium
* SECURITY UPDATE: incorrect RSA+MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: disable RSA+MD5 when using TLS
1.2 in ssl/t1_lib.c.
- CVE-2015-7575
-- Marc Deslauriers <email address hidden> Thu, 07 Jan 2016 09:27:55 -0500
Available diffs
| Superseded in xenial-release on 2016-02-04 |
| Deleted in xenial-proposed on 2016-02-05 (Reason: moved to release) |
openssl (1.0.2e-1ubuntu1) xenial; urgency=medium
* Merge with Debian, remaining changes.
- Disable SSLv3 without changing ABI:
+ debian/patches/no-sslv3.patch: Disable SSLv3 without using the
no-ssl3-method option
+ debian/rules: don't use no-ssl3-method, don't bump soname
+ debian/patches/engines-path.patch: don't bump soname
+ debian/patches/version-script.patch: don't bump soname
+ debian/patches/soname.patch: removed
+ debian/lib*: don't bump soname
- debian/control: don't enable rfc3779 and cms support for now as it
changes ABI.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
Available diffs
- diff from 1.0.2d-0ubuntu2 to 1.0.2e-1ubuntu1 (438.2 KiB)
openssl (1.0.2d-0ubuntu1.2) wily-security; urgency=medium
* SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
- debian/patches/CVE-2015-3193.patch: fix carry propagating bug in
crypto/bn/asm/x86_64-mont5.pl, added test to crypto/bn/bntest.c.
- CVE-2015-3193
* SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
* SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
crypto/asn1/tasn_dec.c.
- CVE-2015-3195
* SECURITY UPDATE: Anon DH ServerKeyExchange with 0 p parameter
- debian/patches/CVE-2015-1794.patch: fix segfault with 0 p val and
check for 0 modulus in crypto/bn/bn_mont.c, ssl/s3_clnt.c.
- CVE-2015-1794
-- Marc Deslauriers <email address hidden> Fri, 04 Dec 2015 11:14:44 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium
* SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
* SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
crypto/asn1/tasn_dec.c.
- CVE-2015-3195
* SECURITY UPDATE: Race condition handling PSK identify hint
- debian/patches/CVE-2015-3196.patch: fix PSK handling in
ssl/s3_clnt.c, ssl/s3_srvr.c.
- CVE-2015-3196
-- Marc Deslauriers <email address hidden> Fri, 04 Dec 2015 08:20:52 -0500
Available diffs
openssl (1.0.1-4ubuntu5.32) precise-security; urgency=medium
* SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
* SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
crypto/asn1/tasn_dec.c.
- CVE-2015-3195
* SECURITY UPDATE: Race condition handling PSK identify hint
- debian/patches/CVE-2015-3196.patch: fix PSK handling in
ssl/s3_clnt.c, ssl/s3_srvr.c.
- CVE-2015-3196
-- Marc Deslauriers <email address hidden> Fri, 04 Dec 2015 08:22:09 -0500
Available diffs
openssl (1.0.1f-1ubuntu11.5) vivid-security; urgency=medium
* SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
* SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
crypto/asn1/tasn_dec.c.
- CVE-2015-3195
* SECURITY UPDATE: Race condition handling PSK identify hint
- debian/patches/CVE-2015-3196.patch: fix PSK handling in
ssl/s3_clnt.c, ssl/s3_srvr.c.
- CVE-2015-3196
-- Marc Deslauriers <email address hidden> Fri, 04 Dec 2015 07:54:50 -0500
Available diffs
| Superseded in xenial-release on 2015-12-07 |
| Deleted in xenial-proposed on 2015-12-08 (Reason: moved to release) |
openssl (1.0.2d-0ubuntu2) xenial; urgency=medium
* debian/patches/no-sslv3.patch: Disable SSLv3 without using the
no-ssl3-method option, as that changes ABI and we don't want to break
compatibility with third party applications and applications built for
older versions of Ubuntu, especially for an LTS release.
-- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 17:37:38 -0500
Available diffs
| Superseded in xenial-release on 2015-11-13 |
| Published in wily-release on 2015-07-15 |
| Deleted in wily-proposed (Reason: moved to release) |
openssl (1.0.2d-0ubuntu1) wily; urgency=medium
* SECURITY UPDATE: alternative chains certificate forgery
- Updated to new upstream version
- CVE-2015-1793
-- Marc Deslauriers <email address hidden> Thu, 09 Jul 2015 09:27:48 -0400
Available diffs
- diff from 1.0.2c-1ubuntu1 to 1.0.2d-0ubuntu1 (30.4 KiB)
| Superseded in wily-release on 2015-07-15 |
| Deleted in wily-proposed on 2015-07-16 (Reason: moved to release) |
openssl (1.0.2c-1ubuntu1) wily; urgency=medium
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
Available diffs
- diff from 1.0.2a-1ubuntu1 to 1.0.2c-1ubuntu1 (104.5 KiB)
openssl (1.0.1f-1ubuntu2.15) trusty-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
- debian/patches/reject_small_dh.patch: reject small dh keys in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, update documentation in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod, make s_server use 2048-bit
dh in apps/s_server.c, clarify docs in doc/apps/dhparam.pod.
* SECURITY UPDATE: denial of service and possible code execution via
invalid free in DTLS
- debian/patches/CVE-2014-8176.patch: fix invalid free in ssl/d1_lib.c.
- CVE-2014-8176
* SECURITY UPDATE: denial of service via malformed ECParameters
- debian/patches/CVE-2015-1788.patch: improve logic in
crypto/bn/bn_gf2m.c.
- CVE-2015-1788
* SECURITY UPDATE: denial of service via out-of-bounds read in
X509_cmp_time
- debian/patches/CVE-2015-1789.patch: properly parse time format in
crypto/x509/x509_vfy.c.
- CVE-2015-1789
* SECURITY UPDATE: denial of service via missing EnvelopedContent
- debian/patches/CVE-2015-1790.patch: handle NULL data_body in
crypto/pkcs7/pk7_doit.c.
- CVE-2015-1790
* SECURITY UPDATE: race condition in NewSessionTicket
- debian/patches/CVE-2015-1791.patch: create a new session in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, ssl/ssl_locl.h,
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-2.patch: fix kerberos issue in
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-3.patch: more ssl_session_dup fixes in
ssl/ssl_sess.c.
- CVE-2015-1791
* SECURITY UPDATE: CMS verify infinite loop with unknown hash function
- debian/patches/CVE-2015-1792.patch: fix infinite loop in
crypto/cms/cms_smime.c.
- CVE-2015-1792
-- Marc Deslauriers <email address hidden> Thu, 11 Jun 2015 07:34:23 -0400
Available diffs
openssl (1.0.1-4ubuntu5.31) precise-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
- debian/patches/reject_small_dh.patch: reject small dh keys in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, update documentation in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod, make s_server use 2048-bit
dh in apps/s_server.c, clarify docs in doc/apps/dhparam.pod,
switch defaut dh to 2048-bit in apps/dhparam.c, apps/gendh.c.
* SECURITY UPDATE: denial of service and possible code execution via
invalid free in DTLS
- debian/patches/CVE-2014-8176.patch: fix invalid free in ssl/d1_lib.c.
- CVE-2014-8176
* SECURITY UPDATE: denial of service via malformed ECParameters
- debian/patches/CVE-2015-1788.patch: improve logic in
crypto/bn/bn_gf2m.c.
- CVE-2015-1788
* SECURITY UPDATE: denial of service via out-of-bounds read in
X509_cmp_time
- debian/patches/CVE-2015-1789.patch: properly parse time format in
crypto/x509/x509_vfy.c.
- CVE-2015-1789
* SECURITY UPDATE: denial of service via missing EnvelopedContent
- debian/patches/CVE-2015-1790.patch: handle NULL data_body in
crypto/pkcs7/pk7_doit.c.
- CVE-2015-1790
* SECURITY UPDATE: race condition in NewSessionTicket
- debian/patches/CVE-2015-1791.patch: create a new session in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, ssl/ssl_locl.h,
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-2.patch: fix kerberos issue in
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-3.patch: more ssl_session_dup fixes in
ssl/ssl_sess.c.
- CVE-2015-1791
* SECURITY UPDATE: CMS verify infinite loop with unknown hash function
- debian/patches/CVE-2015-1792.patch: fix infinite loop in
crypto/cms/cms_smime.c.
- CVE-2015-1792
-- Marc Deslauriers <email address hidden> Thu, 11 Jun 2015 07:35:48 -0400
Available diffs
openssl (1.0.1f-1ubuntu9.8) utopic-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
- debian/patches/reject_small_dh.patch: reject small dh keys in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, update documentation in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod, make s_server use 2048-bit
dh in apps/s_server.c, clarify docs in doc/apps/dhparam.pod.
* SECURITY UPDATE: denial of service and possible code execution via
invalid free in DTLS
- debian/patches/CVE-2014-8176.patch: fix invalid free in ssl/d1_lib.c.
- CVE-2014-8176
* SECURITY UPDATE: denial of service via malformed ECParameters
- debian/patches/CVE-2015-1788.patch: improve logic in
crypto/bn/bn_gf2m.c.
- CVE-2015-1788
* SECURITY UPDATE: denial of service via out-of-bounds read in
X509_cmp_time
- debian/patches/CVE-2015-1789.patch: properly parse time format in
crypto/x509/x509_vfy.c.
- CVE-2015-1789
* SECURITY UPDATE: denial of service via missing EnvelopedContent
- debian/patches/CVE-2015-1790.patch: handle NULL data_body in
crypto/pkcs7/pk7_doit.c.
- CVE-2015-1790
* SECURITY UPDATE: race condition in NewSessionTicket
- debian/patches/CVE-2015-1791.patch: create a new session in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, ssl/ssl_locl.h,
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-2.patch: fix kerberos issue in
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-3.patch: more ssl_session_dup fixes in
ssl/ssl_sess.c.
- CVE-2015-1791
* SECURITY UPDATE: CMS verify infinite loop with unknown hash function
- debian/patches/CVE-2015-1792.patch: fix infinite loop in
crypto/cms/cms_smime.c.
- CVE-2015-1792
-- Marc Deslauriers <email address hidden> Thu, 11 Jun 2015 07:12:10 -0400
Available diffs
openssl (1.0.1f-1ubuntu11.4) vivid-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
- debian/patches/reject_small_dh.patch: reject small dh keys in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, update documentation in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod, make s_server use 2048-bit
dh in apps/s_server.c, clarify docs in doc/apps/dhparam.pod.
* SECURITY UPDATE: denial of service and possible code execution via
invalid free in DTLS
- debian/patches/CVE-2014-8176.patch: fix invalid free in ssl/d1_lib.c.
- CVE-2014-8176
* SECURITY UPDATE: denial of service via malformed ECParameters
- debian/patches/CVE-2015-1788.patch: improve logic in
crypto/bn/bn_gf2m.c.
- CVE-2015-1788
* SECURITY UPDATE: denial of service via out-of-bounds read in
X509_cmp_time
- debian/patches/CVE-2015-1789.patch: properly parse time format in
crypto/x509/x509_vfy.c.
- CVE-2015-1789
* SECURITY UPDATE: denial of service via missing EnvelopedContent
- debian/patches/CVE-2015-1790.patch: handle NULL data_body in
crypto/pkcs7/pk7_doit.c.
- CVE-2015-1790
* SECURITY UPDATE: race condition in NewSessionTicket
- debian/patches/CVE-2015-1791.patch: create a new session in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, ssl/ssl_locl.h,
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-2.patch: fix kerberos issue in
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-3.patch: more ssl_session_dup fixes in
ssl/ssl_sess.c.
- CVE-2015-1791
* SECURITY UPDATE: CMS verify infinite loop with unknown hash function
- debian/patches/CVE-2015-1792.patch: fix infinite loop in
crypto/cms/cms_smime.c.
- CVE-2015-1792
-- Marc Deslauriers <email address hidden> Thu, 11 Jun 2015 07:10:41 -0400
Available diffs
openssl (1.0.1-4ubuntu5.28) precise-security; urgency=medium
* SECURITY IMPROVEMENT: Disable EXPORT ciphers by default
- debian/patches/disable_export_ciphers.patch: remove export ciphers
from the DEFAULT cipher list in ssl/ssl.h, ssl/ssl_ciph.c,
doc/apps/ciphers.pod.
-- Marc Deslauriers <email address hidden> Thu, 28 May 2015 08:58:31 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.12) trusty-security; urgency=medium
* SECURITY IMPROVEMENT: Disable EXPORT ciphers by default
- debian/patches/disable_export_ciphers.patch: remove export ciphers
from the DEFAULT cipher list in ssl/ssl.h, ssl/ssl_ciph.c,
doc/apps/ciphers.pod.
-- Marc Deslauriers <email address hidden> Thu, 28 May 2015 08:58:02 -0400
Available diffs
openssl (1.0.1f-1ubuntu9.5) utopic-security; urgency=medium
* SECURITY IMPROVEMENT: Disable EXPORT ciphers by default
- debian/patches/disable_export_ciphers.patch: remove export ciphers
from the DEFAULT cipher list in ssl/ssl.h, ssl/ssl_ciph.c,
doc/apps/ciphers.pod.
-- Marc Deslauriers <email address hidden> Thu, 28 May 2015 08:57:29 -0400
Available diffs
openssl (1.0.1f-1ubuntu11.1) vivid-security; urgency=medium
* SECURITY IMPROVEMENT: Disable EXPORT ciphers by default
- debian/patches/disable_export_ciphers.patch: remove export ciphers
from the DEFAULT cipher list in ssl/ssl.h, ssl/ssl_ciph.c,
doc/apps/ciphers.pod.
-- Marc Deslauriers <email address hidden> Thu, 28 May 2015 08:51:23 -0400
Available diffs
- diff from 1.0.1-4ubuntu5.26 to 1.0.1f-1ubuntu11.1 (pending)
| Superseded in wily-release on 2015-06-15 |
| Deleted in wily-proposed on 2015-06-16 (Reason: moved to release) |
openssl (1.0.2a-1ubuntu1) wily; urgency=medium
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* Dropped patches included in new version:
- ppc64-support.patch, CVE-2014-0076.patch, CVE-2014-0160.patch,
CVE-2010-5298.patch, CVE-2014-0198.patch, CVE-2014-0195.patch,
CVE-2014-0221.patch, CVE-2014-0224-1.patch, CVE-2014-0224-2.patch,
CVE-2014-3470.patch, CVE-2014-0224-3.patch,
CVE-2014-0224-regression.patch, CVE-2014-0224-regression2.patch,
CVE-2014-3505.patch, CVE-2014-3506.patch, CVE-2014-3507.patch,
CVE-2014-3508.patch, CVE-2014-3509.patch, CVE-2014-3510.patch,
CVE-2014-3511.patch, CVE-2014-3512.patch, CVE-2014-5139.patch,
power8-optimisations.patch, tls_fallback_scsv_support.patch,
CVE-2014-3513.patch, CVE-2014-3567.patch, CVE-2014-3568.patch,
CVE-2014-3569.patch, CVE-2014-3570.patch, CVE-2014-3571-1.patch,
CVE-2014-3571-2.patch, CVE-2014-3572.patch, CVE-2014-8275.patch,
CVE-2015-0204.patch, CVE-2015-0205.patch, CVE-2015-0206.patch,
CVE-2015-0209.patch, CVE-2015-0286.patch, CVE-2015-0287.patch,
CVE-2015-0288.patch, CVE-2015-0289.patch, CVE-2015-0292.patch,
CVE-2015-0293.patch, CVE-2015-0209-2.patch, CVE-2015-0293-2.patch
Available diffs
openssl (1.0.1-4ubuntu5.27) precise-security; urgency=medium
* debian/patches/tls12_client_env.patch: Re-enable TLSv1.2 support on the
client by default. For problematic setups, it can be disabled again by
setting OPENSSL_NO_CLIENT_TLS1_2 in the environment during library
initialization. (LP: #1442970)
-- Marc Deslauriers <email address hidden> Mon, 27 Apr 2015 13:13:18 -0400
Available diffs
openssl (1.0.1-4ubuntu5.25) precise-security; urgency=medium
* SECURITY UPDATE: denial of service and possible memory corruption via
malformed EC private key
- debian/patches/CVE-2015-0209.patch: fix use after free in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
- CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
- debian/patches/CVE-2015-0286.patch: handle boolean types in
crypto/asn1/a_type.c.
- CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
- debian/patches/CVE-2015-0287.patch: free up structures in
crypto/asn1/tasn_dec.c.
- CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
- debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
crypto/x509/x509_req.c.
- CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
PKCS#7 parsing
- debian/patches/CVE-2015-0289.patch: handle missing content in
crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
- CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
decoding
- debian/patches/CVE-2015-0292.patch: prevent underflow in
crypto/evp/encode.c.
- CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
- debian/patches/CVE-2015-0293.patch: check key lengths in
ssl/s2_lib.c, ssl/s2_srvr.c.
- debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
ssl/s2_srvr.c.
- CVE-2015-0293
-- Marc Deslauriers <email address hidden> Thu, 19 Mar 2015 10:03:00 -0400
Available diffs
openssl (0.9.8k-7ubuntu8.27) lucid-security; urgency=medium
* SECURITY UPDATE: denial of service and possible memory corruption via
malformed EC private key
- debian/patches/CVE-2015-0209.patch: fix use after free in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
- CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
- debian/patches/CVE-2015-0286.patch: handle boolean types in
crypto/asn1/a_type.c.
- CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
- debian/patches/CVE-2015-0287.patch: free up structures in
crypto/asn1/tasn_dec.c.
- CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
- debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
crypto/x509/x509_req.c.
- CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
PKCS#7 parsing
- debian/patches/CVE-2015-0289.patch: handle missing content in
crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
- CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
decoding
- debian/patches/CVE-2015-0292.patch: prevent underflow in
crypto/evp/encode.c.
- CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
- debian/patches/CVE-2015-0293.patch: check key lengths in
ssl/s2_lib.c, ssl/s2_srvr.c.
- debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
ssl/s2_srvr.c.
- CVE-2015-0293
-- Marc Deslauriers <email address hidden> Thu, 19 Mar 2015 09:57:59 -0400
Available diffs
openssl (1.0.1f-1ubuntu2.11) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service and possible memory corruption via
malformed EC private key
- debian/patches/CVE-2015-0209.patch: fix use after free in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
- CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
- debian/patches/CVE-2015-0286.patch: handle boolean types in
crypto/asn1/a_type.c.
- CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
- debian/patches/CVE-2015-0287.patch: free up structures in
crypto/asn1/tasn_dec.c.
- CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
- debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
crypto/x509/x509_req.c.
- CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
PKCS#7 parsing
- debian/patches/CVE-2015-0289.patch: handle missing content in
crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
- CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
decoding
- debian/patches/CVE-2015-0292.patch: prevent underflow in
crypto/evp/encode.c.
- CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
- debian/patches/CVE-2015-0293.patch: check key lengths in
ssl/s2_lib.c, ssl/s2_srvr.c.
- debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
ssl/s2_srvr.c.
- CVE-2015-0293
-- Marc Deslauriers <email address hidden> Thu, 19 Mar 2015 10:04:30 -0400
Available diffs
openssl (1.0.1f-1ubuntu9.4) utopic-security; urgency=medium
* SECURITY UPDATE: denial of service and possible memory corruption via
malformed EC private key
- debian/patches/CVE-2015-0209.patch: fix use after free in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
- CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
- debian/patches/CVE-2015-0286.patch: handle boolean types in
crypto/asn1/a_type.c.
- CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
- debian/patches/CVE-2015-0287.patch: free up structures in
crypto/asn1/tasn_dec.c.
- CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
- debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
crypto/x509/x509_req.c.
- CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
PKCS#7 parsing
- debian/patches/CVE-2015-0289.patch: handle missing content in
crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
- CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
decoding
- debian/patches/CVE-2015-0292.patch: prevent underflow in
crypto/evp/encode.c.
- CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
- debian/patches/CVE-2015-0293.patch: check key lengths in
ssl/s2_lib.c, ssl/s2_srvr.c.
- debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
ssl/s2_srvr.c.
- CVE-2015-0293
-- Marc Deslauriers <email address hidden> Thu, 19 Mar 2015 10:05:54 -0400
Available diffs
| 1 → 75 of 308 results | First • Previous • Next • Last |
