openssl098 0.9.8o-7ubuntu3.2 source package in Ubuntu


openssl098 (0.9.8o-7ubuntu3.2) precise-security; urgency=medium

  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    - errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
 -- Louis Bouchard <email address hidden>   Wed, 18 Jun 2014 12:22:48 +0200

Upload details

Uploaded by:
Louis Bouchard
Sponsored by:
Seth Arnold
Uploaded to:
Original maintainer:
Ubuntu Developers
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Precise updates universe utils
Precise security universe utils


File Size SHA-256 Checksum
openssl098_0.9.8o.orig.tar.gz 3.6 MiB befada1ac3819b1d317df8197b5e82ec768b39d250fcbef81e2b1cb7f165d448
openssl098_0.9.8o-7ubuntu3.2.debian.tar.gz 126.4 KiB d387f488d6155d87d0157cd2fd464df19cd184e636b39ff62e8c4789401f5d50
openssl098_0.9.8o-7ubuntu3.2.dsc 1.8 KiB 926d0e0f1c630436982bcd61ec633251cedcfe27d9c24ab601d13b06d1538c4e

View changes file

Binary packages built by this source

libcrypto0.9.8-udeb: crypto shared library - udeb

 libcrypto shared library.
 Do not install it on a normal system.

libssl0.9.8: SSL shared libraries

 libssl and libcrypto shared libraries needed by programs like
 apache-ssl, telnet-ssl and openssh.
 It is part of the OpenSSL implementation of SSL.

libssl0.9.8-dbg: Symbol tables for libssl and libcrypto

 This package is part of the OpenSSL implementation of SSL.