Change logs for openssl098 source package in Quantal

  • openssl098 (0.9.8o-7ubuntu3.1) precise-security; urgency=low
      * Bring up to date with latest security patches from Ubuntu 11.04:
        * SECURITY UPDATE: ECDSA private key timing attack
        - debian/patches/CVE-2011-1945.patch: compute with fixed scalar
        - CVE-2011-1945
      * SECURITY UPDATE: ECDH ciphersuite denial of service
        - debian/patches/CVE-2011-3210.patch: fix memory usage for thread
        - CVE-2011-3210
      * SECURITY UPDATE: DTLS plaintext recovery attack
        - debian/patches/CVE-2011-4108.patch: perform all computations
          before discarding messages
        - CVE-2011-4108
      * SECURITY UPDATE: policy check double free vulnerability
        - debian/patches/CVE-2011-4019.patch: only free domain policyin
          one location
        - CVE-2011-4019
      * SECURITY UPDATE: SSL 3.0 block padding exposure
        - debian/patches/CVE-2011-4576.patch: clear bytes used for block
          padding of SSL 3.0 records.
        - CVE-2011-4576
      * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
        - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
          data from triggering an assertion failure
        - CVE-2011-4577
      * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
        - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
          restart for SSL/TLS.
        - CVE-2011-4619
      * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
        - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
        - CVE-2012-0050
      * SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
        - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
          and mime_param_cmp() to not dereference the compared strings if either
          is NULL
        - CVE-2006-7250
        - CVE-2012-1165
      * SECURITY UPDATE: fix various overflows
        - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
          crypto/buffer.c and crypto/mem.c to verify size of lengths
        - CVE-2012-2110
      * SECURITY UPDATE: incomplete fix for CVE-2012-2110
        - debian/patches/CVE-2012-2131.patch: also verify 'len' in BUF_MEM_grow
          and BUF_MEM_grow_clean is non-negative
        - CVE-2012-2131
      * debian/patches/CVE-2012-2110b.patch: Use correct error code in
     -- Jamie Strandboge <email address hidden>   Tue, 24 Apr 2012 10:06:47 -0500
  • openssl098 (0.9.8o-7ubuntu2) precise; urgency=low
      * Convert to multiarch.
     -- Evan Broder <email address hidden>   Sat, 10 Dec 2011 03:24:19 -0800