Change logs for openssl098 source package in Utopic
-
openssl098 (0.9.8o-7ubuntu4) utopic; urgency=medium [ Louis Bouchard ] * Bring up to date with latest security patches from Ubuntu 10.04: (LP: #1331452) * SECURITY UPDATE: MITM via change cipher spec - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, ssl/ssl3.h. - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master secrets in ssl/s3_pkt.c. - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in ssl/s3_clnt.c. - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after sending finished ssl/s3_clnt.c. - CVE-2014-0224 * SECURITY UPDATE: denial of service via DTLS recursion flaw - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without recursion in ssl/d1_both.c. - CVE-2014-0221 * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS fragments in ssl/d1_both.c. - CVE-2014-0195 * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: massive code changes - CVE-2013-0169 * SECURITY UPDATE: denial of service via invalid OCSP key - debian/patches/CVE-2013-0166.patch: properly handle NULL key in crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. - CVE-2013-0166 * SECURITY UPDATE: denial of service attack in DTLS implementation - debian/patches/CVE_2012-2333.patch: guard for integer overflow before skipping explicit IV - CVE-2012-2333 * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7 - debian/patches/CVE-2012-0884.patch: use a random key if RSA decryption fails to avoid leaking timing information - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto errors in PKCS7_decrypt and initialize tkeylen properly when encrypting CMS messages. - CVE-2012-0884 [ Marc Deslauriers ] * debian/patches/rehash_pod.patch: updated to fix FTBFS. * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS. -- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:16:49 -0400
-
openssl098 (0.9.8o-7ubuntu3.1) precise-security; urgency=low * Bring up to date with latest security patches from Ubuntu 11.04: * SECURITY UPDATE: ECDSA private key timing attack - debian/patches/CVE-2011-1945.patch: compute with fixed scalar length - CVE-2011-1945 * SECURITY UPDATE: ECDH ciphersuite denial of service - debian/patches/CVE-2011-3210.patch: fix memory usage for thread safety - CVE-2011-3210 * SECURITY UPDATE: DTLS plaintext recovery attack - debian/patches/CVE-2011-4108.patch: perform all computations before discarding messages - CVE-2011-4108 * SECURITY UPDATE: policy check double free vulnerability - debian/patches/CVE-2011-4019.patch: only free domain policyin one location - CVE-2011-4019 * SECURITY UPDATE: SSL 3.0 block padding exposure - debian/patches/CVE-2011-4576.patch: clear bytes used for block padding of SSL 3.0 records. - CVE-2011-4576 * SECURITY UPDATE: malformed RFC 3779 data denial of service attack - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779 data from triggering an assertion failure - CVE-2011-4577 * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake restart for SSL/TLS. - CVE-2011-4619 * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC - CVE-2012-0050 * SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken headers - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp() and mime_param_cmp() to not dereference the compared strings if either is NULL - CVE-2006-7250 - CVE-2012-1165 * SECURITY UPDATE: fix various overflows - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c, crypto/buffer.c and crypto/mem.c to verify size of lengths - CVE-2012-2110 * SECURITY UPDATE: incomplete fix for CVE-2012-2110 - debian/patches/CVE-2012-2131.patch: also verify 'len' in BUF_MEM_grow and BUF_MEM_grow_clean is non-negative - CVE-2012-2131 * debian/patches/CVE-2012-2110b.patch: Use correct error code in BUF_MEM_grow_clean() -- Jamie Strandboge <email address hidden> Tue, 24 Apr 2012 10:06:47 -0500