Format: 1.7
Date: Thu, 11 Jun 2009 10:26:30 -0400
Source: openssl
Binary: openssl openssl-doc libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: hppa_translations hppa
Version: 0.9.8g-4ubuntu3.7
Distribution: hardy
Urgency: low
Maintainer: Ubuntu/hppa Build Daemon
Changed-By: Marc Deslauriers
Description:
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
 openssl-doc - Secure Socket Layer (SSL) documentation
Changes:
 openssl (0.9.8g-4ubuntu3.7) hardy-security; urgency=low
 .
   * SECURITY UPDATE: denial of service via memory consumption from large
     number of future epoch DTLS records.
     - crypto/pqueue.*: add new pqueue_size counter function.
     - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
     - http://cvs.openssl.org/chngview?cn=18187
     - CVE-2009-1377
   * SECURITY UPDATE: denial of service via memory consumption from
     duplicate or invalid sequence numbers in DTLS records.
     - ssl/d1_both.c: discard message if it's a duplicate or too far in
       the future.
     - http://marc.info/?l=openssl-dev&m=124263491424212&w=2
     - CVE-2009-1378
   * SECURITY UPDATE: denial of service or other impact via use-after-free
     in dtls1_retrieve_buffered_fragment.
     - ssl/d1_both.c: use temp frag_len instead of freed frag.
     - http://rt.openssl.org/Ticket/Display.html?id=1923
     - CVE-2009-1379
   * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
     that occurs before ClientHello.
     - ssl/s3_pkt.c: abort if s->session is NULL.
     - ssl/{ssl.h,ssl_err.c}: add new error codes.
     - http://cvs.openssl.org/chngview?cn=17369
     - CVE-2009-1386
   * SECURITY UPDATE: denial of service via an out-of-sequence DTLS
     handshake message.
     - ssl/d1_both.c: don't buffer fragments with no data.
     - http://cvs.openssl.org/chngview?cn=17958
     - CVE-2009-1387
Files:
 d0ea1ebf2d62823a9b4bffa73a78b168 17315 raw-translations - openssl_0.9.8g-4ubuntu3.7_hppa_translations.tar.gz
 2f8fd71f8ed9e7a6d111d0656e8a37c8 402102 utils optional openssl_0.9.8g-4ubuntu3.7_hppa.deb
 c13f36d7e9a853258298a3fa4f57ed61 954882 libs important libssl0.9.8_0.9.8g-4ubuntu3.7_hppa.deb
 f7bcd109826ace9e97f91649a3de46fc 628210 debian-installer optional libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_hppa.udeb
 85464ec1f2e7d54d85847fd48c1b60ba 2125654 libdevel optional libssl-dev_0.9.8g-4ubuntu3.7_hppa.deb
 60083a111649fe665c43b68731b047f9 1522764 libdevel extra libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_hppa.deb
Original-Maintainer: Debian OpenSSL Team
Package-Type: udeb