Format: 1.7
Date: Thu, 11 Jun 2009 10:26:30 -0400
Source: openssl
Binary: openssl openssl-doc libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: ia64_translations ia64
Version: 0.9.8g-4ubuntu3.7
Distribution: hardy
Urgency: low
Maintainer: Ubuntu/ia64 Build Daemon <buildd@hooker.buildd>
Changed-By: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
 openssl-doc - Secure Socket Layer (SSL) documentation
Changes: 
 openssl (0.9.8g-4ubuntu3.7) hardy-security; urgency=low
 .
   * SECURITY UPDATE: denial of service via memory consumption from large
     number of future epoch DTLS records.
     - crypto/pqueue.*: add new pqueue_size counter function.
     - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
     - http://cvs.openssl.org/chngview?cn=18187
     - CVE-2009-1377
   * SECURITY UPDATE: denial of service via memory consumption from
     duplicate or invalid sequence numbers in DTLS records.
     - ssl/d1_both.c: discard message if it's a duplicate or too far in the
       future.
     - http://marc.info/?l=openssl-dev&m=124263491424212&w=2
     - CVE-2009-1378
   * SECURITY UPDATE: denial of service or other impact via use-after-free
     in dtls1_retrieve_buffered_fragment.
     - ssl/d1_both.c: use temp frag_len instead of freed frag.
     - http://rt.openssl.org/Ticket/Display.html?id=1923
     - CVE-2009-1379
   * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
     that occurs before ClientHello.
     - ssl/s3_pkt.c: abort if s->session is NULL.
     - ssl/{ssl.h,ssl_err.c}: add new error codes.
     - http://cvs.openssl.org/chngview?cn=17369
     - CVE-2009-1386
   * SECURITY UPDATE: denial of service via an out-of-sequence DTLS
     handshake message.
     - ssl/d1_both.c: don't buffer fragments with no data.
     - http://cvs.openssl.org/chngview?cn=17958
     - CVE-2009-1387
Files: 
 d70c2a3e7d278355cfa323d2bcea0f5c 17360 raw-translations - openssl_0.9.8g-4ubuntu3.7_ia64_translations.tar.gz
 c6df9cc3c6cb77c82ac366d2c76d1dae 468198 utils optional openssl_0.9.8g-4ubuntu3.7_ia64.deb
 9dfe897163373c084e225f9b2e419e52 1233382 libs important libssl0.9.8_0.9.8g-4ubuntu3.7_ia64.deb
 494a1707a2385dc11330aa8f43692794 827644 debian-installer optional libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_ia64.udeb
 b1f792dc17f8ea8a407b3a23ca8bc430 2483502 libdevel optional libssl-dev_0.9.8g-4ubuntu3.7_ia64.deb
 3917aa0f043ed12bbb8b2c61adc57af7 1510278 libdevel extra libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_ia64.deb
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Package-Type: udeb