Format: 1.8
Date: Wed, 18 Jun 2014 12:22:48 +0200
Source: openssl098
Binary: libssl0.9.8 libssl0.9.8-dbg libcrypto0.9.8-udeb
Architecture: armhf
Version: 0.9.8o-7ubuntu3.2
Distribution: precise
Urgency: medium
Maintainer: Ubuntu/armhf Build Daemon
Changed-By: Louis Bouchard
Description:
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
Launchpad-Bugs-Fixed: 1331452 1332643
Changes:
 openssl098 (0.9.8o-7ubuntu3.2) precise-security; urgency=medium
 .
   * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
     - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
       sending finished ssl/s3_clnt.c.
   * Bring up to date with latest security patches from Ubuntu 10.04:
     (LP: #1331452)
   * SECURITY UPDATE: MITM via change cipher spec
     - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
       when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
       ssl/ssl3.h.
     - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
       secrets in ssl/s3_pkt.c.
     - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
       ssl/s3_clnt.c.
     - CVE-2014-0224
   * SECURITY UPDATE: denial of service via DTLS recursion flaw
     - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
       recursion in ssl/d1_both.c.
     - CVE-2014-0221
   * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
     - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
       fragments in ssl/d1_both.c.
     - CVE-2014-0195
   * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
     - debian/patches/CVE-2013-0169.patch: massive code changes
     - CVE-2013-0169
   * SECURITY UPDATE: denial of service via invalid OCSP key
     - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
       crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
     - CVE-2013-0166
   * SECURITY UPDATE: denial of service attack in DTLS implementation
     - debian/patches/CVE_2012-2333.patch: guard for integer overflow
       before skipping explicit IV
     - CVE-2012-2333
   * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
     - debian/patches/CVE-2012-0884.patch: use a random key if RSA
       decryption fails to avoid leaking timing information
     - CVE-2012-0884
   * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
     - errors in PKCS7_decrypt and initialize tkeylen properly when
       encrypting CMS messages.
Original-Maintainer: Debian OpenSSL Team
Package-Type: udeb