Format: 1.8 Date: Wed, 18 Jun 2014 12:22:48 +0200 Source: openssl098 Binary: libssl0.9.8 libssl0.9.8-dbg libcrypto0.9.8-udeb Architecture: i386 Version: 0.9.8o-7ubuntu3.2 Distribution: precise Urgency: medium Maintainer: Ubuntu/amd64 Build Daemon Changed-By: Louis Bouchard Description: libcrypto0.9.8-udeb - crypto shared library - udeb (udeb) libssl0.9.8 - SSL shared libraries libssl0.9.8-dbg - Symbol tables for libssl and libcrypto Launchpad-Bugs-Fixed: 1331452 1332643 Changes: openssl098 (0.9.8o-7ubuntu3.2) precise-security; urgency=medium . * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643) - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after sending finished ssl/s3_clnt.c. * Bring up to date with latest security patches from Ubuntu 10.04: (LP: #1331452) * SECURITY UPDATE: MITM via change cipher spec - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, ssl/ssl3.h. - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master secrets in ssl/s3_pkt.c. - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in ssl/s3_clnt.c. - CVE-2014-0224 * SECURITY UPDATE: denial of service via DTLS recursion flaw - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without recursion in ssl/d1_both.c. - CVE-2014-0221 * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS fragments in ssl/d1_both.c. - CVE-2014-0195 * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: massive code changes - CVE-2013-0169 * SECURITY UPDATE: denial of service via invalid OCSP key - debian/patches/CVE-2013-0166.patch: properly handle NULL key in crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. - CVE-2013-0166 * SECURITY UPDATE: denial of service attack in DTLS implementation - debian/patches/CVE_2012-2333.patch: guard for integer overflow before skipping explicit IV - CVE-2012-2333 * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7 - debian/patches/CVE-2012-0884.patch: use a random key if RSA decryption fails to avoid leaking timing information - CVE-2012-0884 * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto - errors in PKCS7_decrypt and initialize tkeylen properly when encrypting CMS messages. Checksums-Sha1: 11cc372b83f48faf2c37a68ec1cb906a27ba5ac5 872098 libssl0.9.8_0.9.8o-7ubuntu3.2_i386.deb 8f3e40d806d72ef83bfd4d2184ca5621d95891cf 1592964 libssl0.9.8-dbg_0.9.8o-7ubuntu3.2_i386.deb 14a7473be69674792b1479d223c8b0e8515165ba 630112 libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2_i386.udeb Checksums-Sha256: d7bcfbfa50962855ce96aa5ed2c1547dcd0a148e7a57d9e58b5dbabb00b5ce5a 872098 libssl0.9.8_0.9.8o-7ubuntu3.2_i386.deb d0292d8bfb2d144afa792e0eed74fff834e8c033a09f1dacc1c05c6a2aaff3b6 1592964 libssl0.9.8-dbg_0.9.8o-7ubuntu3.2_i386.deb 8c16d23179876a163d19901a706f0da03e17076e549257271f66fca5efb0c7dc 630112 libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2_i386.udeb Files: f00a333985a3e23dacc4e492f4453e98 872098 libs important libssl0.9.8_0.9.8o-7ubuntu3.2_i386.deb 6e72e162f076ed22063437e6ce944199 1592964 debug extra libssl0.9.8-dbg_0.9.8o-7ubuntu3.2_i386.deb f3ab555a0b9548a4c3d9c29185b84699 630112 debian-installer optional libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2_i386.udeb Original-Maintainer: Debian OpenSSL Team Package-Type: udeb