Format: 1.8 Date: Wed, 02 Jul 2014 09:13:28 -0400 Source: openssl098 Binary: libssl0.9.8 libssl0.9.8-dbg libcrypto0.9.8-udeb Architecture: i386 Version: 0.9.8o-7ubuntu3.2.14.04.1 Distribution: trusty Urgency: medium Maintainer: Ubuntu/amd64 Build Daemon Changed-By: Marc Deslauriers Description: libcrypto0.9.8-udeb - crypto shared library - udeb (udeb) libssl0.9.8 - SSL shared libraries libssl0.9.8-dbg - Symbol tables for libssl and libcrypto Launchpad-Bugs-Fixed: 1331452 Changes: openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium . [ Louis Bouchard ] * Bring up to date with latest security patches from Ubuntu 10.04: (LP: #1331452) * SECURITY UPDATE: MITM via change cipher spec - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, ssl/ssl3.h. - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master secrets in ssl/s3_pkt.c. - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in ssl/s3_clnt.c. - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after sending finished ssl/s3_clnt.c. - CVE-2014-0224 * SECURITY UPDATE: denial of service via DTLS recursion flaw - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without recursion in ssl/d1_both.c. - CVE-2014-0221 * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS fragments in ssl/d1_both.c. - CVE-2014-0195 * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: massive code changes - CVE-2013-0169 * SECURITY UPDATE: denial of service via invalid OCSP key - debian/patches/CVE-2013-0166.patch: properly handle NULL key in crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. - CVE-2013-0166 * SECURITY UPDATE: denial of service attack in DTLS implementation - debian/patches/CVE_2012-2333.patch: guard for integer overflow before skipping explicit IV - CVE-2012-2333 * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7 - debian/patches/CVE-2012-0884.patch: use a random key if RSA decryption fails to avoid leaking timing information - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto errors in PKCS7_decrypt and initialize tkeylen properly when encrypting CMS messages. - CVE-2012-0884 . [ Marc Deslauriers ] * debian/patches/rehash_pod.patch: updated to fix FTBFS. * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS. Checksums-Sha1: 77a3c139238cc76eb9cf949349fea7bfd53ac43a 684636 libssl0.9.8_0.9.8o-7ubuntu3.2.14.04.1_i386.deb 827d9aad6f1110b305e8e27f261c8b1ee08e9ff3 1296906 libssl0.9.8-dbg_0.9.8o-7ubuntu3.2.14.04.1_i386.deb fcaf25c3a4de47544e75772f3c8fd4e863439fae 496946 libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2.14.04.1_i386.udeb Checksums-Sha256: a2dc94b4b78479ebdeb3c6c1d93b73ab5d6304337d860a5adc0549a830326b81 684636 libssl0.9.8_0.9.8o-7ubuntu3.2.14.04.1_i386.deb bf0e208525862f5850dce57578b01440a80f36da35dc1ac51f98be2b3182a149 1296906 libssl0.9.8-dbg_0.9.8o-7ubuntu3.2.14.04.1_i386.deb bc7b2ee1587ade01404402122aba5e7ad3f3f4745449610154f2f55cc55f648f 496946 libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2.14.04.1_i386.udeb Files: 80bd1a38724d8f3963ce96e8f436006d 684636 libs important libssl0.9.8_0.9.8o-7ubuntu3.2.14.04.1_i386.deb 8e2b9c01fc05a8078c03457a6d2f5b74 1296906 debug extra libssl0.9.8-dbg_0.9.8o-7ubuntu3.2.14.04.1_i386.deb bd90cde072d31856b701190512612d9a 496946 debian-installer optional libcrypto0.9.8-udeb_0.9.8o-7ubuntu3.2.14.04.1_i386.udeb Original-Maintainer: Debian OpenSSL Team Package-Type: udeb