lp://staging/ubuntu/feisty-updates/openssl

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

15. By Kees Cook on 2008-05-08

* SECURITY UPDATE: PRNG seeding was not fully operational.
* crypto/rand/md_rand.c: restore upstream code.

14. By Kees Cook on 2007-10-19

* SECURITY UPDATE: DTLS implementation can lead to remote code execution.
* ssl/{ssl_err,d1_both}.c, ssl/{dtls1,ssl}.h: patched inline with upstream
  fixes backported thanks to Ludwig Nussel.
* References
  http://www.openssl.org/news/secadv_20071012.txt
  CVE-2007-4995

13. By Kees Cook on 2007-09-28

[ Jamie Strandboge ]
* SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
  buffer overflow
* ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
  Stephan Hermann
* References:
  CVE-2007-5135
  http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
  Fixes LP: #146269
* Modify Maintainer value to match the DebianMaintainerField
  specification.

[ Kees Cook ]
* SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
* crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
* References
  CVE-2007-3108

12. By Matthias Klose on 2007-03-05

Rebuild for changes in the amd64 toolchain.

11. By Kurt Roeckx on 2006-11-30

* Add German debconf translation. Thanks to
  Johannes Starosta <email address hidden> (Closes: #388108)
* Make c_rehash look for both .pem and .crt files. Also make it support
  files in DER format. Patch by "Yauheni Kaliuta" <email address hidden>
  (Closes: #387089)
* Use & instead of && to check a flag in the X509 policy checking.
  Patch from upstream cvs. (Closes: #397151)
* Also restart slapd for security updates (Closes: #400221)
* Add Romanian debconf translation. Thanks to
  stan ioan-eugen <email address hidden> (Closes: #393507)

10. By Kurt Roeckx on 2006-10-02

Fix patch for CVE-2006-2940, it left ctx unintiliased.

9. By Martin Pitt on 2006-09-27

* SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
* crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
  an infinite loop in some circumstances. [CVE-2006-2937]
* ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
  handle invalid long cipher list strings. [CVE-2006-3738]
* ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
  avoid client crash with malicious server responses. [CVE-2006-4343]
* Certain types of public key could take disproportionate amounts of time to
  process. Apply patch from Bodo Moeller to impose limits to public key type
  values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
* Updated patch in previous package version to fix a few corner-case
  regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
  were determined to not be necessary).

8. By Martin Pitt on 2006-09-05

* SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
  - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
    applications from incorrectly verifying the certificate.
* References:
  CVE-2006-4339
  http://www.openssl.org/news/secadv_20060905.txt

7. By Colin Watson on 2006-07-31

Rebuild with current zlib1g-dev to fix udeb shlibdeps.

6. By Kurt Roeckx on 2006-05-15

* Don't call gcc with -mcpu on i386, we already use -march, so no need for
  -mtune either.
* Always make all directories when building something:
  - The engines directory didn't get build for the static directory, so
    where missing in libcrypo.a
  - The apps directory didn't always get build, so we didn't have an openssl
    and a small part of the regression tests failed.
* Make the package fail to build if the regression tests fail.