lp://staging/ubuntu/feisty-updates/openssl

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/feisty-updates/openssl
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

15. By Kees Cook

* SECURITY UPDATE: PRNG seeding was not fully operational.
* crypto/rand/md_rand.c: restore upstream code.

14. By Kees Cook

* SECURITY UPDATE: DTLS implementation can lead to remote code execution.
* ssl/{ssl_err,d1_both}.c, ssl/{dtls1,ssl}.h: patched inline with upstream
  fixes backported thanks to Ludwig Nussel.
* References
  http://www.openssl.org/news/secadv_20071012.txt
  CVE-2007-4995

13. By Kees Cook

[ Jamie Strandboge ]
* SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
  buffer overflow
* ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
  Stephan Hermann
* References:
  CVE-2007-5135
  http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
  Fixes LP: #146269
* Modify Maintainer value to match the DebianMaintainerField
  specification.

[ Kees Cook ]
* SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
* crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
* References
  CVE-2007-3108

12. By Matthias Klose

Rebuild for changes in the amd64 toolchain.

11. By Kurt Roeckx

* Add German debconf translation. Thanks to
  Johannes Starosta <email address hidden> (Closes: #388108)
* Make c_rehash look for both .pem and .crt files. Also make it support
  files in DER format. Patch by "Yauheni Kaliuta" <email address hidden>
  (Closes: #387089)
* Use & instead of && to check a flag in the X509 policy checking.
  Patch from upstream cvs. (Closes: #397151)
* Also restart slapd for security updates (Closes: #400221)
* Add Romanian debconf translation. Thanks to
  stan ioan-eugen <email address hidden> (Closes: #393507)

10. By Kurt Roeckx

Fix patch for CVE-2006-2940, it left ctx unintiliased.

9. By Martin Pitt

* SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
* crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
  an infinite loop in some circumstances. [CVE-2006-2937]
* ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
  handle invalid long cipher list strings. [CVE-2006-3738]
* ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
  avoid client crash with malicious server responses. [CVE-2006-4343]
* Certain types of public key could take disproportionate amounts of time to
  process. Apply patch from Bodo Moeller to impose limits to public key type
  values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
* Updated patch in previous package version to fix a few corner-case
  regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
  were determined to not be necessary).

8. By Martin Pitt

* SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
  - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
    applications from incorrectly verifying the certificate.
* References:
  CVE-2006-4339
  http://www.openssl.org/news/secadv_20060905.txt

7. By Colin Watson

Rebuild with current zlib1g-dev to fix udeb shlibdeps.

6. By Kurt Roeckx

* Don't call gcc with -mcpu on i386, we already use -march, so no need for
  -mtune either.
* Always make all directories when building something:
  - The engines directory didn't get build for the static directory, so
    where missing in libcrypo.a
  - The apps directory didn't always get build, so we didn't have an openssl
    and a small part of the regression tests failed.
* Make the package fail to build if the regression tests fail.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/lucid/openssl
This branch contains Public information 
Everyone can see this information.

Subscribers