Ubuntu
openssl package

lp://staging/ubuntu/hoary-security/openssl

Hoary (5.04)
hoary-security

Created by James Westby on 2009-12-02 and last modified on 2009-12-02

Get this branch:: bzr branch lp://staging/ubuntu/hoary-security/openssl

Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

No branches dependent on this one.

Related bugs

Link a bug report

Related blueprints

Branch information

Owner:: Ubuntu branches

Review team:: Ubuntu Development Team

Status:: Development

Recent revisions

7. By Martin Pitt on 2006-10-04: * SECURITY UPDATE: Previous update did not completely fix CVE-2006-2940.
* crypto/rsa/rsa_eay.c: Apply max. modulus bits checking to
  RSA_eay_public_decrypt() instead of RSA_eay_private_encrypt(). Thanks to
  Mark J. Cox for noticing!
* crypto/dh/dh_key.c: Fix return value to prevent free'ing an uninit'ed
  pointer.
6. By Martin Pitt on 2006-09-27: * SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
* crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
  an infinite loop in some circumstances. [CVE-2006-2937]
* ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
  handle invalid long cipher list strings. [CVE-2006-3738]
* ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
  avoid client crash with malicious server responses. [CVE-2006-4343]
* Certain types of public key could take disproportionate amounts of time to
  process. Apply patch from Bodo Moeller to impose limits to public key type
  values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
* Updated patch in previous package version to fix a few corner-case
  regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
  were determined to not be necessary).
5. By Martin Pitt on 2006-09-05: * SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
  - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
    applications from incorrectly verifying the certificate.
* References:
  CVE-2006-4339
  http://www.openssl.org/news/secadv_20060905.txt
4. By Martin Pitt on 2005-10-13: * SECURITY UPDATE: Fix cryptographic weakness.
* ssl/s23_srvr.c:
  - When using SSL_OP_MSIE_SSLV2_RSA_PADDING, do not disable the
    protocol-version rollback check, so that a man-in-the-middle cannot
    force a client and server to fall back to the insecure SSL 2.0 protocol.
  - Problem discovered by Yutaka Oiwa.
* References:
  CAN-2005-2969
  http://www.openssl.org/news/secadv_20051011.txt
3. By Christoph Martin <email address hidden> on 2004-12-16: * really fix der_chop. The fix from -1 was not really included (closes:
  #281212)
* still fixes security problem CAN-2004-0975 etc.
  - tempfile raise condition in der_chop
  - Avoid a race condition when CRLs are checked in a multi threaded
    environment.
2. By Christoph Martin <email address hidden> on 2004-05-24: rename -pic.a libraries to _pic.a (closes: #250016)
1. By Christoph Martin <email address hidden> on 2004-05-24: Import upstream version 0.9.7d

Branch metadata

Branch format:: Branch format 7

Repository format:: Bazaar repository format 2a (needs bzr 1.16 or later)

Stacked on:: lp://staging/ubuntu/lucid/openssl

This branch contains Public information

Everyone can see this information.

Subscribers

James Westby

Ubuntuopenssl package