lp://staging/ubuntu/precise-proposed/openssl

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp://staging/ubuntu/precise-proposed/openssl

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

84. By Marc Deslauriers

* Fix DTLS handshake on amd64 (LP: #1425914)
  - debian/patches/lp1425914.patch: backport upstream patch that fixes
    alignment issue causing an assert in ssl/ssl_ciph.c.

83. By Seth Arnold

* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
  (LP: #1187195)
  - CVE-2012-4929
  - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
    zlib to compress SSL/TLS unless the environment variable
    OPENSSL_DEFAULT_ZLIB is set in the environment during library
    initialization.
  - Introduced to assist with programs not yet updated to provide their own
    controls on compression, such as Postfix
  - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

82. By Marc Deslauriers

* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
    commits from upstream to fix regression.
  - CVE-2013-0169

81. By Marc Deslauriers

* REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
  LP: #1133333)
  - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
    available from upstream.

80. By Marc Deslauriers

* SECURITY UPDATE: denial of service via invalid OCSP key
  - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
    crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
  - CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: massive code changes
  - CVE-2013-0169
* SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
  - Fix included in CVE-2013-0169 patch
  - CVE-2012-2686

79. By Marc Deslauriers

* SECURITY UPDATE: SSL_OP_ALL incorrectly disables TLS 1.1 (LP: #1018998)
  - debian/patches/lp1018998.patch: change SSL_OP_NO_TLSv1_1 from
    0x00000400L to 0x10000000L as in 1.0.1b to prevent applications
    compiled with SSL_OP_ALL from incorrectly disabling TLS 1.1.
* debian/patches/lp1020621.patch: Make renegotiation work for TLS 1.2, 1.1
  by not using a lower record version client hello workaround if
  renegotiating. (LP: #1020621)

78. By Steve Beattie

* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
  TLS v1.2 implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
  properly when encrypting CMS messages.

77. By Jamie Strandboge

* SECURITY UPDATE: fix various overflows
  - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
    crypto/buffer.c and crypto/mem.c to verify size of lengths
  - CVE-2012-2110

76. By Colin Watson

* Backport more upstream patches to work around TLS 1.2 failures
  (LP #965371):
  - Do not use record version number > TLS 1.0 in initial client hello:
    some (but not all) hanging servers will now work.
  - Truncate the number of ciphers sent in the client hello to 50. Most
    broken servers should now work.
  - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
  sites listed in the above bug and its duplicates still fail if I do that
  versus leaving it disabled.

75. By Colin Watson

releasing version 1.0.1-4ubuntu1

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp://staging/ubuntu/trusty/openssl
This branch contains Public information 
Everyone can see this information.
