lp://staging/ubuntu/precise-proposed/openssl
- Get this branch:
- bzr branch lp://staging/ubuntu/precise-proposed/openssl
Branch merges
Branch information
Recent revisions
- 84. By Marc Deslauriers
-
* Fix DTLS handshake on amd64 (LP: #1425914)
- debian/patches/ lp1425914. patch: backport upstream patch that fixes
alignment issue causing an assert in ssl/ssl_ciph.c. - 83. By Seth Arnold
-
* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
(LP: #1187195)
- CVE-2012-4929
- debian/patches/ openssl- 1.0.1e- env-zlib. patch: disable default use of
zlib to compress SSL/TLS unless the environment variable
OPENSSL_DEFAULT_ ZLIB is set in the environment during library
initialization.
- Introduced to assist with programs not yet updated to provide their own
controls on compression, such as Postfix
- http://pkgs.fedoraproj ect.org/ cgit/openssl. git/plain/ openssl- 1.0.1e- env-zlib. patch - 82. By Marc Deslauriers
-
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/ CVE-2013- 0169.patch: re-enabled patch and added extra
commits from upstream to fix regression.
- CVE-2013-0169 - 81. By Marc Deslauriers
-
* REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
LP: #1133333)
- debian/patches/ CVE-2013- 0169.patch: disabled for now until fix is
available from upstream. - 80. By Marc Deslauriers
-
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/ CVE-2013- 0166.patch: properly handle NULL key in
crypto/asn1/a_ verify. c, crypto/ ocsp/ocsp_ vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/ CVE-2013- 0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
- Fix included in CVE-2013-0169 patch
- CVE-2012-2686 - 79. By Marc Deslauriers
-
* SECURITY UPDATE: SSL_OP_ALL incorrectly disables TLS 1.1 (LP: #1018998)
- debian/patches/ lp1018998. patch: change SSL_OP_NO_TLSv1_1 from
0x00000400L to 0x10000000L as in 1.0.1b to prevent applications
compiled with SSL_OP_ALL from incorrectly disabling TLS 1.1.
* debian/patches/ lp1020621. patch: Make renegotiation work for TLS 1.2, 1.1
by not using a lower record version client hello workaround if
renegotiating. (LP: #1020621) - 78. By Steve Beattie
-
* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
TLS v1.2 implementation
- debian/patches/ CVE_2012- 2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* debian/patches/ CVE-2012- 0884-extra. patch: initialize tkeylen
properly when encrypting CMS messages. - 77. By Jamie Strandboge
-
* SECURITY UPDATE: fix various overflows
- debian/patches/ CVE-2012- 2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110 - 76. By Colin Watson
-
* Backport more upstream patches to work around TLS 1.2 failures
(LP #965371):
- Do not use record version number > TLS 1.0 in initial client hello:
some (but not all) hanging servers will now work.
- Truncate the number of ciphers sent in the client hello to 50. Most
broken servers should now work.
- Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
sites listed in the above bug and its duplicates still fail if I do that
versus leaving it disabled.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/trusty/openssl