lp://staging/ubuntu/quantal-security/openssl

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp://staging/ubuntu/quantal-security/openssl
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

92. By Marc Deslauriers

* SECURITY UPDATE: denial of service via use after free
  - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
    releasing buffers in ssl/s3_pkt.c.
  - CVE-2010-5298
* SECURITY UPDATE: denial of service via null pointer dereference
  - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
    one in ssl/s3_pkt.c.
  - CVE-2014-0198

91. By Marc Deslauriers

* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
  - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
    crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
    util/libeay.num.
  - CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
  - debian/patches/CVE-2014-0160.patch: use correct lengths in
    ssl/d1_both.c, ssl/t1_lib.c.
  - CVE-2014-0160

90. By Marc Deslauriers

* SECURITY UPDATE: denial of service via invalid TLS handshake
  - debian/patches/CVE-2013-4353.patch: handle no new cipher setup in
    ssl/s3_both.c.
  - CVE-2013-4353
* SECURITY UPDATE: denial of service via incorrect data structure
  - debian/patches/CVE-2013-6449.patch: check for handshake digests in
    ssl/s3_both.c,ssl/s3_pkt.c,ssl/t1_enc.c, use proper version in
    ssl/s3_lib.c.
  - CVE-2013-6449
* SECURITY UPDATE: denial of service via DTLS retransmission
  - debian/patches/CVE-2013-6450.patch: fix DTLS retransmission in
    crypto/evp/digest.c,ssl/d1_both.c,ssl/s3_pkt.c,ssl/s3_srvr.c,
    ssl/ssl_locl.h,ssl/t1_enc.c.
  - CVE-2013-6450
* debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
  default unless explicitly requested.

89. By Seth Arnold

* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
  (LP: #1187195)
  - CVE-2012-4929
  - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
    zlib to compress SSL/TLS unless the environment variable
    OPENSSL_DEFAULT_ZLIB is set in the environment during library
    initialization.
  - Introduced to assist with programs not yet updated to provide their own
    controls on compression, such as Postfix
  - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

88. By Marc Deslauriers

* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
    commit from upstream to fix regression.
  - CVE-2013-0169

87. By Marc Deslauriers

* REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
  LP: #1133333)
  - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
    available from upstream.

86. By Marc Deslauriers

* SECURITY UPDATE: denial of service via invalid OCSP key
  - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
    crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
  - CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: massive code changes
  - CVE-2013-0169
* SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
  - Fix included in CVE-2013-0169 patch
  - CVE-2012-2686

85. By Tyler Hicks

[ Tyler Hicks <email address hidden> ]
* debian/patches/tls12_workarounds.patch: Readd the change to check
  TLS1_get_client_version rather than TLS1_get_version to fix incorrect
  client hello cipher list truncation when TLS 1.1 and lower is in use.
  (LP: #1051892)

[ Micah Gersten <email address hidden> ]
* Mark Debian Vcs-* as XS-Debian-Vcs-*
  - update debian/control

84. By Marc Deslauriers

* Resynchronise with Debian. Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
  - debian/patches/tls12_workarounds.patch: workaround large client hello
    issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
    with -DOPENSSL_NO_TLS1_2_CLIENT.
* Dropped upstreamed patches:
  - debian/patches/CVE-2012-2110.patch
  - debian/patches/CVE-2012-2110b.patch
  - debian/patches/CVE-2012-2333.patch
  - debian/patches/CVE-2012-0884-extra.patch
  - most of debian/patches/tls12_workarounds.patch

83. By Steve Beattie

* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
  TLS v1.2 implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
  properly when encrypting CMS messages.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/trusty/openssl
This branch contains Public information 
Everyone can see this information.

Subscribers