lp://staging/ubuntu/utopic-proposed/openssl098
- Get this branch:
- bzr branch lp://staging/ubuntu/utopic-proposed/openssl098
Branch merges
Related source package recipes
Branch information
Recent revisions
- 7. By Marc Deslauriers
-
[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
(LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/ CVE-2014- 0224-1. patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/ CVE-2014- 0224-2. patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/ CVE-2014- 0224-3. patch: allow CCS after resumption in
ssl/s3_clnt.c.
- debian/patches/ CVE-2014- 0224-regression 2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/ CVE-2014- 0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/ CVE-2014- 0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/ CVE-2013- 0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/ CVE-2013- 0166.patch: properly handle NULL key in
crypto/asn1/a_ verify. c, crypto/ ocsp/ocsp_ vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
- debian/patches/ CVE_2012- 2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
- debian/patches/ CVE-2012- 0884.patch: use a random key if RSA
decryption fails to avoid leaking timing information
- debian/patches/ CVE-2012- 0884-extra. patch: detect symmetric crypto
errors in PKCS7_decrypt and initialize tkeylen properly when
encrypting CMS messages.
- CVE-2012-0884[ Marc Deslauriers ]
* debian/patches/ rehash_ pod.patch: updated to fix FTBFS.
* debian/patches/ fix-pod- errors. patch: fix other pod files to fix FTBFS. - 6. By Jamie Strandboge
-
* Bring up to date with latest security patches from Ubuntu 11.04:
* SECURITY UPDATE: ECDSA private key timing attack
- debian/patches/ CVE-2011- 1945.patch: compute with fixed scalar
length
- CVE-2011-1945
* SECURITY UPDATE: ECDH ciphersuite denial of service
- debian/patches/ CVE-2011- 3210.patch: fix memory usage for thread
safety
- CVE-2011-3210
* SECURITY UPDATE: DTLS plaintext recovery attack
- debian/patches/ CVE-2011- 4108.patch: perform all computations
before discarding messages
- CVE-2011-4108
* SECURITY UPDATE: policy check double free vulnerability
- debian/patches/ CVE-2011- 4019.patch: only free domain policyin
one location
- CVE-2011-4019
* SECURITY UPDATE: SSL 3.0 block padding exposure
- debian/patches/ CVE-2011- 4576.patch: clear bytes used for block
padding of SSL 3.0 records.
- CVE-2011-4576
* SECURITY UPDATE: malformed RFC 3779 data denial of service attack
- debian/patches/ CVE-2011- 4577.patch: prevent malformed RFC3779
data from triggering an assertion failure
- CVE-2011-4577
* SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
- debian/patches/ CVE-2011- 4619.patch: Only allow one SGC handshake
restart for SSL/TLS.
- CVE-2011-4619
* SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
- debian/patches/ CVE-2012- 0050.patch: improve handling of DTLS MAC
- CVE-2012-0050
* SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
headers
- debian/patches/ CVE-2006- 7250+2012- 1165.patch: adjust mime_hdr_cmp()
and mime_param_cmp() to not dereference the compared strings if either
is NULL
- CVE-2006-7250
- CVE-2012-1165
* SECURITY UPDATE: fix various overflows
- debian/patches/ CVE-2012- 2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110
* SECURITY UPDATE: incomplete fix for CVE-2012-2110
- debian/patches/ CVE-2012- 2131.patch: also verify 'len' in BUF_MEM_grow
and BUF_MEM_grow_clean is non-negative
- CVE-2012-2131
* debian/patches/ CVE-2012- 2110b.patch: Use correct error code in
BUF_MEM_grow_clean( ) - 4. By Colin Watson
-
* Add openssl098 compatibility package from Debian, reapplying the
corresponding Ubuntu changes to openssl:
- debian/libssl0. 9.8.postinst: Use a different priority for
libssl0.9.8/restart- services depending on whether a desktop or server
dist-upgrade is being performed.
- debian/{libcrypto0. 9.8-udeb. dirs, libssl0.9.8.dirs, libssl0.9.8.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/ aesni.patch: Backport Intel AES-NI support from
http://rt.openssl. org/Ticket/ Display. html?id= 2067.
- debian/patches/ Bsymbolic- functions. patch: Link using
-Bsymbolic-functions.
- debian/patches/ perlpath- quilt.patch: Don't change perl #! paths under
.pc.
- debian/patches/ no-sslv2. patch: Disable SSLv2 to match NSS and GnuTLS.
The protocol is unsafe and extremely deprecated. (Closes: #589706)
- debian/rules:
+ Disable SSLv2 during compile. (Closes: #589706)
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
(Closes: #465248)
+ Don't build for processors no longer supported: i486, i586 (on
i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
(Closes: #611667)
* Dropped changes no longer required in this compatibility package:
- Display a system-restart- required notification on libssl0.9.8 upgrade.
(libssl1.0.0 will take care of this from now on.)
- Create libssl0.9.8-udeb.
- Move documentation to openssl-doc.
- Replace duplicate files in the doc directory with symlinks.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/vivid/openssl098
