[Bug 850608] [NEW] Please merge openssl 1.0.0e-2 from debian
Steve Beattie
sbeattie at ubuntu.com
Thu Sep 15 05:05:42 UTC 2011
Public bug reported:

openssl 1.0.0e-2 fixes CVE-2011-1945, CVE-2011-3207 and CVE-2011-3210,
as well as includes blacklisting of DigiNotar certificates (to catch
some compromised subsidiary DigiNotar certificates that were
cross-signed by other CAs; thus the removal of the DigiNotar CA
certificate from ca-certificates won't block their usage).

The debian changes since 1.0.0d-2 are all bugfixes:

openssl (1.0.0e-2) unstable; urgency=low

  * Add a missing $(DEB_HOST_MULTIARCH)

 -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 17:02:29 +0200

openssl (1.0.0e-1) unstable; urgency=low

  * New upstream version
    - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
    - Fix SSL memory handling for (EC)DH ciphersuites, in particular
      for multi-threaded use of ECDH. (CVE-2011-3210)
    - Add protection against ECDSA timing attacks (CVE-2011-1945)
  * Block DigiNotar certificates. Patch from
    Raphael Geissert <geissert at debian.org>
  * Generate hashes for all certs in a file (Closes: #628780, #594524)
    Patch from Klaus Ethgen <Klaus at Ethgen.de>
  * Add multiarch support (Closes: #638137)
    Patch from Steve Langasek / Ubuntu
  * Symbols from the gost engine were removed because it didn't have
    a linker file. Thanks to Roman I Khimov <khimov at altell.ru>
    (Closes: #631503)
  * Add support for s390x. Patch from Aurelien Jarno <aurel32 at debian.org>
    (Closes: #641100)
  * Add build-arch and build-indep targets to the rules file.

 -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200

openssl (1.0.0d-3) unstable; urgency=low

  * Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
  * Apply patches from Scott Schaefer <saschaefer at neurodiverse.org> to
    fix various pod and spelling errors. (Closes: #622820, #605561)
  * Add missing symbols for the engines (Closes: #623038)
  * More spelling fixes from Scott Schaefer (Closes: #395424)
  * Patch from Scott Schaefer to better document pkcs12 password options
    (Closes: #462489)
  * Document dgst -hmac option. Patch by Thorsten Glaser <tg at mirbsd.de>
    (Closes: #529586)

 -- Kurt Roeckx <kurt at roeckx.be>  Mon, 13 Jun 2011 12:39:54 +0200

and the upstream release 1.0.0e is a bugfix-only release as well:

+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
+
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <ossl at velox.ch>]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH. (CVE-2011-3210)
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
+
+ *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
+ signature public key algorithm by using OID xref utilities instead.
+ Before this you could only use some ECC ciphersuites with SHA1 only.
+ [Steve Henson]
+
+ *) Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+
+ http://eprint.iacr.org/2011/232.pdf
+
+ [Billy Bob Brumley and Nicola Tuveri]
+
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
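
Review bot: The ECDSA timing-attack entry (the last item, citing the Brumley and Tuveri paper) carries no CVE identifier, while the two entries above it name CVE-2011-3207 and CVE-2011-3210; the Debian changelog in this report ties that fix to CVE-2011-1945, so adding "(CVE-2011-1945)" to the entry would keep all three security fixes traceable from CHANGES alone. Separately, the ecdsaWithSHA1 entry reads as a behaviour change rather than a fix (ECC ciphersuites previously limited to SHA1 become usable with other digests), which is worth checking against the "bugfix-only" description before merging, and its sentence "Before this you could only use some ECC ciphersuites with SHA1 only." has a redundant "only".
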
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/850608
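
The report's point that removing a CA certificate from the trust store does not block a subordinate CA cross-signed by another CA, modelled as an added example (not code from the bug report, Debian or OpenSSL). The certificate names, the subject-name denylist and the `build_paths`/`verify` helpers are hypothetical, and signatures are not checked.

```python
# Toy path-building model (no real cryptography); all data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# The subordinate CA holds two certificates for the same name: one from its own
# root, one cross-signed by an unrelated root that stays trusted.
BAD_ROOT = Cert("Compromised Root CA", "Compromised Root CA")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA")
SUB_NATIVE = Cert("Compromised Sub CA", "Compromised Root CA")
SUB_CROSS = Cert("Compromised Sub CA", "Other Root CA")
LEAF = Cert("www.example.test", "Compromised Sub CA")
GOOD_LEAF = Cert("ok.example.test", "Other Root CA")
POOL = [BAD_ROOT, OTHER_ROOT, SUB_NATIVE, SUB_CROSS]

def build_paths(cert, anchors, pool, seen=()):
    """Yield every chain from cert up to a trust anchor."""
    if cert in anchors:
        yield [cert]
        return
    for issuer in pool:
        if issuer.subject == cert.issuer and issuer != cert and issuer not in seen:
            for rest in build_paths(issuer, anchors, pool, seen + (cert,)):
                yield [cert] + rest

def verify(leaf, anchors, pool, denied_subjects=frozenset()):
    """Return the first chain with no denylisted subject, else None."""
    for chain in build_paths(leaf, anchors, pool):
        if not any(c.subject in denied_subjects for c in chain):
            return chain
    return None

if __name__ == "__main__":
    deny = {"Compromised Sub CA"}  # hypothetical denylist keyed on subject name
    for label, anchors, denied in [
        ("both roots trusted", {BAD_ROOT, OTHER_ROOT}, set()),
        ("root removed from store", {OTHER_ROOT}, set()),
        ("root removed + denylist", {OTHER_ROOT}, deny),
    ]:
        chain = verify(LEAF, anchors, POOL, denied)
        print(label, "->", [c.subject for c in chain] if chain else "rejected")
    good = verify(GOOD_LEAF, {OTHER_ROOT}, POOL, deny)
    print("unrelated leaf ->", [c.subject for c in good])
```

The denylist has to be applied to every certificate in the candidate chain, not just the anchor, which is why the second case still validates and the third does not.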