[Bug 1331452] Re: Please backport current CVEs for Precise LTS openssl098

Seth Arnold 1331452 at bugs.launchpad.net
Thu Jun 19 06:18:13 UTC 2014


Thanks for taking on this update; I have a few questions:

The changelog references a patch that isn't included:

+    - debian/patches/fix_renegotiation.patch: add upstream commit to fix
+      renegotiation in ssl/s3_clnt.c, ssl/t1_lib.c.

Why was this patch dropped? It feels accidental, since it's still in the
changelog.

The modifications to the file crypto/cms/cms_smime.c appear to have been
dropped from debian/patches/CVE-2012-0884.patch. Was this intentional?

Thanks

** Changed in: openssl (Ubuntu Precise)
       Status: Confirmed => Incomplete

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0884

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1331452

Title:
  Please backport current CVEs for Precise LTS openssl098

Status in “openssl” package in Ubuntu:
  Invalid
Status in “openssl” source package in Precise:
  Incomplete

Bug description:
  Please backport the CVEs listed here to openssl098:

  http://people.canonical.com/~ubuntu-security/cve/pkg/openssl098.html

   * CVE-2012-0884
   * CVE-2012-2333
   * CVE-2013-0166
   * CVE-2013-0169
   * CVE-2014-0195
   * CVE-2014-0221
   * CVE-2014-0224
