[Bug 1331452] Re: Please backport current CVEs for Precise LTS openssl098

Seth Arnold 1331452 at bugs.launchpad.net
Thu Jun 19 19:32:17 UTC 2014


Louis, thanks for taking another stab at this, but it still doesn't seem
right: cms_smime.c had 37 added lines in the upstream patch, but this
includes only three new added lines and no actual functional changes:

+Index: openssl098-0.9.8o/crypto/cms/cms_smime.c
+===================================================================
+--- openssl098-0.9.8o.orig/crypto/cms/cms_smime.c      2014-06-19 09:23:47.888194057 +0200
++++ openssl098-0.9.8o/crypto/cms/cms_smime.c   2014-06-19 09:27:53.552200347 +0200
+@@ -684,7 +684,10 @@
+       STACK_OF(CMS_RecipientInfo) *ris;
+       CMS_RecipientInfo *ri;
+       int i, r;
++      int debug = 0;
+       ris = CMS_get0_RecipientInfos(cms);
++      if (ris)
++              debug = cms->d.envelopedData->encryptedContentInfo->debug;
+       for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+               {
+               ri = sk_CMS_RecipientInfo_value(ris, i);
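Review bot: `debug` is declared and assigned in this hunk but never read in the lines shown, so the recipient loop behaves exactly as before and the hunk makes no functional change to CMS decryption. The remaining part of the upstream change that actually uses `debug` inside the `for` loop needs to be carried into this patch as well. Also worth confirming while completing it: the `if (ris)` guard dereferences `cms->d.envelopedData->encryptedContentInfo` on the strength of `ris` alone, so a non-NULL `ris` must imply that the content type is enveloped data.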
diff -Nru openssl098-0.9.8o/debian/patches/CVE-2012-2333.patch openssl098-0.9.8o/debian/patches/CVE-2012-2333.patc

I think it's still missing some important changes.

Thanks

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2333

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1331452

Title:
  Please backport current CVEs for Precise LTS openssl098

Status in “openssl” package in Ubuntu:
  Invalid
Status in “openssl” source package in Precise:
  In Progress

Bug description:
  Please backport the CVEs listed here to openssl098:

  http://people.canonical.com/~ubuntu-security/cve/pkg/openssl098.html

   * CVE-2012-0884
   * CVE-2012-2333
   * CVE-2013-0166
   * CVE-2013-0169
   * CVE-2014-0195
   * CVE-2014-0221
   * CVE-2014-0224
