[ubuntu/precise-security] openssl 1.0.1-4ubuntu5.14 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Jun 5 12:05:17 UTC 2014


openssl (1.0.1-4ubuntu5.14) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via ECDH null session cert
    - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
      before dereferencing it in ssl/s3_clnt.c.
    - CVE-2014-3470

Date: 2014-06-02 19:24:12.935405+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/precise/+source/openssl/1.0.1-4ubuntu5.14
-------------- next part --------------
Sorry, changesfile not available.


More information about the Precise-changes mailing list