[Bug 850608] Re: Please merge openssl 1.0.0e-2 from debian

Steve Beattie sbeattie at ubuntu.com
Thu Sep 15 05:20:34 UTC 2011


Merge request has been attached. I have tested that the result of the merge
builds successfully, with no changes in the results of the openssl build
time regression tests or in the openssl tests in the lp:qa-regression-testing branch.

** Changed in: openssl (Ubuntu)
       Status: New => In Progress

** Changed in: openssl (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/850608

Title:
  Please merge openssl 1.0.0e-2 from debian

Status in “openssl” package in Ubuntu:
  In Progress

Bug description:
  openssl 1.0.0e-2 fixes CVE-2011-1945, CVE-2011-3207 and CVE-2011-3210,
  and also includes blacklisting of DigiNotar certificates (to catch
  some compromised subsidiary DigiNotar certificates that were cross-signed
  by other CAs; thus the removal of the DigiNotar CA certificate
  from ca-certificates won't block their usage).

  The debian changes since 1.0.0d-2 are all bugfixes:

  openssl (1.0.0e-2) unstable; urgency=low

     * Add a missing $(DEB_HOST_MULTIARCH)

   -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 17:02:29 +0200
  openssl (1.0.0e-1) unstable; urgency=low

     * New upstream version
       - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
         by initialising X509_STORE_CTX properly. (CVE-2011-3207)
       - Fix SSL memory handling for (EC)DH ciphersuites, in particular
         for multi-threaded use of ECDH. (CVE-2011-3210)
       - Add protection against ECDSA timing attacks (CVE-2011-1945)
     * Block DigiNotar certificates.  Patch from
       Raphael Geissert <geissert at debian.org>
     * Generate hashes for all certs in a file (Closes: #628780, #594524)
       Patch from Klaus Ethgen <Klaus at Ethgen.de>
     * Add multiarch support (Closes: #638137)
       Patch from Steve Langasek / Ubuntu
     * Symbols from the gost engine were removed because it didn't have
       a linker file.  Thanks to Roman I Khimov <khimov at altell.ru>
       (Closes: #631503)
     * Add support for s390x.  Patch from Aurelien Jarno <aurel32 at debian.org>
       (Closes: #641100)
     * Add build-arch and build-indep targets to the rules file.

   -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200
  openssl (1.0.0d-3) unstable; urgency=low

     * Make it build on sparc64.  Patch from Aurelien Jarno.  (Closes: #626060)
     * Apply patches from Scott Schaefer <saschaefer at neurodiverse.org> to
       fix various pod and spelling errors. (Closes: #622820, #605561)
     * Add missing symbols for the engines (Closes: #623038)
     * More spelling fixes from Scott Schaefer (Closes: #395424)
     * Patch from Scott Schaefer to better document pkcs12 password options
       (Closes: #462489)
     * Document dgst -hmac option.  Patch by Thorsten Glaser <tg at mirbsd.de>
       (Closes: #529586)

   -- Kurt Roeckx <kurt at roeckx.be>  Mon, 13 Jun 2011 12:39:54 +0200

  and the upstream release 1.0.0e is a bugfix-only release as well:

  + Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
  +
  +  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
  +     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
  +     [Kaspar Brand <ossl at velox.ch>]
  +
  +  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
  +     for multi-threaded use of ECDH. (CVE-2011-3210)
  +     [Adam Langley (Google)]
  +
  +  *) Fix x509_name_ex_d2i memory leak on bad inputs.
  +     [Bodo Moeller]
  +
  +  *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
  +     signature public key algorithm by using OID xref utilities instead.
  +     Before this you could only use some ECC ciphersuites with SHA1 only.
  +     [Steve Henson]
  +
  +  *) Add protection against ECDSA timing attacks as mentioned in the paper
  +     by Billy Bob Brumley and Nicola Tuveri, see:
  +
  +       http://eprint.iacr.org/2011/232.pdf
  +
  +     [Billy Bob Brumley and Nicola Tuveri]
  +
    Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/850608/+subscriptions
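The bug description makes a point that is easy to miss: dropping the DigiNotar root from ca-certificates does not stop a DigiNotar sub-CA that another, still-trusted root has cross-signed, because path building simply finds the alternate route to the other root. The following is an added example, not code from this bug report, from Debian's openssl packaging or from OpenSSL. It is a constructed toy model of X.509 path building: certificates are dicts, the "signature" is a SHA-256 hash keyed by the issuer's key string (a stand-in for an RSA/ECDSA signature checked with the issuer's public key), and the names "Good Root", "DigiNotar Root" and "DigiNotar Sub CA" are illustrative, not the real hierarchy. The blacklist is keyed on the sub-CA's public-key fingerprint; that choice is an assumption made for this example and is not a description of how the Debian patch matches certificates.

```python
"""Why removing a CA root is not enough when its sub-CAs are cross-signed.

Constructed toy model (added example, not OpenSSL or Debian code): dict
certificates, keyed-hash "signatures", illustrative names.
"""
import hashlib
from typing import Optional


def spki_fingerprint(pubkey: str) -> str:
    # Fingerprint of the public key itself, so the same key is recognised in
    # every certificate that carries it, however many CAs have signed it.
    return hashlib.sha256(pubkey.encode()).hexdigest()


def _tbs(subject: str, pubkey: str, issuer: str) -> str:
    # The "to-be-signed" part of the toy certificate.
    return f"{subject}|{pubkey}|{issuer}"


def make_cert(subject: str, pubkey: str, issuer: str, issuer_key: str) -> dict:
    # Toy signature: keyed hash over the TBS data with the issuer's key
    # (stand-in for a real RSA/ECDSA signature).
    sig = hashlib.sha256((issuer_key + "|" + _tbs(subject, pubkey, issuer)).encode()).hexdigest()
    return {"subject": subject, "pubkey": pubkey, "issuer": issuer, "sig": sig}


def signature_ok(cert: dict, issuer_cert: dict) -> bool:
    # In the toy model the issuer's "public key" is the string that signed,
    # so verification is recomputing the keyed hash over the TBS data.
    expected = hashlib.sha256(
        (issuer_cert["pubkey"] + "|" + _tbs(cert["subject"], cert["pubkey"], cert["issuer"])).encode()
    ).hexdigest()
    return cert["sig"] == expected


def build_path(cert: dict, pool: list, anchors: dict, blacklist=frozenset(), depth: int = 0) -> Optional[list]:
    """Depth-first path building from `cert` up to a trust anchor.

    `anchors` maps root subject -> root cert (the trust store, e.g. what
    ca-certificates installs); `pool` holds the other certificates available
    to the builder (intermediates sent by the peer, cross-certificates, cached
    CA certs). A cross-signed CA contributes one pool entry per parent that
    signed it, and the builder tries each in turn, much as an X.509 verifier
    looks up issuer candidates by subject name. `blacklist` holds SPKI
    fingerprints that must never appear on a path, whichever root the path
    would otherwise end at. Returns the path (leaf first, anchor last) or None.
    """
    if depth > 8 or spki_fingerprint(cert["pubkey"]) in blacklist:
        return None
    root = anchors.get(cert["issuer"])
    if root is not None and signature_ok(cert, root):
        return [cert, root]
    for cand in pool:
        if cand is cert or cand["subject"] != cert["issuer"] or not signature_ok(cert, cand):
            continue
        rest = build_path(cand, pool, anchors, blacklist, depth + 1)
        if rest is not None:
            return [cert] + rest
    return None


def build_demo_pki() -> dict:
    # Constructed PKI: one root that stays trusted, one root that gets removed
    # from the trust store, a sub-CA under the removed root that the other root
    # has also cross-signed (same key, two certificates), and a leaf it issued.
    good_root = make_cert("Good Root", "key-good-root", "Good Root", "key-good-root")
    dn_root = make_cert("DigiNotar Root", "key-dn-root", "DigiNotar Root", "key-dn-root")
    sub_direct = make_cert("DigiNotar Sub CA", "key-dn-sub", "DigiNotar Root", "key-dn-root")
    sub_cross = make_cert("DigiNotar Sub CA", "key-dn-sub", "Good Root", "key-good-root")
    leaf = make_cert("www.example.test", "key-leaf", "DigiNotar Sub CA", "key-dn-sub")
    return {"good_root": good_root, "dn_root": dn_root, "sub_direct": sub_direct,
            "sub_cross": sub_cross, "leaf": leaf}


def path_subjects(path: Optional[list]) -> Optional[list]:
    return None if path is None else [c["subject"] for c in path]


def run_scenarios() -> dict:
    pki = build_demo_pki()
    pool = [pki["sub_direct"], pki["sub_cross"]]
    full_store = {c["subject"]: c for c in (pki["good_root"], pki["dn_root"])}
    trimmed_store = {"Good Root": pki["good_root"]}          # DigiNotar root removed
    blacklist = {spki_fingerprint("key-dn-sub")}              # the compromised sub-CA key
    tampered = dict(pki["leaf"], pubkey="key-attacker")       # signature no longer matches
    return {
        "both_roots_trusted": path_subjects(build_path(pki["leaf"], pool, full_store)),
        "diginotar_root_removed": path_subjects(build_path(pki["leaf"], pool, trimmed_store)),
        "root_removed_plus_blacklist": path_subjects(build_path(pki["leaf"], pool, trimmed_store, blacklist)),
        "tampered_leaf": path_subjects(build_path(tampered, pool, trimmed_store)),
    }


if __name__ == "__main__":
    for name, path in run_scenarios().items():
        print(f"{name}: {path}")
```

With both roots trusted the leaf chains through the sub-CA to the DigiNotar root; with that root removed the builder still succeeds, now via the cross-certificate to the good root; only the blacklist, which is consulted on every candidate regardless of where the path ends, rejects the chain. The tampered-leaf case shows the same builder still enforces signatures, so the blacklist is an addition to normal verification, not a replacement for it.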
