[ubuntu/utopic-proposed] openssl098 0.9.8o-7ubuntu4 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Wed Jul 2 14:09:16 UTC 2014 

openssl098 (0.9.8o-7ubuntu4) utopic; urgency=medium

  [ Louis Bouchard ]
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
      errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
    - CVE-2012-0884

  [ Marc Deslauriers ]
  * debian/patches/rehash_pod.patch: updated to fix FTBFS.
  * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.

Date: Wed, 02 Jul 2014 09:16:49 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/utopic/+source/openssl098/0.9.8o-7ubuntu4
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Jul 2014 09:16:49 -0400
Source: openssl098
Binary: libssl0.9.8 libssl0.9.8-dbg libcrypto0.9.8-udeb
Architecture: source
Version: 0.9.8o-7ubuntu4
Distribution: utopic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
Launchpad-Bugs-Fixed: 1331452
Changes:
 openssl098 (0.9.8o-7ubuntu4) utopic; urgency=medium
 .
   [ Louis Bouchard ]
   * Bring up to date with latest security patches from Ubuntu 10.04:
     (LP: #1331452)
   * SECURITY UPDATE: MITM via change cipher spec
     - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
       when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
       ssl/ssl3.h.
     - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
       secrets in ssl/s3_pkt.c.
     - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
       ssl/s3_clnt.c.
     - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
       sending finished ssl/s3_clnt.c.
     - CVE-2014-0224
   * SECURITY UPDATE: denial of service via DTLS recursion flaw
     - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
       recursion in ssl/d1_both.c.
     - CVE-2014-0221
   * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
     - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
       fragments in ssl/d1_both.c.
     - CVE-2014-0195
   * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
     - debian/patches/CVE-2013-0169.patch: massive code changes
     - CVE-2013-0169
   * SECURITY UPDATE: denial of service via invalid OCSP key
     - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
       crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
     - CVE-2013-0166
   * SECURITY UPDATE: denial of service attack in DTLS implementation
     - debian/patches/CVE_2012-2333.patch: guard for integer overflow
       before skipping explicit IV
     - CVE-2012-2333
   * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
     - debian/patches/CVE-2012-0884.patch: use a random key if RSA
       decryption fails to avoid leaking timing information
     - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
       errors in PKCS7_decrypt and initialize tkeylen properly when
       encrypting CMS messages.
     - CVE-2012-0884
 .
   [ Marc Deslauriers ]
   * debian/patches/rehash_pod.patch: updated to fix FTBFS.
   * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
Checksums-Sha1:
 f321f909430a72c3f35060abfb28dab86b9d1273 2215 openssl098_0.9.8o-7ubuntu4.dsc
 dda1a83345d7a91c87117e8218486ebd40ce783b 105624 openssl098_0.9.8o-7ubuntu4.debian.tar.xz
Checksums-Sha256:
 28a7d9d6e7310c4717d5e1276c7431a83f87de970ace3d8a7137b490ad972f82 2215 openssl098_0.9.8o-7ubuntu4.dsc
 10922d80e091e9fe19ba15b5dbf49fd4f9df950a59322c65d287cea6dbc2ab90 105624 openssl098_0.9.8o-7ubuntu4.debian.tar.xz
Files:
 475561d5179bcd5b40ea3f75d25811c4 2215 utils optional openssl098_0.9.8o-7ubuntu4.dsc
 2308ee0fbba6d743ed6cf4fcf55a2363 105624 utils optional openssl098_0.9.8o-7ubuntu4.debian.tar.xz
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTtBIqAAoJEGVp2FWnRL6TI5UQAK18ZEnMZm/UM1D8EacG6kI7
GAllM356YdE5ZEqRzyH9VcK7UUW5gLWjhSybkFDjqvhSKndC/X0udsrEnH0lAn0K
C7tXe7qDmVg8tt975ituhSgL123hOdhCUPKkPTiE4LtyzdTqTaKLJApIDfuxST2j
6cGYEG64W7IllA7Luv+DMy6XZsvDi7PWDioY49mjoe+j9UVUmaqwOYfwGraAMaJ1
vu4eBrQDcfSPW6zKzXECwrXI9gG+1N6Fic24vuPL0LlVNX1nJzw+dlNVx1u/vqK+
PSlW9gdWZpgYEwEqp111aFyFNu2nLjFS9tM4aXoxAfymj2HqZFDYRkoM6TxY5zMb
q3iJa2ToSfNPgO8CAmYQqKMKfE10DoeUsvRHYTBGBZ3AM0RRzJ/2nNimf1IzaptI
XQzntotsM4r5yrdg63usjbl2u7CSUHTrQp6rT2lC/x66XQymMOgmBRHrp7KPuKcM
E7JQk3kLjIU8zuP6Hik6smgf0Z/W8ZijEBVa6tpj0wo+nQWcty0cLfP8GZiFpOev
BhI4LFJVwHw30CgIyJAbqlc9kq2qF0tBwiTMrMgRWdxFDceEKGhlwJ4tPNDP5sNF
dxCiNYGYo8VT4w1T6Jogmjdmxevw7Bf4RquiM3AvV51zYVXG5PAwgyE2ko3Kuk4j
mK7VtFCsOUPJc3FuxVQF
=FQtd
-----END PGP SIGNATURE-----

More information about the Utopic-changes mailing list