Branches for Utopic

Name Status Last Modified Last Commit
lp:ubuntu/utopic-proposed/openssl098 bug 2 Mature 2014-07-02 14:25:17 UTC
7. [ Louis Bouchard ] * Bring up to date...

Author: Marc Deslauriers
Revision Date: 2014-07-02 09:16:49 UTC

[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
  (LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
  - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
    ssl/ssl3.h.
  - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    secrets in ssl/s3_pkt.c.
  - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    ssl/s3_clnt.c.
  - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    sending finished ssl/s3_clnt.c.
  - CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
  - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
    recursion in ssl/d1_both.c.
  - CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
  - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
    fragments in ssl/d1_both.c.
  - CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: massive code changes
  - CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
  - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
    crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
  - CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
  - debian/patches/CVE-2012-0884.patch: use a random key if RSA
    decryption fails to avoid leaking timing information
  - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.
  - CVE-2012-0884

[ Marc Deslauriers ]
* debian/patches/rehash_pod.patch: updated to fix FTBFS.
* debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.

lp:ubuntu/utopic/openssl098 1 Development 2014-07-02 09:16:49 UTC
7. [ Louis Bouchard ] * Bring up to date...

Author: Marc Deslauriers
Revision Date: 2014-07-02 09:16:49 UTC

[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
  (LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
  - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
    ssl/ssl3.h.
  - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    secrets in ssl/s3_pkt.c.
  - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    ssl/s3_clnt.c.
  - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    sending finished ssl/s3_clnt.c.
  - CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
  - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
    recursion in ssl/d1_both.c.
  - CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
  - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
    fragments in ssl/d1_both.c.
  - CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: massive code changes
  - CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
  - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
    crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
  - CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
  - debian/patches/CVE-2012-0884.patch: use a random key if RSA
    decryption fails to avoid leaking timing information
  - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.
  - CVE-2012-0884

[ Marc Deslauriers ]
* debian/patches/rehash_pod.patch: updated to fix FTBFS.
* debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.

12 of 2 results