Created by Ubuntu Package Importer on 2014-07-02 and last modified on 2014-07-02
Get this branch:
bzr branch lp:ubuntu/saucy-security/openssl098
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

7. By Louis Bouchard on 2014-06-18

* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
  - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    sending finished ssl/s3_clnt.c.
* Bring up to date with latest security patches from Ubuntu 10.04:
  (LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
  - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
  - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    secrets in ssl/s3_pkt.c.
  - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
  - CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
  - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
    recursion in ssl/d1_both.c.
  - CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
  - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
    fragments in ssl/d1_both.c.
  - CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: massive code changes
  - CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
  - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
    crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
  - CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
  - debian/patches/CVE-2012-0884.patch: use a random key if RSA
    decryption fails to avoid leaking timing information
  - CVE-2012-0884
* debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
  - errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.

6. By Jamie Strandboge on 2012-04-24

* Bring up to date with latest security patches from Ubuntu 11.04:
  * SECURITY UPDATE: ECDSA private key timing attack
  - debian/patches/CVE-2011-1945.patch: compute with fixed scalar
  - CVE-2011-1945
* SECURITY UPDATE: ECDH ciphersuite denial of service
  - debian/patches/CVE-2011-3210.patch: fix memory usage for thread
  - CVE-2011-3210
* SECURITY UPDATE: DTLS plaintext recovery attack
  - debian/patches/CVE-2011-4108.patch: perform all computations
    before discarding messages
  - CVE-2011-4108
* SECURITY UPDATE: policy check double free vulnerability
  - debian/patches/CVE-2011-4019.patch: only free domain policyin
    one location
  - CVE-2011-4019
* SECURITY UPDATE: SSL 3.0 block padding exposure
  - debian/patches/CVE-2011-4576.patch: clear bytes used for block
    padding of SSL 3.0 records.
  - CVE-2011-4576
* SECURITY UPDATE: malformed RFC 3779 data denial of service attack
  - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
    data from triggering an assertion failure
  - CVE-2011-4577
* SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
  - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
    restart for SSL/TLS.
  - CVE-2011-4619
* SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
  - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
  - CVE-2012-0050
* SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
  - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
    and mime_param_cmp() to not dereference the compared strings if either
    is NULL
  - CVE-2006-7250
  - CVE-2012-1165
* SECURITY UPDATE: fix various overflows
  - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
    crypto/buffer.c and crypto/mem.c to verify size of lengths
  - CVE-2012-2110
* SECURITY UPDATE: incomplete fix for CVE-2012-2110
  - debian/patches/CVE-2012-2131.patch: also verify 'len' in BUF_MEM_grow
    and BUF_MEM_grow_clean is non-negative
  - CVE-2012-2131
* debian/patches/CVE-2012-2110b.patch: Use correct error code in

5. By Evan Broder on 2011-12-10

Convert to multiarch.

4. By Colin Watson on 2011-09-05

* Add openssl098 compatibility package from Debian, reapplying the
  corresponding Ubuntu changes to openssl:
  - debian/libssl0.9.8.postinst: Use a different priority for
    libssl0.9.8/restart-services depending on whether a desktop or server
    dist-upgrade is being performed.
  - debian/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files,
    rules}: Move runtime libraries to /lib, for the benefit of
  - debian/patches/aesni.patch: Backport Intel AES-NI support from
  - debian/patches/Bsymbolic-functions.patch: Link using
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
  - debian/patches/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS.
    The protocol is unsafe and extremely deprecated. (Closes: #589706)
  - debian/rules:
    + Disable SSLv2 during compile. (Closes: #589706)
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
      (Closes: #465248)
    + Don't build for processors no longer supported: i486, i586 (on
      i386), v8 (on sparc).
    + Fix Makefile to properly clean up libs/ dirs in clean target.
      (Closes: #611667)
* Dropped changes no longer required in this compatibility package:
  - Display a system-restart-required notification on libssl0.9.8 upgrade.
    (libssl1.0.0 will take care of this from now on.)
  - Create libssl0.9.8-udeb.
  - Move documentation to openssl-doc.
  - Replace duplicate files in the doc directory with symlinks.

3. By Kurt Roeckx on 2011-04-06

Re-add libcrypto0.9.8-udeb for easier transition.

2. By Kurt Roeckx on 2011-03-23

Upload as transitional openssl098 source package, just keeping
the library.

1. By Kurt Roeckx on 2011-03-23

Import upstream version 0.9.8o

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.