lp:ubuntu/utopic/openssl
- Get this branch:
- bzr branch lp:ubuntu/utopic/openssl
Branch information
- Owner:
- Ubuntu branches
- Status:
- Mature
Recent revisions
- 109. By Marc Deslauriers
-
* SECURITY UPDATE: denial of service via DTLS SRTP memory leak
- debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
util/ssleay.num.
- CVE-2014-3513
* SECURITY UPDATE: denial of service via session ticket integrity check
memory leak
- debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
- CVE-2014-3567
* SECURITY UPDATE: fix the no-ssl3 build option
- debian/patches/CVE-2014-3568.patch: fix conditional code in
ssl/s23_clnt.c, ssl/s23_srvr.c.
- CVE-2014-3568
* SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
protocol downgrade attack to SSLv3 that exposes the POODLE attack.
- debian/patches/tls_fallback_scsv_support.patch: added support for
TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.
- 107. By Marc Deslauriers
-
* SECURITY UPDATE: double free when processing DTLS packets
- debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
- CVE-2014-3505
* SECURITY UPDATE: DTLS memory exhaustion
- debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
checks in ssl/d1_both.c.
- CVE-2014-3506
* SECURITY UPDATE: DTLS memory leak from zero-length fragments
- debian/patches/CVE-2014-3507.patch: fix memory leak and return codes
in ssl/d1_both.c.
- CVE-2014-3507
* SECURITY UPDATE: information leak in pretty printing functions
- debian/patches/CVE-2014-3508.patch: fix OID handling in
crypto/asn1/a_object.c, crypto/objects/obj_dat.c.
- CVE-2014-3508
* SECURITY UPDATE: race condition in ssl_parse_serverhello_tlsext
- debian/patches/CVE-2014-3509.patch: fix race in ssl/t1_lib.c.
- CVE-2014-3509
* SECURITY UPDATE: DTLS anonymous EC(DH) denial of service
- debian/patches/CVE-2014-3510.patch: check for server certs in
ssl/d1_clnt.c, ssl/s3_clnt.c.
- CVE-2014-3510
* SECURITY UPDATE: TLS protocol downgrade attack
- debian/patches/CVE-2014-3511.patch: properly handle fragments in
ssl/s23_srvr.c.
- CVE-2014-3511
* SECURITY UPDATE: SRP buffer overrun
- debian/patches/CVE-2014-3512.patch: check parameters in
crypto/srp/srp_lib.c.
- CVE-2014-3512
* SECURITY UPDATE: crash with SRP ciphersuite in Server Hello message
- debian/patches/CVE-2014-5139.patch: fix SRP authentication and make
sure ciphersuite is set up correctly in ssl/s3_clnt.c, ssl/ssl_lib.c,
ssl/s3_lib.c, ssl/ssl.h, ssl/ssl_ciph.c, ssl/ssl_locl.h.
- CVE-2014-5139
- 106. By Marc Deslauriers
-
* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
- 105. By Marc Deslauriers
-
* SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
- 104. By Marc Deslauriers
-
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via ECDH null session cert
- debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
before dereferencing it in ssl/s3_clnt.c.
- CVE-2014-3470
- 103. By Marc Deslauriers
-
* SECURITY UPDATE: denial of service via use after free
- debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
releasing buffers in ssl/s3_pkt.c.
- CVE-2010-5298
* SECURITY UPDATE: denial of service via null pointer dereference
- debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
one in ssl/s3_pkt.c.
- CVE-2014-0198
- 102. By Marc Deslauriers
-
* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
- debian/patches/CVE-2014-0076.patch: add and use constant time swap in
crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
util/libeay.num.
- CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
- debian/patches/CVE-2014-0160.patch: use correct lengths in
ssl/d1_both.c, ssl/t1_lib.c.
- CVE-2014-0160
- 101. By Marc Deslauriers
-
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* Dropped changes:
- debian/patches/arm64-support: included in debian-targets.patch
- debian/patches/no_default_rdrand.patch: upstream
- debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
disabled in debian/rules
- 100. By Marc Deslauriers
-
debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
default unless explicitly requested.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/vivid/openssl