ubuntu/+source/openssl:ubuntu/lucid-proposed

Last commit made on 2013-06-10
Get this branch:
git clone -b ubuntu/lucid-proposed https://git.launchpad.net/ubuntu/+source/openssl
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/lucid-proposed
Repository:
lp:ubuntu/+source/openssl

Recent commits

ab30314... by Seth Arnold on 2013-06-04

Import patches-unapplied version 0.9.8k-7ubuntu8.15 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 589dca1defdb786453e9370c9c5cba678b68aaf5

New changelog entries:
  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their own
      controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

589dca1... by Marc Deslauriers on 2013-02-18

Import patches-unapplied version 0.9.8k-7ubuntu8.14 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 1df2feab1607aa830b767e35251bfd46530f98f9

New changelog entries:
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169

1df2fea... by Steve Beattie on 2012-05-22

Import patches-unapplied version 0.9.8k-7ubuntu8.13 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 853fd00a202311ccba4d35d978eabd43e6f69360

New changelog entries:
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.

853fd00... by Jamie Strandboge on 2012-04-24

Import patches-unapplied version 0.9.8k-7ubuntu8.11 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 50732f2b1847eb7d5a5b74dcc7d93024b12011e8

New changelog entries:
  * SECURITY UPDATE: incomplete fix for CVE-2012-2110
    - debian/patches/CVE-2012-2131.patch: also verify 'len' in BUF_MEM_grow
      and BUF_MEM_grow_clean is non-negative
    - CVE-2012-2131
  * debian/patches/CVE-2012-2110b.patch: Use correct error code in
    BUF_MEM_grow_clean()

50732f2... by Jamie Strandboge on 2012-04-19

Import patches-unapplied version 0.9.8k-7ubuntu8.10 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: a99e9994eb7ff8501e3237f14193a95bb6fe4f4e

New changelog entries:
  * SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
    headers
    - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
      and mime_param_cmp() to not dereference the compared strings if either
      is NULL
    - CVE-2006-7250
    - CVE-2012-1165
  * SECURITY UPDATE: fix various overflows
    - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
      crypto/buffer.c and crypto/mem.c to verify size of lengths
    - CVE-2012-2110

a99e999... by Steve Beattie on 2012-01-31

Import patches-unapplied version 0.9.8k-7ubuntu8.8 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: dec549d996a8f6def7272ddc4804b76cafa5f6be

New changelog entries:
  * SECURITY UPDATE: ECDSA private key timing attack
    - debian/patches/CVE-2011-1945.patch: compute with fixed scalar
      length
    - CVE-2011-1945
  * SECURITY UPDATE: ECDH ciphersuite denial of service
    - debian/patches/CVE-2011-3210.patch: fix memory usage for thread
      safety
    - CVE-2011-3210
  * SECURITY UPDATE: DTLS plaintext recovery attack
    - debian/patches/CVE-2011-4108.patch: perform all computations
      before discarding messages
    - CVE-2011-4108
  * SECURITY UPDATE: policy check double free vulnerability
    - debian/patches/CVE-2011-4019.patch: only free domain policyin
      one location
    - CVE-2011-4019
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - debian/patches/CVE-2011-4576.patch: clear bytes used for block
      padding of SSL 3.0 records.
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
      data from triggering an assertion failure
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
      restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
    - CVE-2012-0050
  * debian/patches/openssl-fix_ECDSA_tests.patch: fix ECDSA tests
  * debian/libssl0.9.8.postinst: Only issue the reboot notification for
    servers by testing that the X server is not running (LP: #244250)

dec549d... by Steve Beattie on 2011-02-10

Import patches-unapplied version 0.9.8k-7ubuntu8.6 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 67190f347a0a7478bb492370c17268df6ecba240

New changelog entries:
  * SECURITY UPDATE: OCSP stapling vulnerability
    - debian/patched/openssl-CVE-2011-0014-secadv_20110208.patch:
      stricter parsing of ClientHello message in ssl/t1_lib.c
    - CVE-2011-0014
  * Forward TLS version interop patch
    - debian/patches/openssl-forward-interop.patch
    - Handle TLS versions 2.0 and later properly and correctly use
      the highest version of TLS/SSL supported. Although TLS >=
      2.0 is some way off ancient servers have a habit of sticking
      around for a while...
      [Steve Henson]

67190f3... by Steve Beattie on 2010-12-03

Import patches-unapplied version 0.9.8k-7ubuntu8.5 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 5ba886e6309f8ad3e760b3c093e337c948bf25d8

New changelog entries:
  * SECURITY UPDATE: ciphersuite downgrade vulnerability
    - openssl-CVE-2010-4180-secadv_20101202-0.9.8.patch:
      disable workaround for Netscape cipher suite bug in ssl/s3_clnt.c
      and ssl/s3_srvr.c
    - CVE-2010-4180

5ba886e... by Steve Beattie on 2010-11-16

Import patches-unapplied version 0.9.8k-7ubuntu8.4 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 473a053e4dc2889ce8a38ead3d4c84a062ff64ec

New changelog entries:
  * SECURITY UPDATE: TLS race condition leading to a buffer overflow and
    possible code execution. (LP: #676243)
    - patches/debian/openssl-CVE-2010-3864-secadv_20101116-0.9.8.patch:
      stricter NULL/not-NULL checking in ssl/t1_lib.c
    - CVE-2010-3864

473a053... by Marc Deslauriers on 2010-10-06

Import patches-unapplied version 0.9.8k-7ubuntu8.3 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: e17ad687fb4f92cca87816e4c9c19e7b1f5529fd

New changelog entries:
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted private key with an invalid prime.
    - debian/patches/CVE-2010-2939.patch: set bn_ctx to NULL after freeing
      it in ssl/s3_clnt.c.
    - CVE-2010-2939