ubuntu/+source/openssl:ubuntu/natty-security

Last commit made on 2012-05-24
Get this branch:
git clone -b ubuntu/natty-security https://git.launchpad.net/ubuntu/+source/openssl

Branch information

Name:
ubuntu/natty-security
Repository:
lp:ubuntu/+source/openssl

Recent commits

a726569... by Steve Beattie on 2012-05-22

Import patches-unapplied version 0.9.8o-5ubuntu1.7 to ubuntu/natty-security

Imported using git-ubuntu import.

Changelog parent: a6a4ea585b2eb526be0341c0b3e2143343387bb4

New changelog entries:
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.

a6a4ea5... by Jamie Strandboge on 2012-04-24

Import patches-unapplied version 0.9.8o-5ubuntu1.5 to ubuntu/natty-security

Imported using git-ubuntu import.

Changelog parent: 7b0a7c9f61a5c8c537a79708c0076ba5604a22c8

New changelog entries:
  * SECURITY UPDATE: incomplete fix for CVE-2012-2110
    - debian/patches/CVE-2012-2131.patch: also verify 'len' in BUF_MEM_grow
      and BUF_MEM_grow_clean is non-negative
    - CVE-2012-2131
  * debian/patches/CVE-2012-2110b.patch: Use correct error code in
    BUF_MEM_grow_clean()

7b0a7c9... by Jamie Strandboge on 2012-04-19

Import patches-unapplied version 0.9.8o-5ubuntu1.4 to ubuntu/natty-security

Imported using git-ubuntu import.

Changelog parent: 224711f42df65cf3a16c08ed305700477edfc3ec

New changelog entries:
  * SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
    headers
    - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
      and mime_param_cmp() to not dereference the compared strings if either
      is NULL
    - CVE-2006-7250
    - CVE-2012-1165
  * SECURITY UPDATE: fix various overflows
    - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
      crypto/buffer.c and crypto/mem.c to verify size of lengths
    - CVE-2012-2110

224711f... by Steve Beattie on 2012-01-31

Import patches-unapplied version 0.9.8o-5ubuntu1.2 to ubuntu/natty-security

Imported using git-ubuntu import.

Changelog parent: fe88cf504bec7863b4f6bbe642ca3c67bf833efd

New changelog entries:
  * SECURITY UPDATE: ECDSA private key timing attack
    - debian/patches/CVE-2011-1945.patch: compute with fixed scalar
      length
    - CVE-2011-1945
  * SECURITY UPDATE: ECDH ciphersuite denial of service
    - debian/patches/CVE-2011-3210.patch: fix memory usage for thread
      safety
    - CVE-2011-3210
  * SECURITY UPDATE: DTLS plaintext recovery attack
    - debian/patches/CVE-2011-4108.patch: perform all computations
      before discarding messages
    - CVE-2011-4108
  * SECURITY UPDATE: policy check double free vulnerability
    - debian/patches/CVE-2011-4019.patch: only free domain policy in
      one location
    - CVE-2011-4019
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - debian/patches/CVE-2011-4576.patch: clear bytes used for block
      padding of SSL 3.0 records.
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
      data from triggering an assertion failure
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
      restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
    - CVE-2012-0050
  * debian/libssl0.9.8.postinst: Only issue the reboot notification for
    servers by testing that the X server is not running (LP: #244250)

fe88cf5... by Artur Rona on 2011-02-13

Import patches-unapplied version 0.9.8o-5ubuntu1 to ubuntu/natty

Imported using git-ubuntu import.

Changelog parent: 4e7e7fb1a7092197b6f3cd6e6cfeba04f92e1cdc

New changelog entries:
  * Merge from debian unstable. Remaining changes: (LP: #718205)
    - d/libssl0.9.8.postinst:
      + Display a system restart required notification bubble
        on libssl0.9.8 upgrade.
      + Use a different priority for libssl0.9.8/restart-services
        depending on whether a desktop, or server dist-upgrade
        is being performed.
    - d/{libssl0.9.8-udeb.dirs, control, rules}: Create
      libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb
      package in Debian).
    - d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files,
      rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
    - d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}:
      + Ship documentation in openssl-doc, suggested by the package.
        (Closes: #470594)
    - d/p/aesni.patch: Backport Intel AES-NI support from
      http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
    - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
    - d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc.
    - d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS.
      The protocol is unsafe and extremely deprecated. (Closes: #589706)
    - d/rules:
      + Disable SSLv2 during compile. (Closes: #589706)
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
        (Closes: #465248)
      + Don't build for processors no longer supported: i486, i586
        (on i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
        (Closes: #611667)
      + Replace duplicate files in the doc directory with symlinks.
  * This upload fixed CVE: (LP: #718208)
    - CVE-2011-0014

4e7e7fb... by Kurt Roeckx on 2011-02-10

Import patches-unapplied version 0.9.8o-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: db8c99eeaaae75aeb7a5b3c6729460d115f7be23

New changelog entries:
  * Fix OCSP stapling parse error (CVE-2011-0014)

db8c99e... by Kurt Roeckx on 2010-12-06

Import patches-unapplied version 0.9.8o-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 00a968ee4b4704db41773f83c293cea29bcaf0d6

New changelog entries:
  * Fix CVE-2010-4180 (Closes: #529221)

00a968e... by Kurt Roeckx on 2010-11-16

Import patches-unapplied version 0.9.8o-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 658c05706efe34071dc993bc93cea4a03d80d300

New changelog entries:
  * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
  * Re-add the engines. They were missing since 0.9.8m-1.
    Patch by Joerg Schneider. (Closes: #603693)
  * Not all architectures were built using -g (Closes: #570702)
  * Add powerpcspe support (Closes: #579805)
  * Add armhf support (Closes: #596881)
  * Update translations:
    - Brazilian Portuguese (Closes: #592154)
    - Danish (Closes: #599459)
    - Vietnamese (Closes: #601536)
    - Arabic (Closes: #596166)
  * Generate the proper stamp file so that everything doesn't get built twice.

658c057... by Kurt Roeckx on 2010-08-26

Import patches-unapplied version 0.9.8o-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d632da659b723bd315f7aa135a673701bea4a326

New changelog entries:
  * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)

d632da6... by Kurt Roeckx on 2010-04-17

Import patches-unapplied version 0.9.8o-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f1b6e1fafd1f910c9780bd06a601288c76907e7b

New changelog entries:
  * New upstream version
    - Add SHA2 algorithms to SSL_library_init().
    - aes-x86_64.pl is now PIC, update pic.patch.
  * Add sparc64 support (Closes: #560240)