ubuntu/+source/openssl:ubuntu/oneiric-security

Last commit made on 2013-02-21
Get this branch:
git clone -b ubuntu/oneiric-security https://git.launchpad.net/ubuntu/+source/openssl

Branch information

Name: ubuntu/oneiric-security
Repository: lp:ubuntu/+source/openssl

Recent commits

a778190... by Marc Deslauriers on 2013-02-18

Import patches-unapplied version 1.0.0e-2ubuntu4.7 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 6c9ee61a5f1e66e3bc866ffae7ceb42279e639fb

New changelog entries:
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169

6c9ee61... by Steve Beattie on 2012-05-22

Import patches-unapplied version 1.0.0e-2ubuntu4.6 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 279bb807d9e793fb16e15dd8ad65bc2de19e89e9

New changelog entries:
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - CVE-2012-0884
  * debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
    errors in PKCS7_decrypt and initialize tkeylen properly when
    encrypting CMS messages.

279bb80... by Jamie Strandboge on 2012-04-24

Import patches-unapplied version 1.0.0e-2ubuntu4.5 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: a916b69e4d1f879932ab87acf5470a16024f8459

New changelog entries:
  * debian/patches/CVE-2012-2110b.patch: Use correct error code in
    BUF_MEM_grow_clean()

a916b69... by Jamie Strandboge on 2012-04-19

Import patches-unapplied version 1.0.0e-2ubuntu4.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 3fec1ddf939f490671bcd9c8f8d664cf5b64e84a

New changelog entries:
  * SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
    headers
    - debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
      and mime_param_cmp() to not dereference the compared strings if either
      is NULL
    - CVE-2006-7250
    - CVE-2012-1165
  * SECURITY UPDATE: fix various overflows
    - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
      crypto/buffer.c and crypto/mem.c to verify size of lengths
    - CVE-2012-2110

3fec1dd... by Steve Beattie on 2012-02-09

Import patches-unapplied version 1.0.0e-2ubuntu4.2 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: c8a539ee9908241d4ad4c3ffa99552deecb5f6e2

New changelog entries:
  * SECURITY UPDATE: DTLS plaintext recovery attack
    - debian/patches/CVE-2011-4108.patch: perform all computations
      before discarding messages
    - CVE-2011-4108
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - debian/patches/CVE-2011-4576.patch: clear bytes used for block
      padding of SSL 3.0 records.
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
      data from triggering an assertion failure
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
      restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: GOST block cipher denial of service
    - debian/patches/CVE-2012-0027.patch: check GOST parameters are
      not NULL
    - CVE-2012-0027
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
    - CVE-2012-0050

c8a539e... by Marc Deslauriers on 2011-10-04

Import patches-unapplied version 1.0.0e-2ubuntu4 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: a79ab0f819ac70b12dd0d8afcff0630c8ca45257

New changelog entries:
  * The previous change moved the notification to major upgrades only, but
    in fact, we do want the sysadmin to be notified when security updates
    are installed, without having services automatically restarted.
    (LP: #244250)

a79ab0f... by Anders Kaseorg on 2011-10-04

Import patches-unapplied version 1.0.0e-2ubuntu3 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: 6fa771d3f568bb62efa7f646268e018a9295db6a

New changelog entries:
  * Only issue a restart required notification on important upgrades, and
    not other actions such as reconfiguration or initial installation.
    (LP: #244250)

6fa771d... by Loïc Minier on 2011-09-27

Import patches-unapplied version 1.0.0e-2ubuntu2 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: f9621ec40f5083f72b5bacf303926a625ff21374

New changelog entries:
  * Unapply patch c_rehash-multi and comment it out in the series as it breaks
    parsing of certificates with CRLF line endings and other cases (see
    Debian #642314 for discussion); it also changes the semantics of c_rehash
    directories by requiring applications to parse hash link targets as files
    containing potentially *multiple* certificates rather than exactly one.
    LP: #855454.

f9621ec... by Steve Beattie on 2011-09-15

Import patches-unapplied version 1.0.0e-2ubuntu1 to ubuntu/oneiric

Imported using git-ubuntu import.

Changelog parent: 6862a2acd21bc2707b43339c7ae5cd9f34cc2826

New changelog entries:
  * Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
    CVE-2011-3210 (LP: #850608). Remaining changes:
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification bubble on libssl1.0.0
        upgrade.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
      http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
      0.9.8 variant.
    - debian/patches/Bsymbolic-functions.patch: Link using
      -Bsymbolic-functions.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i486, i586 (on
        i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
  * debian/libssl1.0.0.postinst: only display restart notification on
    servers (LP: #244250)

6862a2a... by Kurt Roeckx on 2011-09-10

Import patches-unapplied version 1.0.0e-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2ed4d285ebd0c4d6e16ba2b3628f12017bd81ae4

New changelog entries:
  * Add a missing $(DEB_HOST_MULTIARCH)