Last commit made on 2014-10-16
Get this branch:
git clone -b ubuntu/utopic-proposed https://git.launchpad.net/ubuntu/+source/openssl
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

f2e3200... by Marc Deslauriers on 2014-10-16

Import patches-unapplied version 1.0.1f-1ubuntu9 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: 74f6bcfd48ec8fdbf94511d66d64302f0c4214f4

New changelog entries:
  * SECURITY UPDATE: denial of service via DTLS SRTP memory leak
    - debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
      ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
    - CVE-2014-3513
  * SECURITY UPDATE: denial of service via session ticket integrity check
    memory leak
    - debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
    - CVE-2014-3567
  * SECURITY UPDATE: fix the no-ssl3 build option
    - debian/patches/CVE-2014-3568.patch: fix conditional code in
      ssl/s23_clnt.c, ssl/s23_srvr.c.
    - CVE-2014-3568
  * SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
    protocol downgrade attack to SSLv3 that exposes the POODLE attack.
    - debian/patches/tls_fallback_scsv_support.patch: added support for
      TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
      ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
      ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
      ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
      doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.

74f6bcf... by Colin Watson on 2014-09-26

Import patches-unapplied version 1.0.1f-1ubuntu8 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: cfe8f2dc8b404d1a100e02a710fafb75898b0a56

New changelog entries:
  * Backport collected POWER8 optimisations from upstream (LP: #1290579).

cfe8f2d... by Marc Deslauriers on 2014-08-07

Import patches-unapplied version 1.0.1f-1ubuntu7 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: a877b41f93ebb408863230a7e84281df5b67a277

New changelog entries:
  * SECURITY UPDATE: double free when processing DTLS packets
    - debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
    - CVE-2014-3505
  * SECURITY UPDATE: DTLS memory exhaustion
    - debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
      checks in ssl/d1_both.c.
    - CVE-2014-3506
  * SECURITY UPDATE: DTLS memory leak from zero-length fragments
    - debian/patches/CVE-2014-3507.patch: fix memory leak and return codes
      in ssl/d1_both.c.
    - CVE-2014-3507
  * SECURITY UPDATE: information leak in pretty printing functions
    - debian/patches/CVE-2014-3508.patch: fix OID handling in
      crypto/asn1/a_object.c, crypto/objects/obj_dat.c.
    - CVE-2014-3508
  * SECURITY UPDATE: race condition in ssl_parse_serverhello_tlsext
    - debian/patches/CVE-2014-3509.patch: fix race in ssl/t1_lib.c.
    - CVE-2014-3509
  * SECURITY UPDATE: DTLS anonymous EC(DH) denial of service
    - debian/patches/CVE-2014-3510.patch: check for server certs in
      ssl/d1_clnt.c, ssl/s3_clnt.c.
    - CVE-2014-3510
  * SECURITY UPDATE: TLS protocol downgrade attack
    - debian/patches/CVE-2014-3511.patch: properly handle fragments in
    - CVE-2014-3511
  * SECURITY UPDATE: SRP buffer overrun
    - debian/patches/CVE-2014-3512.patch: check parameters in
    - CVE-2014-3512
  * SECURITY UPDATE: crash with SRP ciphersuite in Server Hello message
    - debian/patches/CVE-2014-5139.patch: fix SRP authentication and make
      sure ciphersuite is set up correctly in ssl/s3_clnt.c, ssl/ssl_lib.c,
      ssl/s3_lib.c, ssl/ssl.h, ssl/ssl_ciph.c, ssl/ssl_locl.h.
    - CVE-2014-5139

a877b41... by Marc Deslauriers on 2014-06-20

Import patches-unapplied version 1.0.1f-1ubuntu6 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: a2df3a735ff5fca3f554c576ace13477b05c1d3a

New changelog entries:
  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.

a2df3a7... by Marc Deslauriers on 2014-06-12

Import patches-unapplied version 1.0.1f-1ubuntu5 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: 4dcce801c356f2dd6c6250fc35c72456b1cd01e6

New changelog entries:
  * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
      tls_session_secret_cb for session resumption in ssl/s3_clnt.c.

4dcce80... by Marc Deslauriers on 2014-06-05

Import patches-unapplied version 1.0.1f-1ubuntu4 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: 820d59e08a5cdce3c92833ff685c0a531ebc440f

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via ECDH null session cert
    - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
      before dereferencing it in ssl/s3_clnt.c.
    - CVE-2014-3470

820d59e... by Marc Deslauriers on 2014-05-02

Import patches-unapplied version 1.0.1f-1ubuntu3 to ubuntu/utopic-proposed

Imported using git-ubuntu import.

Changelog parent: 283c453c64c250360030c39da85920cb08c564fc

New changelog entries:
  * SECURITY UPDATE: denial of service via use after free
    - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
      releasing buffers in ssl/s3_pkt.c.
    - CVE-2010-5298
  * SECURITY UPDATE: denial of service via null pointer dereference
    - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
      one in ssl/s3_pkt.c.
    - CVE-2014-0198

283c453... by Marc Deslauriers on 2014-04-07

Import patches-unapplied version 1.0.1f-1ubuntu2 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: b5290b4ebcd2529a215bdd09fca79743de17b591

New changelog entries:
  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

b5290b4... by Marc Deslauriers on 2014-01-08

Import patches-unapplied version 1.0.1f-1ubuntu1 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: 9b44e0604274f4ad4f41925d06399b323a828dd1

New changelog entries:
  * Merge with Debian, remaining changes.
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification on libssl1.0.0
        upgrade on servers.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i586 (on i386)
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
    - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
    - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    - debian/rules: Enable optimized 64bit elliptic curve code contributed
      by Google.
  * Dropped changes:
    - debian/patches/arm64-support: included in debian-targets.patch
    - debian/patches/no_default_rdrand.patch: upstream
    - debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
      disabled in debian/rules

9b44e06... by Kurt Roeckx on 2014-01-06

Import patches-unapplied version 1.0.1f-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ee8afb2435bbea4f6f2ed8e84d1269a6976f0a74

New changelog entries:
  * New upstream version
    - Fix for TLS record tampering bug CVE-2013-4353
    - Drop the snapshot patch
  * update watch file to check for upstream signature and add upstream pgp key.
  * Drop conflicts against openssh since we now on a released version again.