ubuntu/+source/openssl:ubuntu/wily-security

Last commit made on 2016-05-03
Get this branch:
git clone -b ubuntu/wily-security https://git.launchpad.net/ubuntu/+source/openssl
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/wily-security
Repository:
lp:ubuntu/+source/openssl

Recent commits

bfd104f... by Marc Deslauriers on 2016-04-28

Import patches-unapplied version 1.0.2d-0ubuntu1.5 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 13936c8cec843cb8e3f4b7a71c6083e788b23992

New changelog entries:
  * SECURITY UPDATE: EVP_EncodeUpdate overflow
    - debian/patches/CVE-2016-2105.patch: properly check lengths in
      crypto/evp/encode.c, add documentation to
      doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
    - CVE-2016-2105
  * SECURITY UPDATE: EVP_EncryptUpdate overflow
    - debian/patches/CVE-2016-2106.patch: fix overflow in
      crypto/evp/evp_enc.c.
    - CVE-2016-2106
  * SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
    - debian/patches/CVE-2016-2107.patch: check that there are enough
      padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c,
      crypto/evp/e_aes_cbc_hmac_sha256.c.
    - CVE-2016-2107
  * SECURITY UPDATE: Memory corruption in the ASN.1 encoder
    - debian/patches/CVE-2016-2108.patch: fix ASN1_INTEGER handling in
      crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
      crypto/asn1/tasn_enc.c.
    - CVE-2016-2108
  * SECURITY UPDATE: ASN.1 BIO excessive memory allocation
    - debian/patches/CVE-2016-2109.patch: properly handle large amounts of
      data in crypto/asn1/a_d2i_fp.c.
    - CVE-2016-2109
  * debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
    to 1024.

13936c8... by Marc Deslauriers on 2016-02-29

Import patches-unapplied version 1.0.2d-0ubuntu1.4 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: c14b5920b8d82ce37e882dd365010eb0c4e728b6

New changelog entries:
  * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/rsaz-avx2.pl, crypto/bn/asm/rsaz-x86_64.pl,
      crypto/bn/asm/x86_64-mont.pl, crypto/bn/asm/x86_64-mont5.pl,
      crypto/bn/bn_exp.c.
    - CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
    - debian/patches/CVE-2016-0705.patch: fix double-free in
      crypto/dsa/dsa_ameth.c.
    - CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    - debian/patches/CVE-2016-0797.patch: prevent overflow in
      crypto/bn/bn_print.c, crypto/bn/bn.h.
    - CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
    - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
      introduce new SRP_VBASE_get1_by_user function that handled seed
      properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
      util/libeay.num, openssl.ld.
    - CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
    - debian/patches/CVE-2016-0799.patch: prevent overflow in
      crypto/bio/b_print.c.
    - CVE-2016-0799

c14b592... by Marc Deslauriers on 2016-01-25

Import patches-unapplied version 1.0.2d-0ubuntu1.3 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: 50c86e81a476a53eb63afc0ec942ac6faf833c01

New changelog entries:
  * SECURITY UPDATE: DH small subgroups issue
    - debian/patches/CVE-2016-0701.patch: add a test for small subgroup
      attacks in crypto/dh/dhtest.c, always generate DH keys for ephemeral
      DH cipher suites in doc/ssl/SSL_CTX_set_tmp_dh_callback.pod,
      ssl/s3_lib.c, ssl/s3_srvr.c, ssl/ssl.h, prevent small subgroup
      attacks on DH/DHE in crypto/dh/dh.h, crypto/dh/dh_check.c.
    - CVE-2016-0701

50c86e8... by Marc Deslauriers on 2015-12-04

Import patches-unapplied version 1.0.2d-0ubuntu1.2 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: c9808f930009c7640aebe9775853a9d0925f626e

New changelog entries:
  * SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
    - debian/patches/CVE-2015-3193.patch: fix carry propagating bug in
      crypto/bn/asm/x86_64-mont5.pl, added test to crypto/bn/bntest.c.
    - CVE-2015-3193
  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
    - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
      crypto/rsa/rsa_ameth.c.
    - CVE-2015-3194
  * SECURITY UPDATE: X509_ATTRIBUTE memory leak
    - debian/patches/CVE-2015-3195.patch: fix leak in
      crypto/asn1/tasn_dec.c.
    - CVE-2015-3195
  * SECURITY UPDATE: Anon DH ServerKeyExchange with 0 p parameter
    - debian/patches/CVE-2015-1794.patch: fix segfault with 0 p val and
      check for 0 modulus in crypto/bn/bn_mont.c, ssl/s3_clnt.c.
    - CVE-2015-1794

c9808f9... by Marc Deslauriers on 2015-07-09

Import patches-unapplied version 1.0.2d-0ubuntu1 to ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: 8a68e19417f7cddb07447ca740adf3907584434e

New changelog entries:
  * SECURITY UPDATE: alternative chains certificate forgery
    - Updated to new upstream version
    - CVE-2015-1793

8a68e19... by Marc Deslauriers on 2015-06-15

Import patches-unapplied version 1.0.2c-1ubuntu1 to ubuntu/wily-proposed

Imported using git-ubuntu import.

Changelog parent: 4fffa3ea00956afca195c05393c8fa7e61a651d9

New changelog entries:
  * Merge with Debian, remaining changes.
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification on libssl1.0.0
        upgrade on servers.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i586 (on i386)
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
    - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
    - debian/rules: Enable optimized 64bit elliptic curve code contributed
      by Google.

4fffa3e... by Kurt Roeckx on 2015-06-12

Import patches-unapplied version 1.0.2c-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 3145a06d8459d711b6e88c62f37d4f3f431e55e0

New changelog entries:
  * New upstream version
    - Fixes ABI (Closes: #788511)

3145a06... by Kurt Roeckx on 2015-06-11

Import patches-unapplied version 1.0.2b-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 75375d6b21d1124f27e660e65de05ea266232487

New changelog entries:
  * New upstream version
    - Fix CVE-2015-4000
    - Fix CVE-2015-1788
    - Fix CVE-2015-1789
    - Fix CVE-2015-1790
    - Fix CVE-2015-1792
    - Fix CVE-2015-1791
  * Update c_rehash-compat.patch to make it apply to the new version.
  * Remove openssl-pod-misspell.patch applied upstream

75375d6... by Kurt Roeckx on 2015-04-30

Import patches-unapplied version 1.0.2a-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 43acc8a1b41c1468ff4f518043783a21cd9058eb

New changelog entries:
  * New upstrema version
    - Fix CVE-2015-0286
    - Fix CVE-2015-0287
    - Fix CVE-2015-0289
    - Fix CVE-2015-0293 (not affected, SSLv2 disabled)
    - Fix CVE-2015-0209
    - Fix CVE-2015-0288
    - Fix CVE-2015-0291
    - Fix CVE-2015-0290
    - Fix CVE-2015-0207
    - Fix CVE-2015-0208
    - Fix CVE-2015-1787
    - Fix CVE-2015-0285
  * Temporary enable SSLv3 methods again, but they will go away.
  * Don't set TERMIO anymore, use the default TERMIOS instead.

43acc8a... by Kurt Roeckx on 2015-01-23

Import patches-unapplied version 1.0.2-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 43365776f181ba1ecf99608da4e43562f19bb7e4

New changelog entries:
  * New upstream release
    - Fixes CVE-2014-3571
    - Fixes CVE-2015-0206
    - Fixes CVE-2014-3569
    - Fixes CVE-2014-3572
    - Fixes CVE-2015-0204
    - Fixes CVE-2015-0205
    - Fixes CVE-2014-8275
    - Fixes CVE-2014-3570
    - Drop git_snapshot.patch
  * Drop gnu_source.patch, dgst_hmac.patch, stddef.patch,
    no_ssl3_method.patch: applied upstream
  * Update patches to apply