[ubuntu/karmic] openssl 0.9.8g-16ubuntu2 (Accepted)
Jamie Strandboge
jamie at ubuntu.com
Fri Jul 10 21:40:13 BST 2009
openssl (0.9.8g-16ubuntu2) karmic; urgency=low
* Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by
Marc Deslauriers)
* SECURITY UPDATE: denial of service via memory consumption from large
number of future epoch DTLS records.
- crypto/pqueue.*: add new pqueue_size counter function.
- ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
- http://cvs.openssl.org/chngview?cn=18187
- CVE-2009-1377
* SECURITY UPDATE: denial of service via memory consumption from
duplicate or invalid sequence numbers in DTLS records.
- ssl/d1_both.c: discard message if it's a duplicate or too far in the
future.
- http://marc.info/?l=openssl-dev&m=124263491424212&w=2
- CVE-2009-1378
* SECURITY UPDATE: denial of service or other impact via use-after-free
in dtls1_retrieve_buffered_fragment.
- ssl/d1_both.c: use temp frag_len instead of freed frag.
- http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
- CVE-2009-1379
* SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
that occurs before ClientHello.
- ssl/s3_pkt.c: abort if s->session is NULL.
- ssl/{ssl.h,ssl_err.c}: add new error codes.
- http://cvs.openssl.org/chngview?cn=17369
- CVE-2009-1386
* SECURITY UPDATE: denial of service via an out-of-sequence DTLS
handshake message.
- ssl/d1_both.c: don't buffer fragments with no data.
- http://cvs.openssl.org/chngview?cn=17958
- CVE-2009-1387
Date: Fri, 10 Jul 2009 14:44:47 -0500
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/karmic/+source/openssl/0.9.8g-16ubuntu2
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 10 Jul 2009 14:44:47 -0500
Source: openssl
Binary: openssl openssl-doc libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source
Version: 0.9.8g-16ubuntu2
Distribution: karmic
Urgency: low
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
openssl-doc - Secure Socket Layer (SSL) documentation
Changes:
openssl (0.9.8g-16ubuntu2) karmic; urgency=low
.
* Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by
Marc Deslauriers)
* SECURITY UPDATE: denial of service via memory consumption from large
number of future epoch DTLS records.
- crypto/pqueue.*: add new pqueue_size counter function.
- ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
- http://cvs.openssl.org/chngview?cn=18187
- CVE-2009-1377
* SECURITY UPDATE: denial of service via memory consumption from
duplicate or invalid sequence numbers in DTLS records.
- ssl/d1_both.c: discard message if it's a duplicate or too far in the
future.
- http://marc.info/?l=openssl-dev&m=124263491424212&w=2
- CVE-2009-1378
* SECURITY UPDATE: denial of service or other impact via use-after-free
in dtls1_retrieve_buffered_fragment.
- ssl/d1_both.c: use temp frag_len instead of freed frag.
- http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
- CVE-2009-1379
* SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
that occurs before ClientHello.
- ssl/s3_pkt.c: abort if s->session is NULL.
- ssl/{ssl.h,ssl_err.c}: add new error codes.
- http://cvs.openssl.org/chngview?cn=17369
- CVE-2009-1386
* SECURITY UPDATE: denial of service via an out-of-sequence DTLS
handshake message.
- ssl/d1_both.c: don't buffer fragments with no data.
- http://cvs.openssl.org/chngview?cn=17958
- CVE-2009-1387
Checksums-Sha1:
51fb52d658e21aa0f5526f03001179e7712b1fe9 1429 openssl_0.9.8g-16ubuntu2.dsc
5b0b97f172fdcf300a2b3a7be0c70d8780548e63 61210 openssl_0.9.8g-16ubuntu2.diff.gz
Checksums-Sha256:
6971679e0920f3d366762b3632ce222247ba37a2e05819c2e95f6359bf8cbfa9 1429 openssl_0.9.8g-16ubuntu2.dsc
6113e5b3425c9c84c89bdf9cdcb707b3ea777559617c3b2e0757cade13231b1d 61210 openssl_0.9.8g-16ubuntu2.diff.gz
Files:
bb42a86bbec3b4c2ed284e954cd5ac07 1429 utils optional openssl_0.9.8g-16ubuntu2.dsc
fe04b5d35989d49e08b7890723e48847 61210 utils optional openssl_0.9.8g-16ubuntu2.diff.gz
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpXpasACgkQW0JvuRdL8Bqf6wCfbjl7uaORO4ysFE5/NiGGAXFr
gVMAn2jJ6zTV9QPKoq2+uo0QKarJME+I
=MB2l
-----END PGP SIGNATURE-----
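The two buffering limits that the changelog above describes (cap the queue of not-yet-deliverable DTLS records at 100 entries, and drop records whose sequence number is a duplicate or too far in the future) sketched as an added illustration in C. This is not OpenSSL's code and not part of the original message: the queue layout, the 256-record forward window, the verdict names and every function name are assumptions made for the example. OpenSSL applies the two checks in separate places (the future-epoch record pqueue in ssl/d1_pkt.c and handshake fragments in ssl/d1_both.c); here they are combined in one queue to show why each one is needed.

```c
/* Added example, not OpenSSL's code: a bounded buffer for out-of-order DTLS
 * records with the two mitigations from the changelog. MAX_BUFFERED mirrors
 * the pqueue_size limit of 100; FUTURE_WINDOW and all names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUFFERED  100   /* hard cap on queued records, as in the fix */
#define FUTURE_WINDOW 256   /* assumed: max distance ahead of next_seq we hold */

enum verdict {
    ACCEPTED = 0,
    REJECT_DUPLICATE,   /* already delivered or already queued */
    REJECT_TOO_FAR,     /* further ahead than FUTURE_WINDOW */
    REJECT_QUEUE_FULL   /* MAX_BUFFERED records already held */
};

struct record {
    uint64_t seq;
    size_t len;
    unsigned char *data;
    struct record *next;
};

struct record_queue {
    struct record *head;   /* singly linked, sorted by seq ascending */
    size_t size;           /* explicit counter, like the pqueue_size the fix adds */
    uint64_t next_seq;     /* sequence number the reader expects next */
};

void queue_init(struct record_queue *q, uint64_t next_seq)
{
    q->head = NULL;
    q->size = 0;
    q->next_seq = next_seq;
}

static int queue_contains(const struct record_queue *q, uint64_t seq)
{
    const struct record *r;
    for (r = q->head; r != NULL && r->seq <= seq; r = r->next)
        if (r->seq == seq)
            return 1;
    return 0;
}

/* Decide whether an out-of-order record may be buffered, and buffer it. */
enum verdict queue_buffer(struct record_queue *q, uint64_t seq,
                          const unsigned char *data, size_t len)
{
    struct record *r, **link;

    /* Replays cost nothing: a seq already consumed or already held is dropped. */
    if (seq < q->next_seq || queue_contains(q, seq))
        return REJECT_DUPLICATE;
    /* A peer cannot reserve memory with arbitrary far-future sequence numbers. */
    if (seq - q->next_seq > FUTURE_WINDOW)
        return REJECT_TOO_FAR;
    /* Even in-window records are bounded: no unbounded growth while waiting
       for the missing record or the next epoch to arrive. */
    if (q->size >= MAX_BUFFERED)
        return REJECT_QUEUE_FULL;

    r = malloc(sizeof *r);
    if (r == NULL)
        return REJECT_QUEUE_FULL;
    r->data = malloc(len ? len : 1);
    if (r->data == NULL) {
        free(r);
        return REJECT_QUEUE_FULL;
    }
    memcpy(r->data, data, len);
    r->seq = seq;
    r->len = len;
    /* Sorted insert keeps the next deliverable record at the head. */
    for (link = &q->head; *link != NULL && (*link)->seq < seq; link = &(*link)->next)
        ;
    r->next = *link;
    *link = r;
    q->size++;
    return ACCEPTED;
}

/* Deliver the record with seq == next_seq if it is buffered; caller frees *data. */
int queue_pop_next(struct record_queue *q, unsigned char **data, size_t *len)
{
    struct record *r = q->head;
    if (r == NULL || r->seq != q->next_seq)
        return 0;
    q->head = r->next;
    q->size--;
    q->next_seq++;
    *data = r->data;
    *len = r->len;
    free(r);
    return 1;
}

void queue_free(struct record_queue *q)
{
    while (q->head != NULL) {
        struct record *r = q->head;
        q->head = r->next;
        free(r->data);
        free(r);
    }
    q->size = 0;
}

/* Flood with `count` distinct in-window records starting at next_seq + 1, so
   none is deliverable; returns how many the cap let through. */
size_t demo_flood(size_t count)
{
    struct record_queue q;
    unsigned char payload[16] = {0};   /* constructed sample record body */
    size_t i, accepted = 0;
    queue_init(&q, 1);
    for (i = 0; i < count; i++)
        if (queue_buffer(&q, 2 + i, payload, sizeof payload) == ACCEPTED)
            accepted++;
    queue_free(&q);
    return accepted;
}

int main(void)
{
    printf("150 undeliverable records offered, %zu buffered\n", demo_flood(150));
    return 0;
}
```

Without the size check an attacker who never sends the missing record can make the queue grow one allocation per packet; without the window and duplicate checks the same attacker can choose sequence numbers to defeat any per-window accounting. Both limits together make the memory a peer can pin a small constant.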
More information about the Karmic-changes mailing list