[ubuntu/utopic-proposed] openssl 1.0.1f-1ubuntu4 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Thu Jun 5 14:06:14 UTC 2014


openssl (1.0.1f-1ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via ECDH null session cert
    - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
      before dereferencing it in ssl/s3_clnt.c.
    - CVE-2014-3470

Date: Thu, 05 Jun 2014 08:39:17 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/utopic/+source/openssl/1.0.1f-1ubuntu4
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jun 2014 08:39:17 -0400
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source
Version: 1.0.1f-1ubuntu4
Distribution: utopic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description: 
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 libssl1.0.0-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Changes: 
 openssl (1.0.1f-1ubuntu4) utopic; urgency=medium
 .
   * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
     - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
       fragments in ssl/d1_both.c.
     - CVE-2014-0195
   * SECURITY UPDATE: denial of service via DTLS recursion flaw
     - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
       recursion in ssl/d1_both.c.
     - CVE-2014-0221
   * SECURITY UPDATE: MITM via change cipher spec
     - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
       when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
       ssl/ssl3.h.
     - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
       secrets in ssl/s3_pkt.c.
     - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
       ssl/s3_clnt.c.
     - CVE-2014-0224
   * SECURITY UPDATE: denial of service via ECDH null session cert
     - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
       before dereferencing it in ssl/s3_clnt.c.
     - CVE-2014-3470
Checksums-Sha1: 
 17e12f3dc754310cb9534417cb84107b2d1230ea 2418 openssl_1.0.1f-1ubuntu4.dsc
 71f164232fdd66b7c7fd89ca3591581bc47d3333 97880 openssl_1.0.1f-1ubuntu4.debian.tar.xz
Checksums-Sha256: 
 93984582fe406334d3e6865164a090f332101929e33de347fd77b51cbc34c660 2418 openssl_1.0.1f-1ubuntu4.dsc
 bd75b685be5139ef1c5773f977cdeb247cc2d95e62a02ab778fa14e83baf8503 97880 openssl_1.0.1f-1ubuntu4.debian.tar.xz
Files: 
 6e158ceca56e12e93df55b09aa821242 2418 utils optional openssl_1.0.1f-1ubuntu4.dsc
 8e879e469968e95e31477cbf1eeb7161 97880 utils optional openssl_1.0.1f-1ubuntu4.debian.tar.xz
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

