[ubuntu/vivid-proposed] openssl 1.0.1f-1ubuntu10 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Fri Jan 9 17:47:15 UTC 2015 

openssl (1.0.1f-1ubuntu10) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via unexpected handshake when
    no-ssl3 build option is used (not the default)
    - debian/patches/CVE-2014-3569.patch: keep the old method for now in
      ssl/s23_srvr.c.
    - CVE-2014-3569
  * SECURITY UPDATE: bignum squaring may produce incorrect results
    - debian/patches/CVE-2014-3570.patch: fix bignum logic in
      crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,
      crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to
      crypto/bn/bntest.c.
    - CVE-2014-3570
  * SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record
    - debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c,
      ssl/s3_pkt.c.
    - debian/patches/CVE-2014-3571-2.patch: make code more obvious in
      ssl/d1_pkt.c.
    - CVE-2014-3571
  * SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client]
    - debian/patches/CVE-2014-3572.patch: don't skip server key exchange in
      ssl/s3_clnt.c.
    - CVE-2014-3572
  * SECURITY UPDATE: certificate fingerprints can be modified
    - debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in
      crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c,
      crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c,
      crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h,
      crypto/x509/x_all.c.
    - CVE-2014-8275
  * SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client]
    - debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in
      export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c,
      ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod,
      doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.
    - CVE-2015-0204
  * SECURITY UPDATE: DH client certificates accepted without verification
    - debian/patches/CVE-2015-0205.patch: prevent use of DH client
      certificates without sending certificate verify message in
      ssl/s3_srvr.c.
    - CVE-2015-0205
  * SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record
    - debian/patches/CVE-2015-0206.patch: properly handle failures in
      ssl/d1_pkt.c.
    - CVE-2015-0206

Date: Fri, 09 Jan 2015 08:04:57 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu10
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Jan 2015 08:04:57 -0500
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source
Version: 1.0.1f-1ubuntu10
Distribution: vivid
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 libssl1.0.0-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (1.0.1f-1ubuntu10) vivid; urgency=medium
 .
   * SECURITY UPDATE: denial of service via unexpected handshake when
     no-ssl3 build option is used (not the default)
     - debian/patches/CVE-2014-3569.patch: keep the old method for now in
       ssl/s23_srvr.c.
     - CVE-2014-3569
   * SECURITY UPDATE: bignum squaring may produce incorrect results
     - debian/patches/CVE-2014-3570.patch: fix bignum logic in
       crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,
       crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to
       crypto/bn/bntest.c.
     - CVE-2014-3570
   * SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record
     - debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c,
       ssl/s3_pkt.c.
     - debian/patches/CVE-2014-3571-2.patch: make code more obvious in
       ssl/d1_pkt.c.
     - CVE-2014-3571
   * SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client]
     - debian/patches/CVE-2014-3572.patch: don't skip server key exchange in
       ssl/s3_clnt.c.
     - CVE-2014-3572
   * SECURITY UPDATE: certificate fingerprints can be modified
     - debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in
       crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c,
       crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c,
       crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h,
       crypto/x509/x_all.c.
     - CVE-2014-8275
   * SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client]
     - debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in
       export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c,
       ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod,
       doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.
     - CVE-2015-0204
   * SECURITY UPDATE: DH client certificates accepted without verification
     - debian/patches/CVE-2015-0205.patch: prevent use of DH client
       certificates without sending certificate verify message in
       ssl/s3_srvr.c.
     - CVE-2015-0205
   * SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record
     - debian/patches/CVE-2015-0206.patch: properly handle failures in
       ssl/d1_pkt.c.
     - CVE-2015-0206
Checksums-Sha1:
 bd4ce8d3b500285f93e2ee28140a8463e175d665 2421 openssl_1.0.1f-1ubuntu10.dsc
 3ac7acb4ef23671c0e396d2f68a8dc0615b6357f 153868 openssl_1.0.1f-1ubuntu10.debian.tar.xz
Checksums-Sha256:
 d6f7548331108b7f504dcf47b2f162bab33ec09d9de4d4325d58a1a2f49d032b 2421 openssl_1.0.1f-1ubuntu10.dsc
 154e6aa383dbeef7062aa6591c7eda4eea6100a5403ff7d3ae01e5f57c3d9adc 153868 openssl_1.0.1f-1ubuntu10.debian.tar.xz
Files:
 cb47c1e12cccd3220f1e6677250ca2a9 2421 utils optional openssl_1.0.1f-1ubuntu10.dsc
 58de7586788c1e0a1b7e6d4834f13d9b 153868 utils optional openssl_1.0.1f-1ubuntu10.debian.tar.xz
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUsBDuAAoJEGVp2FWnRL6TsTcQAIiccD6q5V47n6IoD3zpGPBc
oUkTHEiLTkKucezUb2OzNo1Ekanpks3PLM9kGRfGGNFPG6IT0N4JOD4j98EqkFEt
jLYiSQrGId3eL1k0WOM4BgU1caJHQgPFroLkKWt0Suo6YbEo2FEEJXMTNWy+R4Me
/7UpmeRETB9oK2eQ9Je40GtkinQjFQIk9vsfoMfDQSzfxUH8oEf6XHjZKz9fEhfA
yRGfbSDheTXchZ7SuEeB85qeOxjKgKpY7HzSmYjJmIKbCgAXzvml7EJPTRCamU2C
H+uLFijgGRY1wSwGQz7+y8pgmdG6b0Dff4VGI6nrZ8dW1HhmpzOHTwUYkW7GzAc1
oYNt31ak46unR4ezapiB1qVHZiJWi8lW3rejGp+p3jE6qqEpkbx7DxBVi4RfRTDh
K5ZJq9Bj4tIJ2NN2MOdhtQNyJ5h62QK7fXbggdortZkbhMMaXraDKD3C7qc7clQV
enUzDo2DXEHWHSgjFBs/1reFHfcDXhTELxh9X8EhbZR1xR3iBwrZzwL9V9+0hQZx
Mv5+3GWpfpSXNM0R3WJFp6WGPqqeRYIVrzv1b/YnIkjvj1duf+RVq/D5LKg2IUxK
BhmOwLmK2Ymj6/rv7R1yk1sDwsY9h1mgm7pYsdnjiBbIUIhxGvptAfXxtyZBcCIh
cIxv72uRo5ldvE/He26k
=ejcA
-----END PGP SIGNATURE-----

More information about the Vivid-changes mailing list