~ubuntu-branches/ubuntu/saucy/openssl/saucy-updates : changes

~ubuntu-branches/ubuntu/saucy/openssl/saucy-updates » Changes from revision 102

From Revision 102 to 83

Rev	Summary	Authors	Tags	Date
102	* SECURITY UPDATE: regression with certain renegotiations (L... * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643) - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after sending finished ssl/s3_clnt.c.	Marc Deslauriers	1.0.1e-3ubuntu1.6	9 years ago
101	* SECURITY UPDATE: regression with tls_session_secret_cb (LP... * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297) - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using tls_session_secret_cb for session resumption in ssl/s3_clnt.c.	Marc Deslauriers	1.0.1e-3ubuntu1.5	9 years ago
100	* SECURITY UPDATE: arbitrary code execution via DTLS invalid... * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS fragments in ssl/d1_both.c. - CVE-2014-0195 * SECURITY UPDATE: denial of service via DTLS recursion flaw - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without recursion in ssl/d1_both.c. - CVE-2014-0221 * SECURITY UPDATE: MITM via change cipher spec - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, ssl/ssl3.h. - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master secrets in ssl/s3_pkt.c. - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in ssl/s3_clnt.c. - CVE-2014-0224 * SECURITY UPDATE: denial of service via ECDH null session cert - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL before dereferencing it in ssl/s3_clnt.c. - CVE-2014-3470	Marc Deslauriers	1.0.1e-3ubuntu1.4	9 years ago
99	* SECURITY UPDATE: denial of service via use after free * SECURITY UPDATE: denial of service via use after free - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before releasing buffers in ssl/s3_pkt.c. - CVE-2010-5298 * SECURITY UPDATE: denial of service via null pointer dereference - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new one in ssl/s3_pkt.c. - CVE-2014-0198	Marc Deslauriers	1.0.1e-3ubuntu1.3	9 years ago
98	* SECURITY UPDATE: side-channel attack on Montgomery ladder ... * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation - debian/patches/CVE-2014-0076.patch: add and use constant time swap in crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c, util/libeay.num. - CVE-2014-0076 * SECURITY UPDATE: memory disclosure in TLS heartbeat extension - debian/patches/CVE-2014-0160.patch: use correct lengths in ssl/d1_both.c, ssl/t1_lib.c. - CVE-2014-0160	Marc Deslauriers	1.0.1e-3ubuntu1.2	10 years ago
97	* SECURITY UPDATE: denial of service via invalid TLS handsha... * SECURITY UPDATE: denial of service via invalid TLS handshake - debian/patches/CVE-2013-4353.patch: handle no new cipher setup in ssl/s3_both.c. - CVE-2013-4353 * SECURITY UPDATE: denial of service via incorrect data structure - debian/patches/CVE-2013-6449.patch: check for handshake digests in ssl/s3_both.c,ssl/s3_pkt.c,ssl/t1_enc.c, use proper version in ssl/s3_lib.c. - CVE-2013-6449 * SECURITY UPDATE: denial of service via DTLS retransmission - debian/patches/CVE-2013-6450.patch: fix DTLS retransmission in crypto/evp/digest.c,ssl/d1_both.c,ssl/s3_pkt.c,ssl/s3_srvr.c, ssl/ssl_locl.h,ssl/t1_enc.c. - CVE-2013-6450 * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as default unless explicitly requested.	Marc Deslauriers	1.0.1e-3ubuntu1.1	10 years ago
96	* Merge with Debian, remaining changes. * Merge with Debian, remaining changes. - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially multiple certificates rather than exactly one. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly code. - debian/patches/arm64-support: Add basic arm64 support (no assembler) - debian/rules: Enable optimized 64bit elliptic curve code contributed by Google. * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 in test suite since we disable it in the client. * Disable compression to avoid CRIME systemwide (CVE-2012-4929). * Dropped changes: - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.	Matthias Klose	1.0.1e-3ubuntu1	10 years ago
95	* SECURITY UPDATE: Disable compression to avoid CRIME system... * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195) - CVE-2012-4929 - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of zlib to compress SSL/TLS unless the environment variable OPENSSL_DEFAULT_ZLIB is set in the environment during library initialization. - Introduced to assist with programs not yet updated to provide their own controls on compression, such as Postfix - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch	Seth Arnold	1.0.1e-2ubuntu1.1	10 years ago
94	* Resynchronise with Debian unstable. Remaining changes: * Resynchronise with Debian unstable. Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially multiple certificates rather than exactly one. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly code. - debian/patches/arm64-support: Add basic arm64 support (no assembler) - debian/rules: Enable optimized 64bit elliptic curve code contributed by Google. * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 in test suite since we disable it in the client. * Dropped changes: - debian/patches/CVE-2013-0169.patch: upstream. - debian/patches/fix_key_decoding_deadlock.patch: upstream. - debian/patches/CVE-2013-0166.patch: upstream.	Marc Deslauriers	1.0.1e-2ubuntu1	10 years ago
93	* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS ... * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra commit from upstream to fix regression. - CVE-2013-0169	Marc Deslauriers	1.0.1c-4ubuntu8	11 years ago
92	Enable optimized 64bit elliptic curve code contributed by Go... Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)	Dmitrijs Ledkovs	1.0.1c-4ubuntu7	11 years ago
91	debian/patches/fix_key_decoding_deadlock.patch: Fix possible... debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock when decoding public keys. (LP: #1066032)	Marc Deslauriers	1.0.1c-4ubuntu6	11 years ago
90	* REGRESSION FIX: decryption errors on AES-NI hardware (LP: ... * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873, LP: #1133333) - debian/patches/CVE-2013-0169.patch: disabled for now until fix is available from upstream.	Marc Deslauriers	1.0.1c-4ubuntu5	11 years ago
89	* SECURITY UPDATE: denial of service via invalid OCSP key * SECURITY UPDATE: denial of service via invalid OCSP key - debian/patches/CVE-2013-0166.patch: properly handle NULL key in crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. - CVE-2013-0166 * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: massive code changes - CVE-2013-0169 * SECURITY UPDATE: denial of service via AES-NI and crafted CBC data - Fix included in CVE-2013-0169 patch - CVE-2012-2686	Marc Deslauriers	1.0.1c-4ubuntu4	11 years ago
88	Add basic arm64 support (no assembler) (LP: #1102107) Add basic arm64 support (no assembler) (LP: #1102107)	Wookey	1.0.1c-4ubuntu3	11 years ago
87	Enable arm assembly code. (LP: #1083498) (Closes: #676533) Enable arm assembly code. (LP: #1083498) (Closes: #676533)	Dmitrijs Ledkovs	1.0.1c-4ubuntu2	11 years ago
86	* Resynchronise with Debian (LP: #1077228). Remaining chang... * Resynchronise with Debian (LP: #1077228). Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially multiple certificates rather than exactly one. - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* * Dropped changes: - Drop openssl-doc in favour of the libssl-doc package introduced by Debian. Add Conflicts/Replaces until the next LTS release. + Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS release'	Tyler Hicks	1.0.1c-4ubuntu1	11 years ago
85	[ Tyler Hicks <tyhicks@canonical.com> ] [ Tyler Hicks <tyhicks@canonical.com> ] * debian/patches/tls12_workarounds.patch: Readd the change to check TLS1_get_client_version rather than TLS1_get_version to fix incorrect client hello cipher list truncation when TLS 1.1 and lower is in use. (LP: #1051892) [ Micah Gersten <micahg@ubuntu.com> ] * Mark Debian Vcs-* as XS-Debian-Vcs-* - update debian/control	Tyler Hicks	1.0.1c-3ubuntu2	11 years ago
84	* Resynchronise with Debian. Remaining changes: * Resynchronise with Debian. Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially multiple certificates rather than exactly one. - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. - debian/patches/tls12_workarounds.patch: workaround large client hello issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and with -DOPENSSL_NO_TLS1_2_CLIENT. * Dropped upstreamed patches: - debian/patches/CVE-2012-2110.patch - debian/patches/CVE-2012-2110b.patch - debian/patches/CVE-2012-2333.patch - debian/patches/CVE-2012-0884-extra.patch - most of debian/patches/tls12_workarounds.patch	Marc Deslauriers	1.0.1c-3ubuntu1	11 years ago
83	* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.... * SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and TLS v1.2 implementation - debian/patches/CVE_2012-2333.patch: guard for integer overflow before skipping explicit IV - CVE-2012-2333 * debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen properly when encrypting CMS messages.	Steve Beattie	1.0.1-4ubuntu6	11 years ago

Older »