openssl (0.9.7g-1ubuntu1.5) breezy-security; urgency=low

  * SECURITY UPDATE: Previous update did not completely fix CVE-2006-2940.
  * crypto/rsa/rsa_eay.c: Apply max. modulus bits checking to
    RSA_eay_public_decrypt() instead of RSA_eay_private_encrypt(). Thanks to
    Mark J. Cox for noticing!
  * crypto/dh/dh_key.c: Fix return value to prevent free'ing an uninit'ed
    pointer.

 -- Martin Pitt <email address hidden>  Wed, 4 Oct 2006 08:26:54 +0000

openssl (0.9.7g-1ubuntu1.3) breezy-security; urgency=low

  * SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
  * crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
    an infinite loop in some circumstances. [CVE-2006-2937]
  * ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
    handle invalid long cipher list strings. [CVE-2006-3738]
  * ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
    avoid client crash with malicious server responses. [CVE-2006-4343]
  * Certain types of public key could take disproportionate amounts of time to
    process. Apply patch from Bodo Moeller to impose limits to public key type
    values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
  * Updated patch in previous package version to fix a few corner-case
    regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
    were determined to not be necessary).

 -- Martin Pitt <email address hidden>  Wed, 27 Sep 2006 10:51:00 +0000

openssl (0.9.7g-1ubuntu1.2) breezy-security; urgency=low

  * SECURITY UPDATE: signature forgery in some cases.
  * Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
    - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
      applications from incorrectly verifying the certificate.
  * References:
    CVE-2006-4339
    http://www.openssl.org/news/secadv_20060905.txt

 -- Martin Pitt <email address hidden>  Tue, 5 Sep 2006 12:16:57 +0000

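The two checks described in these entries, the modulus/exponent size limit applied before the RSA public operation (the CVE-2006-2940 items in 0.9.7g-1ubuntu1.3 and 0.9.7g-1ubuntu1.5) and the rejection of excess data in PKCS #1 v1.5 signature padding (CVE-2006-4339 above), can be shown together in one verifier. The following is an added example written for this page; it is not code from OpenSSL or from the Ubuntu package. The bit limits `MAX_MODULUS_BITS` and `MAX_PUBEXP_BITS`, the 512-bit demo key, and all function names are assumptions for the demo; key generation and the `sign()` helper exist only so the example runs offline. `lenient_em_check()` illustrates the pre-fix style of check that never looks past the DigestInfo; `strict_em_check()` is the hardened form, which rebuilds the single valid encoded message and compares the whole block.

```python
"""PKCS#1 v1.5 signature verification with the two checks these entries add:
key-size limits before the public-key operation, and a strict comparison of
the whole encoded message so data after the DigestInfo cannot be ignored.
Constructed example, not OpenSSL code; the limits and key size are assumed."""
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
# Assumed limits for this demo; OpenSSL's own constants are version-specific.
MAX_MODULUS_BITS = 16384
MAX_PUBEXP_BITS = 64

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; only used to build a throwaway demo key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_key(bits=512, e=65537):
    """Return (n, e, d) for a small demo key; far too small for real use."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def build_em(digest, em_len, ps_len=None):
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with T = DigestInfo || digest.
    ps_len defaults to filling the block exactly (the only valid form); a
    shorter value leaves room after T, used here only to build a bad input."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    if ps_len is None:
        ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("padding string too short")
    em = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return em + b"\x00" * (em_len - len(em))   # non-empty only if ps_len is short

def sign(message, n, d, ps_len=None):
    """Demo signer: hash, build EM (optionally malformed), apply private op."""
    k = (n.bit_length() + 7) // 8
    em = build_em(hashlib.sha1(message).digest(), k, ps_len)
    return pow(int.from_bytes(em, "big"), d, n)

def lenient_em_check(em, message):
    """Pre-fix style check: whatever follows the DigestInfo is never examined."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return em[i + 1:i + 1 + len(t)] == t

def strict_em_check(em, message):
    """Hardened check: rebuild the single valid EM and compare all of it."""
    try:
        expected = build_em(hashlib.sha1(message).digest(), len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def verify(sig, message, n, e, strict=True, max_modulus_bits=MAX_MODULUS_BITS):
    """Size limits first (cheap), then the public operation, then the EM check."""
    if n.bit_length() > max_modulus_bits or e.bit_length() > MAX_PUBEXP_BITS:
        return False                # refuse before any costly exponentiation
    if not 0 <= sig < n:
        return False
    em = pow(sig, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return (strict_em_check if strict else lenient_em_check)(em, message)
```

Calling `verify()` with `strict=False` on a signature built by `sign(msg, n, d, ps_len=8)` returns `True`, because the lenient walk stops at the DigestInfo and never inspects the bytes that follow; the strict form returns `False` for the same input, and the size limit causes `verify()` to return `False` without performing any modular exponentiation when `max_modulus_bits` is set below the key size. The size limit is applied on the public-key path, matching the ubuntu1.5 entry's move of the check to `RSA_eay_public_decrypt()`.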
openssl (0.9.7g-1ubuntu1.1) breezy-security; urgency=low

  * SECURITY UPDATE: Fix cryptographic weakness.
  * ssl/s23_srvr.c:
    - When using SSL_OP_MSIE_SSLV2_RSA_PADDING, do not disable the
      protocol-version rollback check, so that a man-in-the-middle cannot
      force a client and server to fall back to the insecure SSL 2.0 protocol.
    - Problem discovered by Yutaka Oiwa.
  * References:
    CAN-2005-2969
    http://www.openssl.org/news/secadv_20051011.txt

 -- Martin Pitt <email address hidden>  Thu, 13 Oct 2005 09:33:30 +0000

openssl (0.9.7g-1ubuntu1) breezy; urgency=low

  * apps/openssl.cnf: Change CA and req default message digest algorithm to
    SHA-1 since MD5 is deemed insecure. (Ubuntu #13593)

 -- Martin Pitt <email address hidden>  Wed, 24 Aug 2005 09:57:52 +0200