Package "libssl0.9.8-dbg"
Name: |
libssl0.9.8-dbg
|
Description: |
Symbol tables for libssl and libcrypto
|
Latest version: |
0.9.8o-7ubuntu3.2.14.04.1 |
Release: |
trusty (14.04) |
Level: |
security |
Repository: |
universe |
Head package: |
openssl098 |
Links
Download "libssl0.9.8-dbg"
Other versions of "libssl0.9.8-dbg" in Trusty
Changelog
openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium
[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
(LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/CVE-2013-0166.patch: properly handle NULL key in
crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: denial of service attack in DTLS implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
- debian/patches/CVE-2012-0884.patch: use a random key if RSA
decryption fails to avoid leaking timing information
- debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
errors in PKCS7_decrypt and initialize tkeylen properly when
encrypting CMS messages.
- CVE-2012-0884
[ Marc Deslauriers ]
* debian/patches/rehash_pod.patch: updated to fix FTBFS.
* debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
-- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:13:28 -0400
|
1331452 |
Please backport current CVEs for Precise LTS openssl098 |
CVE-2014-0224 |
SSL/TLS MITM vulnerability |
CVE-2014-0221 |
DTLS recursion flaw |
CVE-2014-0195 |
DTLS invalid fragment vulnerability |
CVE-2013-0169 |
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider t |
CVE-2013-0166 |
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows |
CVE-2012-2333 |
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, |
CVE-2012-0884 |
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain |
|
About
-
Send Feedback to @ubuntu_updates