UbuntuUpdates.org

Package "libssl0.9.8"

Name: libssl0.9.8

Description:

SSL shared libraries
Latest version: 0.9.8o-7ubuntu3.2.14.04.1
Release: trusty (14.04)
Level: updates
Repository: universe
Head package: openssl098

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libssl0.9.8"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libssl0.9.8" in Trusty

Repository Area Version
base universe 0.9.8o-7ubuntu3.1
security universe 0.9.8o-7ubuntu3.2.14.04.1

Changelog

Version: 0.9.8o-7ubuntu3.2.14.04.1 2014-07-02 16:06:52 UTC

  openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium

  [ Louis Bouchard ]
  * Bring up to date with latest security patches from Ubuntu 10.04:
    (LP: #1331452)
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: denial of service attack in DTLS implementation
    - debian/patches/CVE_2012-2333.patch: guard for integer overflow
      before skipping explicit IV
    - CVE-2012-2333
  * SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
    - debian/patches/CVE-2012-0884.patch: use a random key if RSA
      decryption fails to avoid leaking timing information
    - debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
      errors in PKCS7_decrypt and initialize tkeylen properly when
      encrypting CMS messages.
    - CVE-2012-0884

  [ Marc Deslauriers ]
  * debian/patches/rehash_pod.patch: updated to fix FTBFS.
  * debian/patches/fix-pod-errors.patch: fix other pod files to fix FTBFS.
 -- Marc Deslauriers <email address hidden> Wed, 02 Jul 2014 09:13:28 -0400
1331452 Please backport current CVEs for Precise LTS openssl098
CVE-2014-0224 SSL/TLS MITM vulnerability
CVE-2014-0221 DTLS recursion flaw
CVE-2014-0195 DTLS invalid fragment vulnerability
CVE-2013-0169 The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider t
CVE-2013-0166 OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows
CVE-2012-2333 Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption,
CVE-2012-0884 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain


About   -   Send Feedback to @ubuntu_updates