UbuntuUpdates.org

Package "libssl-dev"

Name: libssl-dev

Description:

Secure Sockets Layer toolkit - development files

Latest version: 1.0.2g-1ubuntu4.16
Release: xenial (16.04)
Level: security
Repository: main
Head package: openssl

Links


Download "libssl-dev"


Other versions of "libssl-dev" in Xenial

Repository Area Version
base main 1.0.2g-1ubuntu4
updates main 1.0.2g-1ubuntu4.16

Changelog

Version: 1.0.2g-1ubuntu4.11 2018-03-28 21:06:51 UTC

  openssl (1.0.2g-1ubuntu4.11) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via ASN.1 types with a recursive definition
    - debian/patches/CVE-2018-0739.patch: limit stack depth in
      crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c.
    - CVE-2018-0739

 -- Marc Deslauriers <email address hidden> Tue, 27 Mar 2018 14:18:33 -0400

Source diff to previous version
CVE-2018-0739 Constructed ASN.1 types with a recursive definition (such as can be ...

Version: 1.0.2g-1ubuntu4.10 2017-12-11 20:06:36 UTC

  openssl (1.0.2g-1ubuntu4.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Read/write after SSL object in error state
    - debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
      add to test/Makefile.
    - debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
      fatal error in ssl/ssl.h.
    - debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
      ssl/fatalerrtest.c, test/Makefile.
    - CVE-2017-3737
  * SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
    - debian/patches/CVE-2017-3738.patch: fix digit correction bug in
      crypto/bn/asm/rsaz-avx2.pl.
    - CVE-2017-3738

 -- Marc Deslauriers <email address hidden> Thu, 07 Dec 2017 13:17:37 -0500

Source diff to previous version
CVE-2017-3737 OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake
CVE-2017-3738 There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected.

Version: 1.0.2g-1ubuntu4.9 2017-11-06 20:06:37 UTC

  openssl (1.0.2g-1ubuntu4.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
    - debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
      crypto/x509v3/v3_addr.c.
    - CVE-2017-3735
  * SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
    - debian/patches/CVE-2017-3736.patch: fix carry bug in
      bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
    - CVE-2017-3736

 -- Marc Deslauriers <email address hidden> Thu, 02 Nov 2017 11:28:46 -0400

Source diff to previous version
CVE-2017-3735 While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text
CVE-2017-3736 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are a

Version: 1.0.2g-1ubuntu4.6 2017-01-31 18:06:41 UTC

  openssl (1.0.2g-1ubuntu4.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Montgomery multiplication may produce incorrect
    results
    - debian/patches/CVE-2016-7055.patch: fix logic in
      crypto/bn/asm/x86_64-mont.pl.
    - CVE-2016-7055
  * SECURITY UPDATE: DoS via warning alerts
    - debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
      warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
      ssl/ssl_locl.h.
    - debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
      type is received in ssl/s3_pkt.c.
    - CVE-2016-8610
  * SECURITY UPDATE: Truncated packet could crash via OOB read
    - debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
      crypto/evp/e_rc4_hmac_md5.c.
    - CVE-2017-3731
  * SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
    - debian/patches/CVE-2017-3732.patch: fix carry bug in
      bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl.
    - CVE-2017-3732

 -- Marc Deslauriers <email address hidden> Mon, 30 Jan 2017 10:31:12 -0500

Source diff to previous version
CVE-2016-7055 Montgomery multiplication may produce incorrect results
CVE-2016-8610 SSL/TLS SSL3_AL_WARNING undefined alert DoS

Version: 1.0.2g-1ubuntu4.5 2016-09-23 16:06:26 UTC

  openssl (1.0.2g-1ubuntu4.5) xenial-security; urgency=medium

  * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
    - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
      check in crypto/bn/bn_print.c.

 -- Marc Deslauriers <email address hidden> Fri, 23 Sep 2016 08:00:13 -0400

1626883 libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault
CVE-2016-2182 The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to



About   -   Send Feedback to @ubuntu_updates