CVE-2011-0014

Bug #718208 reported by Artur Rona on 2011-02-13
Affects: openssl (Ubuntu); Importance: Medium; Assigned to: Artur Rona
Affects: openssl (Ubuntu Natty); Importance: Medium; Assigned to: Artur Rona

Bug Description

Binary package hint: openssl

Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".

Artur Rona (ari-tczew) on 2011-02-13
Changed in openssl (Ubuntu):
assignee: nobody → Artur Rona (ari-tczew)
security vulnerability: no → yes
Changed in openssl (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package openssl - 0.9.8o-5ubuntu1

---------------
openssl (0.9.8o-5ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining changes: (LP: #718205)
    - d/libssl0.9.8.postinst:
      + Display a system restart required notification bubble
        on libssl0.9.8 upgrade.
      + Use a different priority for libssl0.9.8/restart-services
        depending on whether a desktop, or server dist-upgrade
        is being performed.
    - d/{libssl0.9.8-udeb.dirs, control, rules}: Create
      libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb
      package in Debian).
    - d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files,
      rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
    - d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}:
      + Ship documentation in openssl-doc, suggested by the package.
        (Closes: #470594)
    - d/p/aesni.patch: Backport Intel AES-NI support from
      http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
    - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
    - d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc.
    - d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS.
      The protocol is unsafe and extremely deprecated. (Closes: #589706)
    - d/rules:
      + Disable SSLv2 during compile. (Closes: #589706)
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
        (Closes: #465248)
      + Don't build for processors no longer supported: i486, i586
        (on i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
        (Closes: #611667)
      + Replace duplicate files in the doc directory with symlinks.
  * This upload fixed CVE: (LP: #718208)
    - CVE-2011-0014

openssl (0.9.8o-5) unstable; urgency=low

  * Fix OCSP stapling parse error (CVE-2011-0014)
 -- Artur Rona <email address hidden> Sun, 13 Feb 2011 16:10:24 +0100

Changed in openssl (Ubuntu Natty):
status: Confirmed → Fix Released