Please merge openssl 1.0.0e-2 from debian

Bug #850608 reported by Steve Beattie
This bug affects 2 people

Affects           Status        Importance  Assigned to  Milestone
openssl (Ubuntu)  Fix Released  High        Unassigned
Nominated for Oneiric by Steve Beattie

Bug Description

openssl 1.0.0e-2 fixes CVE-2011-1945, CVE-2011-3207 and CVE-2011-3210, and also includes blacklisting of DigiNotar certificates (to catch some compromised subsidiary DigiNotar certificates that were cross-signed by other CAs; thus the removal of the DigiNotar CA certificate from ca-certificates won't block their usage).

The Debian changes since 1.0.0d-2 are all bugfixes:

openssl (1.0.0e-2) unstable; urgency=low

   * Add a missing $(DEB_HOST_MULTIARCH)

 -- Kurt Roeckx <email address hidden> Sat, 10 Sep 2011 17:02:29 +0200

openssl (1.0.0e-1) unstable; urgency=low

   * New upstream version
     - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
       by initialising X509_STORE_CTX properly. (CVE-2011-3207)
     - Fix SSL memory handling for (EC)DH ciphersuites, in particular
       for multi-threaded use of ECDH. (CVE-2011-3210)
     - Add protection against ECDSA timing attacks (CVE-2011-1945)
   * Block DigiNotar certificates. Patch from
     Raphael Geissert <email address hidden>
   * Generate hashes for all certs in a file (Closes: #628780, #594524)
     Patch from Klaus Ethgen <email address hidden>
   * Add multiarch support (Closes: #638137)
     Patch from Steve Langasek / Ubuntu
   * Symbols from the gost engine were removed because it didn't have
     a linker file. Thanks to Roman I Khimov <email address hidden>
     (Closes: #631503)
   * Add support for s390x. Patch from Aurelien Jarno <email address hidden>
     (Closes: #641100)
   * Add build-arch and build-indep targets to the rules file.

 -- Kurt Roeckx <email address hidden> Sat, 10 Sep 2011 12:03:13 +0200

openssl (1.0.0d-3) unstable; urgency=low

   * Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
   * Apply patches from Scott Schaefer <email address hidden> to
     fix various pod and spelling errors. (Closes: #622820, #605561)
   * Add missing symbols for the engines (Closes: #623038)
   * More spelling fixes from Scott Schaefer (Closes: #395424)
   * Patch from Scott Schaefer to better document pkcs12 password options
     (Closes: #462489)
   * Document dgst -hmac option. Patch by Thorsten Glaser <email address hidden>
     (Closes: #529586)

 -- Kurt Roeckx <email address hidden> Mon, 13 Jun 2011 12:39:54 +0200

and the upstream release 1.0.0e is a bugfix-only release as well:

+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
+
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <email address hidden>]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH. (CVE-2011-3210)
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
+
+ *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
+ signature public key algorithm by using OID xref utilities instead.
+ Before this you could only use some ECC ciphersuites with SHA1 only.
+ [Steve Henson]
+
+ *) Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+
+ http://eprint.iacr.org/2011/232.pdf
+
+ [Billy Bob Brumley and Nicola Tuveri]
+
  Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
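Review bot: the ECDSA timing-attack entry (the Brumley and Tuveri item, last in this hunk) carries no CVE id, while the CRL nextUpdate and (EC)DH entries above it cite CVE-2011-3207 and CVE-2011-3210. The Debian changelog on this page maps that fix to CVE-2011-1945; adding "(CVE-2011-1945)" to the entry would keep all three security fixes searchable by id. The x509_name_ex_d2i leak on bad inputs sits in certificate parsing as well, so the entry should say whether it was assessed as security-relevant.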
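Why removing the root from ca-certificates is not enough, shown as an added toy model (not code from OpenSSL, Debian or this bug report). All certificate names are constructed, signatures are reduced to issuer-name matching, and the name-based block is an assumption: the page does not say how the Debian patch identifies the certificates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # subject name
    issuer: str   # name of the CA that signed this certificate

# Constructed sample data; "Example Other Root" is a hypothetical third-party CA.
ROOT_D = Cert("DigiNotar Root CA", "DigiNotar Root CA")
ROOT_X = Cert("Example Other Root", "Example Other Root")
# One subordinate CA certified twice: by its own root, and cross-signed
# by an unrelated root that stays in the trust store.
SUB_BY_D = Cert("DigiNotar Sub CA", "DigiNotar Root CA")
SUB_BY_X = Cert("DigiNotar Sub CA", "Example Other Root")
LEAF = Cert("www.example.test", "DigiNotar Sub CA")
UNTRUSTED_POOL = [SUB_BY_D, SUB_BY_X]  # intermediates a peer could present

def find_chain(cert, pool, trusted, blocked=(), depth=0):
    """Return the first chain from cert up to a trusted root, else None."""
    if any(word in cert.subject for word in blocked):
        return None  # the block applies to every certificate on the path
    if cert in trusted:
        return [cert]
    if depth > 8:  # guard against issuer loops
        return None
    for issuer in list(trusted) + list(pool):
        if issuer.subject == cert.issuer and issuer != cert:
            rest = find_chain(issuer, pool, trusted, blocked, depth + 1)
            if rest:
                return [cert] + rest
    return None

def validates(trusted, blocked=()):
    return find_chain(LEAF, UNTRUSTED_POOL, trusted, blocked) is not None

if __name__ == "__main__":
    print("both roots trusted:     ", validates([ROOT_D, ROOT_X]))
    print("DigiNotar root removed: ", validates([ROOT_X]))
    print("removed + library block:", validates([ROOT_X], blocked=("DigiNotar",)))
```

With the root removed the leaf still chains through the cross-signed copy of the subordinate CA; only the check inside path validation rejects it.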

Steve Beattie (sbeattie) wrote:

Merge request has been attached. I have tested that the result of the merge builds successfully, with no changes in the results of the openssl build-time regression tests as well as the openssl tests in the lp:qa-regression-testing branch.

Changed in openssl (Ubuntu):
status: New → In Progress
importance: Undecided → High

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package openssl - 1.0.0e-2ubuntu1

---------------
openssl (1.0.0e-2ubuntu1) oneiric; urgency=low

  * Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
    CVE-2011-3210 (LP: #850608). Remaining changes:
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification bubble on libssl1.0.0
        upgrade.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
      http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
      0.9.8 variant.
    - debian/patches/Bsymbolic-functions.patch: Link using
      -Bsymbolic-functions.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i486, i586 (on
        i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
  * debian/libssl1.0.0.postinst: only display restart notification on
    servers (LP: #244250)

openssl (1.0.0e-2) unstable; urgency=low

  * Add a missing $(DEB_HOST_MULTIARCH)

openssl (1.0.0e-1) unstable; urgency=low

  * New upstream version
    - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
    - Fix SSL memory handling for (EC)DH ciphersuites, in particular
      for multi-threaded use of ECDH. (CVE-2011-3210)
    - Add protection against ECDSA timing attacks (CVE-2011-1945)
  * Block DigiNotar certificates. Patch from
    Raphael Geissert <email address hidden>
  * Generate hashes for all certs in a file (Closes: #628780, #594524)
    Patch from Klaus Ethgen <email address hidden>
  * Add multiarch support (Closes: #638137)
    Patch from Steve Langasek / Ubuntu
  * Symbols from the gost engine were removed because it didn't have
    a linker file. Thanks to Roman I Khimov <email address hidden>
    (Closes: #631503)
  * Add support for s390x. Patch from Aurelien Jarno <email address hidden>
    (Closes: #641100)
  * Add build-arch and build-indep targets to the rules file.

openssl (1.0.0d-3) unstable; urgency=low

  * Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
  * Apply patches from Scott Schaefer <email address hidden> to
    fix various pod and spelling errors. (Closes: #622820, #605561)
  * Add missing symbols for the engines (Closes: #623038)
  * More spelling fixes from Scott Schaefer (Closes: #395424)
  * Patch from Scott Schaefer to better document pkcs12 password options
    (...

Changed in openssl (Ubuntu):
status: In Progress → Fix Released