Ubuntu
openssl package

Merge openssl 0.9.8o-3 (main) from Debian unstable (main)

Bug #677756 reported by Steve Beattie
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Fix Released
Wishlist
Unassigned

Bug Description

Binary package hint: openssl

This version includes a fix for CVE-2010-3864 as well as re-enabling the engines in openssl.

openssl (0.9.8o-3) unstable; urgency=high

   * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
   * Re-add the engines. They were missing since 0.9.8m-1.
     Patch by Joerg Schneider. (Closes: #603693)
   * Not all architectures were build using -g (Closes: #570702)
   * Add powerpcspe support (Closes: #579805)
   * Add armhf support (Closes: #596881)
   * Update translations:
     - Brazilian Portuguese (Closes: #592154)
     - Danish (Closes: #599459)
     - Vietnamese (Closes: #601536)
     - Arabic (Closes: #596166)
   * Generate the proper stamp file so that everything doesn't get build twice.

 -- Kurt Roeckx <email address hidden> Tue, 16 Nov 2010 19:20:55 +0100
openssl (0.9.8o-2) unstable; urgency=high

   * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)

 -- Kurt Roeckx <email address hidden> Thu, 26 Aug 2010 18:25:29 +0200

See original description
Tags: patch

CVE References

Revision history for this message
Steve Beattie (sbeattie) wrote :

Here is the debdiff against openssl 0.9.8o-1ubuntu4.1

description: updated
Changed in openssl (Ubuntu):
status: New → In Progress
Revision history for this message
Artur Rona (ari-tczew) wrote :

Steve, could you attach debdiff debian - ubuntu?

summary: - Merge openssl 0.9.8o-3 from debian unstable
+ Merge openssl 0.9.8o-3 (main) from Debian unstable (main)
description: updated
Revision history for this message
Steve Beattie (sbeattie) wrote :

Artur, attached is the debdiff from openssl_0.9.8o-3 in debian unstable. Thanks!

Brian Murray (brian-murray)
tags: added: patch
Revision history for this message
Artur Rona (ari-tczew) wrote :

I guess that your debdiff is ready to review, right?

Changed in openssl (Ubuntu):
status: In Progress → Confirmed
Artur Rona (ari-tczew)
Changed in openssl (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Luke Yelavich (themuso) wrote :

Thanks for your work, will review this now.

Changed in openssl (Ubuntu):
assignee: nobody → Luke Yelavich (themuso)
status: Confirmed → In Progress
Revision history for this message
Luke Yelavich (themuso) wrote :

Looks good, uploading. Thanks for your work.

Changed in openssl (Ubuntu):
assignee: Luke Yelavich (themuso) → nobody
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8o-3ubuntu1

---------------
openssl (0.9.8o-3ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #677756). Remaining changes:
    - debian/patches/Bsymbolic-functions.patch: Link using
      -Bsymbolic-functions (refreshed)
    - Use a different priority for libssl0.9.8/restart-services
      depending on whether a desktop, or server dist-upgrade is being
      performed.
    - Display a system restart required notification bubble on libssl0.9.8
      upgrade.
    - Don't build for processors no longer supported: i486, i586
      (on i386), v8 (on sparc).
    - Create libssl0.9.8-udeb, for the benefit of wget-udeb (no
      wget-udeb package in Debian)
    - Replace duplicate files in the doc directory with symlinks.
    - Move runtime libraries to /lib, for the benefit of wpasupplicant
    - Ship documentation in openssl-doc, suggested by the package.
      (Debian bug 470594)
    - Use host compiler when cross-building (patch from Neil Williams in
      Debian bug 465248).
    - Don't run 'make test' when cross-building.
    - debian/patches/aesni.patch: Backport Intel AES-NI support from
      http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths
      under .pc.
    - debian/patches/no-sslv2.patch: disable SSLv2 to match NSS
      and GnuTLS. The protocol is unsafe and extremely deprecated.
      (Debian bug 589706)
  * Dropped patches, now upstream:
    - debian/patches/CVE-2010-2939.patch (Debian patch is identically
      named)

openssl (0.9.8o-3) unstable; urgency=high

  * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
  * Re-add the engines. They were missing since 0.9.8m-1.
    Patch by Joerg Schneider. (Closes: #603693)
  * Not all architectures were build using -g (Closes: #570702)
  * Add powerpcspe support (Closes: #579805)
  * Add armhf support (Closes: #596881)
  * Update translations:
    - Brazilian Portuguese (Closes: #592154)
    - Danish (Closes: #599459)
    - Vietnamese (Closes: #601536)
    - Arabic (Closes: #596166)
  * Generate the proper stamp file so that everything doesn't get build twice.

openssl (0.9.8o-2) unstable; urgency=high

  * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
 -- Steve Beattie <email address hidden> Thu, 18 Nov 2010 12:54:37 -0800

Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.