Update OpenSSL to fix security vulnerabilities
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
The Dell Mini Project | Fix Committed | Undecided | Unassigned |
Bug Description
OpenSSL has been updated in generic hardy to version 0.9.8g-4ubuntu3.7 to fix several security vulnerabilities (see below). OpenSSL is still in version 0.9.8g-4ubuntu3.5 in hardy for the mini.
Changelog:

```
openssl (0.9.8g-4ubuntu3.7) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via memory consumption from large
    number of future epoch DTLS records.
    - crypto/pqueue.*: add new pqueue_size counter function.
    - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
    - http://
    - CVE-2009-1377
  * SECURITY UPDATE: denial of service via memory consumption from
    duplicate or invalid sequence numbers in DTLS records.
    - ssl/d1_both.c: discard message if it's a duplicate or too far in the
      future.
    - http://
    - CVE-2009-1378
  * SECURITY UPDATE: denial of service or other impact via use-after-free
    in dtls1_retrieve_
    - ssl/d1_both.c: use temp frag_len instead of freed frag.
    - http://
    - CVE-2009-1379
  * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
    that occurs before ClientHello.
    - ssl/s3_pkt.c: abort if s->session is NULL.
    - ssl/{ssl.
    - http://
    - CVE-2009-1386
  * SECURITY UPDATE: denial of service via an out-of-sequence DTLS
    handshake message.
    - ssl/d1_both.c: don't buffer fragments with no data.
    - http://
    - CVE-2009-1387
```
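The changelog entries above all fix the same class of problem: a DTLS receiver that buffered unbounded or unchecked input (future-epoch records, duplicate or far-ahead handshake fragments, empty fragments, a ChangeCipherSpec with no session). The following is an added illustration, written for this page and not OpenSSL's own code, of the bookkeeping rules those fixes introduce. The class and method names, the `MAX_FUTURE_FRAGS` window and the sample traffic are assumptions chosen here; only the queue cap of 100 comes from the changelog.

```python
"""Model of the DTLS receive-side limits described in the changelog:
a bounded future-epoch record queue, duplicate/out-of-window handshake
fragment discard, empty-fragment rejection, and ChangeCipherSpec
rejection when no session exists.  Added example, not OpenSSL code."""
from dataclasses import dataclass, field
import heapq

MAX_BUFFERED_RECORDS = 100   # from "limit size of queue to 100" (CVE-2009-1377 fix)
MAX_FUTURE_FRAGS = 10        # assumed reassembly window; not a value from the page


@dataclass
class DtlsReceiver:
    current_epoch: int = 0
    next_handshake_seq: int = 0
    session_established: bool = False
    future_records: list = field(default_factory=list)   # heap of (epoch, seq, payload)
    buffered_frags: dict = field(default_factory=dict)   # msg_seq -> payload
    dropped: int = 0

    def accept_record(self, epoch, seq, payload):
        """Queue records from a future epoch, but only up to a fixed cap;
        anything beyond the cap is dropped instead of consuming memory."""
        if epoch == self.current_epoch:
            return "deliver"
        if epoch < self.current_epoch:
            self.dropped += 1
            return "drop-old-epoch"
        if len(self.future_records) >= MAX_BUFFERED_RECORDS:
            self.dropped += 1
            return "drop-queue-full"
        heapq.heappush(self.future_records, (epoch, seq, payload))
        return "queued"

    def accept_handshake_fragment(self, msg_seq, payload):
        """Buffer out-of-order handshake messages only if they carry data,
        are not duplicates and are not too far ahead (CVE-2009-1378/1387)."""
        if not payload:
            self.dropped += 1
            return "drop-empty"
        if msg_seq < self.next_handshake_seq or msg_seq in self.buffered_frags:
            self.dropped += 1
            return "drop-duplicate"
        if msg_seq > self.next_handshake_seq + MAX_FUTURE_FRAGS:
            self.dropped += 1
            return "drop-too-far-ahead"
        if msg_seq == self.next_handshake_seq:
            self.next_handshake_seq += 1
            # Release any consecutively buffered messages now in order.
            while self.next_handshake_seq in self.buffered_frags:
                del self.buffered_frags[self.next_handshake_seq]
                self.next_handshake_seq += 1
            return "deliver"
        self.buffered_frags[msg_seq] = payload
        return "buffered"

    def accept_change_cipher_spec(self):
        """Reject a ChangeCipherSpec that arrives before any session exists
        (the "abort if s->session is NULL" fix for CVE-2009-1386)."""
        if not self.session_established:
            self.dropped += 1
            return "drop-no-session"
        self.current_epoch += 1
        return "epoch-advanced"


def count_retained_future_records(n=1000):
    """Constructed sample: n records tagged epoch 1 arrive while the receiver
    is still in epoch 0.  Returns how many are retained, which stays at
    MAX_BUFFERED_RECORDS however large n is."""
    rx = DtlsReceiver()
    for seq in range(n):
        rx.accept_record(epoch=1, seq=seq, payload=b"x")
    return len(rx.future_records)


if __name__ == "__main__":
    print("retained future-epoch records:", count_retained_future_records(1000))
```

The point of the model is that every buffer has an upper bound tied to protocol state rather than to the sender: the future-epoch queue is capped, the handshake window is bounded relative to the next expected sequence number, and input that cannot advance the state (empty fragments, duplicates, a ChangeCipherSpec with no session) is dropped and counted rather than stored.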
security vulnerability: no → yes
Changed in dell-mini: status: New → Confirmed
In proposed repository.