landing-team-changes team mailing list archive

[stable-overlay] openssl (1.0.1f-1ubuntu11.6)

 

Uploaded to the Stable Phone Overlay PPA (~ci-train-ppa-service/ubuntu/stable-phone-overlay vivid) archive

---------------
Format: 1.8
Date: Tue, 10 May 2016 22:52:07 -0700
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source
Version: 1.0.1f-1ubuntu11.6
Distribution: vivid
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@xxxxxxxxxxxxxxxx>
Changed-By: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 libssl1.0.0-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Launchpad-Bugs-Fixed: 1550643 1579163
Changes:
 openssl (1.0.1f-1ubuntu11.6) vivid; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: EVP_EncodeUpdate overflow (LP: #1579163)
     - debian/patches/CVE-2016-2105.patch: properly check lengths in
       crypto/evp/encode.c, add documentation to
       doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
     - CVE-2016-2105
   * SECURITY UPDATE: EVP_EncryptUpdate overflow
     - debian/patches/CVE-2016-2106.patch: fix overflow in
       crypto/evp/evp_enc.c.
     - CVE-2016-2106
   * SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
     - debian/patches/CVE-2016-2107.patch: check that there are enough
       padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c.
     - CVE-2016-2107
   * SECURITY UPDATE: Memory corruption in the ASN.1 encoder
     - debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
       marked as negative in crypto/asn1/a_int.c.
     - debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
       crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
       crypto/asn1/tasn_enc.c.
     - CVE-2016-2108
   * SECURITY UPDATE: ASN.1 BIO excessive memory allocation
     - debian/patches/CVE-2016-2109.patch: properly handle large amounts of
       data in crypto/asn1/a_d2i_fp.c.
     - CVE-2016-2109
   * debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
     to 1024.
   * SECURITY UPDATE: side channel attack on modular exponentiation
     - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
       crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
       crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
     - CVE-2016-0702
   * SECURITY UPDATE: double-free in DSA code
     - debian/patches/CVE-2016-0705.patch: fix double-free in
       crypto/dsa/dsa_ameth.c.
     - CVE-2016-0705
   * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
     - debian/patches/CVE-2016-0797.patch: prevent overflow in
       crypto/bn/bn_print.c, crypto/bn/bn.h.
     - CVE-2016-0797
   * SECURITY UPDATE: memory leak in SRP database lookups
     - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
       introduce new SRP_VBASE_get1_by_user function that handled seed
       properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
       util/libeay.num, openssl.ld.
     - CVE-2016-0798
   * SECURITY UPDATE: memory issues in BIO_*printf functions
     - debian/patches/CVE-2016-0799.patch: prevent overflow in
       crypto/bio/b_print.c.
     - CVE-2016-0799
   * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
     digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
     (LP: #1550643)
   * debian/patches/alt-cert-chains-*.patch: backport series of upstream
     commits to add alternate chains support. This will allow the future
     removal of 1024-bit RSA keys from the ca-certificates package.
 .
   [ Tyler Hicks ]
   * debian/patches/update-expired-smime-test-certs.patch: Update test
     certificates that have expired and caused build test failures.
Checksums-Sha1:
 b5937caea2a22f69d500299bedfd5bab9b3fde55 2429 openssl_1.0.1f-1ubuntu11.6.dsc
 9cb236d09dc0979b41028d5840bcbfd329250d58 222736 openssl_1.0.1f-1ubuntu11.6.debian.tar.xz
Checksums-Sha256:
 2ffd449a9754a7c175774c6a86c64b7ab0dc454a276983d00dcbc31746274aed 2429 openssl_1.0.1f-1ubuntu11.6.dsc
 1a8461df88bc7c735a419ef23a4fa30340b56d7d42f4bd5bb989489978b96ef6 222736 openssl_1.0.1f-1ubuntu11.6.debian.tar.xz
Files:
 a4099ec2e6a715e66ba9563b23ddce42 2429 utils optional openssl_1.0.1f-1ubuntu11.6.dsc
 3a4d4613c0f5825140fbd7899c6da3ed 222736 utils optional openssl_1.0.1f-1ubuntu11.6.debian.tar.xz
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@xxxxxxxxxxxxxxxxxxxxxxx>