This bug was fixed in the package openssl - 1.0.1-4ubuntu5.35

---------------
openssl (1.0.1-4ubuntu5.35) precise-security; urgency=medium

  * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
      crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
    - CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
    - debian/patches/CVE-2016-0705.patch: fix double-free in
      crypto/dsa/dsa_ameth.c.
    - CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    - debian/patches/CVE-2016-0797.patch: prevent overflow in
      crypto/bn/bn_print.c, crypto/bn/bn.h.
    - CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
    - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
      introduce new SRP_VBASE_get1_by_user function that handles seed
      properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
      util/libeay.num, openssl.ld.
    - CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
    - debian/patches/CVE-2016-0799.patch: prevent overflow in
      crypto/bio/b_print.c.
    - CVE-2016-0799
  * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
    digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
    (LP: #1550643)

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Mon, 29 Feb 2016 08:01:48 -0500

** Changed in: openssl (Ubuntu Precise)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0702

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0705

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0797

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0798

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0799

** Changed in: openssl (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1550643

Title:
  Please backport OpenSSL SNI signature algorithms fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1550643/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
