OK, I have managed to test this by installing the openssl tools from
lucid, and running a slightly modified QRT script.
Looks good, I'm going to release it now. Thanks!
** Package changed: openssl (Ubuntu) => openssl098 (Ubuntu)
--
This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2
---
openssl098 (0.9.8o-7ubuntu3.2) precise-security; urgency=medium
* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
** Changed in: openssl098 (Ubuntu)
Status: Invalid => Confirmed
** Also affects: openssl098 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: openssl098 (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: openssl098 (Ubuntu Utopic)
** Branch linked: lp:ubuntu/precise-security/openssl098
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1331452
Title:
Please backport current CVEs for Precise LTS openssl098
To manage notifications
** Changed in: openssl098 (Ubuntu Saucy)
Status: New => Confirmed
** Changed in: openssl098 (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: openssl098 (Ubuntu Saucy)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: openssl098 (Ubuntu Trusty)
** Branch linked: lp:~ubuntu-branches/ubuntu/utopic/openssl098/utopic-
proposed
--
This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2.13.10.1
---
openssl098 (0.9.8o-7ubuntu3.2.13.10.1) saucy-security; urgency=medium
* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
- debian/patches/CVE-2014-0224-regression2.patch: accept
This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu3.2.14.04.1
---
openssl098 (0.9.8o-7ubuntu3.2.14.04.1) trusty-security; urgency=medium
[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
(LP: #1331452)
* SECURITY UPDATE: MITM
This bug was fixed in the package openssl098 - 0.9.8o-7ubuntu4
---
openssl098 (0.9.8o-7ubuntu4) utopic; urgency=medium
[ Louis Bouchard ]
* Bring up to date with latest security patches from Ubuntu 10.04:
(LP: #1331452)
* SECURITY UPDATE: MITM via change cipher spec
-
It appears one of the patches added some new errors to the build logs:
...
./testssl: 128: [: SSLv3: unexpected operator
Testing AES256-SHA
Available compression methods:
1: zlib compression
TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
1 handshakes of 256 bytes done
./testssl: 128: [:
Thanks for the updated debdiff Marc.
Here is the new debdiff with this last regression patch included.
** Patch removed: openssl098_lp1331452_update_cve_v3.debdiff
Hi Seth,
Sorry for all the back and forth. I was sure I had imported the patch
straight from the Lucid source package. I must have messed up somewhere.
Here is another stab at it. Let's hope that it is ok this time. Once
again, sorry.
** Patch removed: openssl098_lp1331452_update_cve_v2.debdiff
There is a regression fix that got published upstream which I'll release
an update for on Monday. I suspect you're going to need to add it. Here
is the upstream commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=70d923fb0359ed68e59b8c59d1687ebff6f8d952
And here is my planned lucid
Thanks for taking on this update; I have a few questions:
The changelog references a patch that isn't included:
+- debian/patches/fix_renegotiation.patch: add upstream commit to fix
+ renegotiation in ssl/s3_clnt.c, ssl/t1_lib.c.
Why was this patch dropped? It feels accidental, since
** Changed in: openssl (Ubuntu Precise)
Status: Incomplete => In Progress
--
** Patch removed: openssl098_lp1331452_update_cve.debdiff
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1331452/+attachment/4134168/+files/openssl098_lp1331452_update_cve.debdiff
--
Seth, thanks for looking at this.
The mention of debian/patches/fix_renegotiation.patch in the changelog
is a cut and paste mistake on my part. I only backported the CVEs from
Lucid, not the other patches. If you think that the other patches are
required let me know and I'll see what I can do.
New debdiff with suggested changes
** Patch added: openssl098_lp1331452_update_cve_v2.debdiff
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1331452/+attachment/4134736/+files/openssl098_lp1331452_update_cve_v2.debdiff
--
New debdiff with suggested changes
** Patch removed: openssl098_lp1331452_update_cve_v2.debdiff
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1331452/+attachment/4134736/+files/openssl098_lp1331452_update_cve_v2.debdiff
** Patch added: openssl098_lp1331452_update_cve_v2.debdiff
The fix_renegotiation patch is most probably needed.
--
@mdeslaur:
Not that I was aware of that, but after trying to import the patch, it
turns out that that fix_renegotiation patch is already present in the
upstream tarball. So I think that removing that mention from the
changelog remains valid.
--
Louis, thanks for taking another stab at this, but it still doesn't seem
right: cms_smime.c had 37 added lines in the upstream patch, but this
includes only three new added lines and no actual functional changes:
+Index: openssl098-0.9.8o/crypto/cms/cms_smime.c
debdiff of missing CVEs taken from Lucid
** Patch added: openssl098_lp1331452_update_cve.debdiff
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1331452/+attachment/4134168/+files/openssl098_lp1331452_update_cve.debdiff