[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.4 --- openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium * SECURITY UPDATE: Pointer arithmetic undefined behaviour - debian/patches/CVE-2016-2177.patch: avoid undefined pointer arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c. - CVE-2016-2177 * SECURITY UPDATE: Constant time flag not preserved in DSA signing - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in crypto/dsa/dsa_ossl.c. - CVE-2016-2178 * SECURITY UPDATE: DTLS buffered message DoS - debian/patches/CVE-2016-2179.patch: fix queue handling in ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c, ssl/ssl_locl.h. - CVE-2016-2179 * SECURITY UPDATE: OOB read in TS_OBJ_print_bio() - debian/patches/CVE-2016-2180.patch: fix text handling in crypto/ts/ts_lib.c. - CVE-2016-2180 * SECURITY UPDATE: DTLS replay protection DoS - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed records in ssl/d1_pkt.c. - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c. - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h. - CVE-2016-2181 * SECURITY UPDATE: OOB write in BN_bn2dec() - debian/patches/CVE-2016-2182.patch: don't overflow buffer in crypto/bn/bn_print.c. - CVE-2016-2182 * SECURITY UPDATE: SWEET32 Mitigation - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH to MEDIUM in ssl/s3_lib.c. - CVE-2016-2183 * SECURITY UPDATE: Malformed SHA512 ticket DoS - debian/patches/CVE-2016-6302.patch: sanity check ticket length in ssl/t1_lib.c. - CVE-2016-6302 * SECURITY UPDATE: OOB write in MDC2_Update() - debian/patches/CVE-2016-6303.patch: avoid overflow in crypto/mdc2/mdc2dgst.c. - CVE-2016-6303 * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous handshake in ssl/t1_lib.c. - CVE-2016-6304 * SECURITY UPDATE: Certificate message OOB reads - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c, ssl/s3_srvr.c. - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly larger in ssl/d1_both.c, ssl/s3_both.c. - CVE-2016-6306 -- Marc Deslauriers Thu, 22 Sep 2016 08:22:22 -0400 ** Changed in: openssl (Ubuntu Xenial) Status: Fix Committed => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2177 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2178 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2179 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2180 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2181 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2182 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2183 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-6302 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-6303 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-6304 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-6306 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf resolves the bug I described in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
Hello Joy, or anyone else affected, Accepted openssl into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g- 1ubuntu4.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: openssl (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
Uploaded package to xenial-proposed for processing by the SRU team. ** Changed in: openssl (Ubuntu Yakkety) Status: Fix Committed => Fix Released ** Changed in: openssl (Ubuntu Xenial) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
There's an openssl package already in xenial-proposed. Once that gets published, I'll upload a fixed package for this bug for processing by the SRU team. ** Also affects: openssl (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: openssl (Ubuntu Yakkety) Status: New => Fix Committed ** Changed in: openssl (Ubuntu Xenial) Status: New => Confirmed ** Changed in: openssl (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs