openssl097 (0.9.7g-5ubuntu1.1) dapper-security; urgency=low
.
  * SECURITY UPDATE: Multiple vulnerabilities.
  * Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
    - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
      applications from incorrectly verifying the certificate. [CVE-2006-4339]
    - http://www.openssl.org/news/secadv_20060905.txt
  * crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
    an infinite loop in some circumstances. [CVE-2006-2937]
  * ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
    handle invalid long cipher list strings. [CVE-2006-3738]
  * ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
    avoid client crash with malicious server responses. [CVE-2006-4343]
  * Certain types of public key could take disproportionate amounts of time to
    process. Apply patch from Bodo Moeller to impose limits to public key type
    values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
Just released, should be on the mirrors in about two hours.
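
For readers checking their own verifiers against the first changelog item (excess data in a PKCS #1 v1.5 signature block), the sketch below is an added example, not code from OpenSSL, the referenced patch, or this changelog. It contrasts a lax encoded-block check with a strict one. The function names, the 128-byte block size, the SHA-1 DigestInfo and the sample bytes are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
#define EM_LEN   128   /* encoded block for a 1024-bit modulus (assumed size) */
#define HASH_LEN 20    /* SHA-1 */
/* DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2) */
static const unsigned char PFX[] = { 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
                                     0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
#define T_LEN (sizeof PFX + HASH_LEN)

/* Lax: skip FF padding, match DigestInfo, never look at what follows it. */
int em_check_lax(const unsigned char *em, size_t n, const unsigned char *h)
{
    size_t i = 2;
    if (n < 3 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < n && em[i] == 0xFF) i++;
    if (i >= n || em[i++] != 0x00 || n - i < T_LEN) return 0;
    return !memcmp(em + i, PFX, sizeof PFX) &&
           !memcmp(em + i + sizeof PFX, h, HASH_LEN);
}

/* Strict: padding length is fixed by n, so DigestInfo must end the block. */
int em_check_strict(const unsigned char *em, size_t n, const unsigned char *h)
{
    size_t i, ps;
    if (n < T_LEN + 11) return 0;            /* 00 01, >= 8 FF bytes, 00 */
    ps = n - T_LEN - 3;
    if (em[0] != 0x00 || em[1] != 0x01 || em[2 + ps] != 0x00) return 0;
    for (i = 2; i < 2 + ps; i++)
        if (em[i] != 0xFF) return 0;
    return !memcmp(em + 3 + ps, PFX, sizeof PFX) &&
           !memcmp(em + 3 + ps + sizeof PFX, h, HASH_LEN);
}

/* Constructed sample: ps FF bytes, DigestInfo, 0xAA filler; returns verdict. */
int demo(int strict, size_t ps)
{
    unsigned char em[EM_LEN], h[HASH_LEN];
    if (ps > EM_LEN - 3 - T_LEN) return -1;
    memset(h, 0x5A, sizeof h);               /* constructed digest value */
    memset(em, 0xAA, sizeof em);
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, ps);
    em[2 + ps] = 0x00;
    memcpy(em + 3 + ps, PFX, sizeof PFX);
    memcpy(em + 3 + ps + sizeof PFX, h, HASH_LEN);
    return strict ? em_check_strict(em, EM_LEN, h) : em_check_lax(em, EM_LEN, h);
}

int main(void) { return !(demo(0, 8) == 1 && demo(1, 8) == 0 && demo(1, 90) == 1); }
```

A block with full-length padding passes both checks; a block with short padding and leftover bytes after the digest passes only the lax one, which makes it a useful regression test for any verifier.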