Univention Corporate Server 3.3 erratum 26 (security)

This update addresses the following issues by updating OpenSSL to the code of
version 1.0.1t-1:
* Denial of service in DTLS (CVE-2014-3571, CVE-2015-0206)
* ECDHE can be downgraded to ECDH, resulting in a loss of forward secrecy
  (CVE-2014-3572)
* Weaker RSA keys can be negotiated by the SSL/TLS server
  (CVE-2015-0204)
* An OpenSSL server will accept a DH certificate for client authentication
  without the certificate verify message (CVE-2015-0205)
* Certificate fingerprints can be modified (CVE-2014-8275)
* Bignum squaring may produce incorrect results (CVE-2014-3570)
* Remote denial of service (integer overflow and application crash) or
  unspecified other impact (CVE-2016-2177)
* Potential timing side-channel attack by local users on DSA private key via
  dsa_sign_setup function in crypto/dsa/dsa_ossl.c (CVE-2016-2178)
* Remote denial of service (memory consumption) by maintaining many crafted
  DTLS sessions simultaneously (CVE-2016-2179)
* Remote denial of service (out-of-bounds read and application crash) via a
  crafted timestamp file that is mishandled by the "openssl ts" command
  (CVE-2016-2180)
* Remote denial of service (false-positive packet drops) via spoofed DTLS
  records (CVE-2016-2181)
* Remote denial of service (out-of-bounds write and application crash) or
  unspecified other impact via BN_bn2dec function (CVE-2016-2182)
* Remote denial of service via a ticket that is too short (CVE-2016-6302)
* Remote denial of service (out-of-bounds write and application crash) or
  unspecified other impact via MDC2_Update function (CVE-2016-6303)
* Remote denial of service (memory consumption) via large OCSP Status Request
  extensions (CVE-2016-6304)
* Remote denial of service (out-of-bounds read) via crafted certificate
  operations (CVE-2016-6306)
The version number of the package is kept at 1.0.1e-2 to ensure a defined
update path to UCS 4.x.