Merge 1.0.0d-2 from debian/unstable

Bug #675566 reported by dino99 on 2010-11-15
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openssl (Debian)
Fix Released
Unknown
openssl (Ubuntu)
Wishlist
Unassigned

Bug Description

Binary package hint: openssl

Natty still have 0.9.8o

the latest is 1.0.0a with lot of bug and security fixes. Please update this package.

01-Jun-2010: OpenSSL 1.0.0a is now available, including important bug and security fixes

http://www.openssl.org/

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssl 0.9.8o-1ubuntu4.1
ProcVersionSignature: Ubuntu 2.6.37-3.11-generic-pae 2.6.37-rc1
Uname: Linux 2.6.37-3-generic-pae i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Mon Nov 15 15:46:52 2010
ProcEnviron:
 LANG=fr_FR.utf8
 SHELL=/bin/bash
SourcePackage: openssl

dino99 (9d9) wrote :
Steve Beattie (sbeattie) on 2010-11-19
Changed in openssl (Ubuntu):
importance: Undecided → Wishlist
Changed in openssl (Debian):
status: Unknown → New
panos (multimedia2004) wrote :

Just to let everyone know, a security bug has been found in openssl :

(copying from here : http://marc.info/?l=openssl-announce&m=128992699401945&w=2)

"All versions of OpenSSL supporting TLS extensions contain this vulnerability including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases."

This is fixed (again copying from the above):
"Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update
to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release
which contains a patch to correct this issue."

You can find more information about releases 0.9.8p and 1.0.0b here :
http://marc.info/?l=openssl-announce&r=1&b=201011&w=2

So i believe this report should be updated to reflect the above and request openssl 1.0.0b to be included in the latest ubuntu repository (and maybe consider updating the other related openssl reports in launchpad concerning 0.9.8 versions)

dino99 (9d9) on 2010-11-20
summary: - upgrade to the latest 1.0.0a with its security fixes
+ upgrade to the latest 1.0.0b with its security fixes

I don't think so that we will get openssl 1.0.0 in natty. Rather probably in Ubuntu 11.10.

dino99 (9d9) wrote :

its hard to understand such lack about security

http://www.openssl.org/news/secadv_20101202.txt

Changed in openssl (Debian):
status: New → Fix Released
Artur Rona (ari-tczew) wrote :

@dino99, all necessary security patches will be included in openssl 0.9.8, don't be afraid.

Artur Rona (ari-tczew) on 2011-02-13
tags: added: upgrade
removed: apport-bug i386 natty
Andreas Moog (ampelbein) wrote :

debian -> ubuntu debdiff

openssl (1.0.0d-2ubuntu1) oneiric; urgency=low

  * Merge from debian/unstable, remaining changes: (LP: #675566)
    - d/libssl1.0.0.postinst:
      + Display a system restart required notification bubble
        on libssl1.0.0 upgrade.
      + Use a different priority for libssl0.9.8/restart-services
        depending on whether a desktop, or server dist-upgrade
        is being performed.
    - d/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb
      package in Debian).
    - d/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
    - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
    - d/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
        (Closes: #465248)
      + Don't build for processors no longer supported: i486, i586
        (on i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
        (Closes: #611667)
      + Replace duplicate files in the doc directory with symlinks.
  * Fixes install of engines (LP: #769372)

 -- Andreas Moog <email address hidden> Sat, 30 Apr 2011 22:05:02 +0200

Changed in openssl (Ubuntu):
status: New → Confirmed
Andreas Moog (ampelbein) wrote :
Andreas Moog (ampelbein) on 2011-05-01
summary: - upgrade to the latest 1.0.0b with its security fixes
+ Merge 1.0.0d-2 from debian/unstable
Artur Rona (ari-tczew) wrote :

What about rdepends? Don't have to be rebuild all of them?

Andreas Moog (ampelbein) wrote :

Yes, it's a library transition, see https://wiki.ubuntu.com/UbuntuDevelopment/NBS for an explanation.

Dave Walker (davewalker) wrote :

@Andreas, nice job. Not an easy merge, and important as the current oneiric ca-certificates is not installable without this merge. Review looks good!

Dave Walker (davewalker) wrote :

Whilst I am happy, I would be more so with a secondary review from someone else, ideally in the security team. Holding off uploading.. awaiting secondary ACK.

Thanks.

Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package openssl - 1.0.0d-2ubuntu1

---------------
openssl (1.0.0d-2ubuntu1) oneiric; urgency=low

  * Resynchronise with Debian (LP: #675566). Remaining changes:
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification bubble on libssl1.0.0
        upgrade.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
      http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
      0.9.8 variant.
    - debian/patches/Bsymbolic-functions.patch: Link using
      -Bsymbolic-functions.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i486, i586 (on
        i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
  * Update architectures affected by Bsymbolic-functions.patch.
  * Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2'
    configure option, which compiles out SSLv2 support entirely, so this is
    no longer needed.
  * Drop openssl-doc in favour of the libssl-doc package introduced by
    Debian. Add Conflicts/Replaces until the next LTS release.

openssl (1.0.0d-2) unstable; urgency=high

  * Make c_rehash also generate the old subject hash. Gnutls applications
    seem to require it. (Closes: #611102)

openssl (1.0.0d-1) unstable; urgency=low

  * New upstream version
    - Fixes CVE-2011-0014
  * Make libssl-doc Replaces/Breaks with old libssl-dev packages
    (Closes: #607609)
  * Only export the symbols we should, instead of all.
  * Add symbol file.
  * Upload to unstable

openssl (1.0.0c-2) experimental; urgency=low

  * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
  * Always define _GNU_SOURCE, not only for Linux.
  * Drop SSL2 support (Closes: #589706)

openssl (1.0.0c-1) experimental; urgency=low

  * New upstream version (Closes: #578376)
    - New soname: Rename library packages
    - Drop patch perl-path.diff, not needed anymore
    - Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
      and CVE-2010-4180.patch: applied upstream.
    - Update Configure for the new fields for the assembler options
      per arch. alpha now makes use of assembler.
  * Move man3 manpages and demos to libssl-doc (Closes: #470594)
  * Drop .pod files from openssl package (Closes: #518167)
  * Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
  * Stop using BF_PTR2 on (kfreebd-)amd64.
  * Drop debian-arm from the list ...

Read more...

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.