diff -Nru openssl-1.0.1c/debian/changelog openssl-1.0.1c/debian/changelog --- openssl-1.0.1c/debian/changelog 2012-07-29 05:33:38.000000000 -0700 +++ openssl-1.0.1c/debian/changelog 2012-11-09 14:49:14.000000000 -0800 
@@ -1,3 +1,43 @@ +openssl (1.0.1c-4ubuntu1) raring; urgency=low + + * Resynchronise with Debian (LP: #1077228). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - debian/patches/tls12_workarounds.patch: Workaround large client hello + issues when TLS 1.1 and lower is in use + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + * Dropped changes: + - Drop openssl-doc in favour of the libssl-doc package introduced by + Debian. Add Conflicts/Replaces until the next LTS release. 
+ + Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS + release' + + -- Tyler Hicks Fri, 09 Nov 2012 14:49:13 -0800 + openssl (1.0.1c-4) unstable; urgency=low * Fix the configure rules for alpha (Closes: #672710) 
@@ -12,6 +52,61 @@ -- Kurt Roeckx Tue, 17 Jul 2012 11:49:19 +0200 +openssl (1.0.1c-3ubuntu2) quantal; urgency=low + + [ Tyler Hicks ] + * debian/patches/tls12_workarounds.patch: Readd the change to check + TLS1_get_client_version rather than TLS1_get_version to fix incorrect + client hello cipher list truncation when TLS 1.1 and lower is in use. + (LP: #1051892) + + [ Micah Gersten ] + * Mark Debian Vcs-* as XS-Debian-Vcs-* + - update debian/control + + -- Tyler Hicks Thu, 04 Oct 2012 10:34:57 -0700 + +openssl (1.0.1c-3ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. 
+ - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - debian/patches/tls12_workarounds.patch: workaround large client hello + issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and + with -DOPENSSL_NO_TLS1_2_CLIENT. + * Dropped upstreamed patches: + - debian/patches/CVE-2012-2110.patch + - debian/patches/CVE-2012-2110b.patch + - debian/patches/CVE-2012-2333.patch + - debian/patches/CVE-2012-0884-extra.patch + - most of debian/patches/tls12_workarounds.patch + + -- Marc Deslauriers Fri, 29 Jun 2012 13:01:30 -0400 + openssl (1.0.1c-3) unstable; urgency=low * Disable padlock engine again, causes problems for hosts not supporting it. 
@@ -67,6 +162,93 @@ -- Kurt Roeckx Thu, 19 Apr 2012 19:54:12 +0200 +openssl (1.0.1-4ubuntu6) quantal; urgency=low + + * SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and + TLS v1.2 implementation + - debian/patches/CVE_2012-2333.patch: guard for integer overflow + before skipping explicit IV + - CVE-2012-2333 + * debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen + properly when encrypting CMS messages. + + -- Steve Beattie Thu, 24 May 2012 16:05:04 -0700 + +openssl (1.0.1-4ubuntu5) precise-proposed; urgency=low + + * debian/patches/CVE-2012-2110b.patch: Use correct error code in + BUF_MEM_grow_clean() + + -- Jamie Strandboge Tue, 24 Apr 2012 08:29:32 -0500 + +openssl (1.0.1-4ubuntu4) precise-proposed; urgency=low + + * Check TLS1_get_client_version rather than TLS1_get_version for client + hello cipher list truncation, in a further attempt to get things working + again for everyone (LP: #986147). + + -- Colin Watson Tue, 24 Apr 2012 14:05:50 +0100 + +openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low + + * SECURITY UPDATE: fix various overflows + - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c, + crypto/buffer.c and crypto/mem.c to verify size of lengths + - CVE-2012-2110 + + -- Jamie Strandboge Thu, 19 Apr 2012 10:31:06 -0500 + +openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low + + * Backport more upstream patches to work around TLS 1.2 failures + (LP #965371): + - Do not use record version number > TLS 1.0 in initial client hello: + some (but not all) hanging servers will now work. + - Truncate the number of ciphers sent in the client hello to 50. Most + broken servers should now work. + - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + * Don't re-enable TLS 1.2 client support by default yet, since more of the + sites listed in the above bug and its duplicates still fail if I do that + versus leaving it disabled. 
+ + -- Colin Watson Wed, 18 Apr 2012 15:03:56 +0100 + +openssl (1.0.1-4ubuntu1) precise; urgency=low + + * Resynchronise with Debian (LP: #968753). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - Experimental workaround to large client hello issue: if + OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients + only. + - Compile with -DOPENSSL_NO_TLS1_2_CLIENT. + + -- Colin Watson Tue, 10 Apr 2012 20:50:52 +0100 + openssl (1.0.1-4) unstable; urgency=low * Use official patch for the vpaes problem, also covering amd64. 
@@ -81,6 +263,70 @@ -- Kurt Roeckx Sat, 31 Mar 2012 18:35:59 +0200 +openssl (1.0.1-2ubuntu4) precise; urgency=low + + * Pass cross-compiling options to 'make install' as well, since apparently + it likes to rebuild fips_premain_dso. + + -- Colin Watson Sat, 31 Mar 2012 00:48:38 +0100 + +openssl (1.0.1-2ubuntu3) precise; urgency=low + + * Temporarily work around TLS 1.2 failures as suggested by upstream + (LP #965371): + - Use client version when deciding whether to send supported signature + algorithms extension. + - Experimental workaround to large client hello issue: if + OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients + only. + - Compile with -DOPENSSL_NO_TLS1_2_CLIENT. + This fixes most of the reported problems, but does not fix the case of + servers that reject version numbers they don't support rather than + trying to negotiate a lower version (e.g. www.mediafire.com). + + -- Colin Watson Fri, 30 Mar 2012 17:11:45 +0100 + +openssl (1.0.1-2ubuntu2) precise; urgency=low + + * Remove compat symlinks from /usr/lib to /lib, as they cause + some serious issued with symbol generation, and are not needed. + * Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + + -- Adam Conrad Fri, 23 Mar 2012 21:39:39 -0600 + +openssl (1.0.1-2ubuntu1) precise; urgency=low + + * Resynchronise with Debian (LP: #958430). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! 
paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + * Drop aesni.patch, applied upstream. + * Drop Bsymbolic-functions.patch, now handled using dpkg-buildflags. + + -- Colin Watson Thu, 22 Mar 2012 17:54:09 +0000 + openssl (1.0.1-2) unstable; urgency=low * Properly quote the new cflags in Configure 
@@ -120,6 +366,42 @@ -- Kurt Roeckx Tue, 13 Mar 2012 21:08:17 +0100 +openssl (1.0.0g-1ubuntu1) precise; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates + rather than exactly one. + + -- Marc Deslauriers Sat, 11 Feb 2012 13:27:31 -0500 + openssl (1.0.0g-1) unstable; urgency=high * New upstream version 
@@ -135,6 +417,42 @@ -- Kurt Roeckx Thu, 12 Jan 2012 19:02:43 +0100 +openssl (1.0.0e-3ubuntu1) precise; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates + rather than exactly one. + + -- Marc Deslauriers Thu, 12 Jan 2012 11:30:17 +0100 + openssl (1.0.0e-3) unstable; urgency=low * Don't build v8 and v9 variants of sparc anymore, they're older than 
@@ -152,6 +470,68 @@ -- Raphael Geissert Sun, 06 Nov 2011 01:39:30 -0600 +openssl (1.0.0e-2ubuntu4) oneiric; urgency=low + + * The previous change moved the notification to major upgrades only, but + in fact, we do want the sysadmin to be notified when security updates + are installed, without having services automatically restarted. + (LP: #244250) + + -- Marc Deslauriers Tue, 04 Oct 2011 09:31:22 -0400 + +openssl (1.0.0e-2ubuntu3) oneiric; urgency=low + + * Only issue a restart required notification on important upgrades, and + not other actions such as reconfiguration or initial installation. + (LP: #244250) + + -- Anders Kaseorg Tue, 04 Oct 2011 13:33:35 +0100 + +openssl (1.0.0e-2ubuntu2) oneiric; urgency=low + + * Unapply patch c_rehash-multi and comment it out in the series as it breaks + parsing of certificates with CRLF line endings and other cases (see + Debian #642314 for discussion), it also changes the semantics of c_rehash + directories by requiring applications to parse hash link targets as files + containing potentially *multiple* certificates rather than exactly one. + LP: #855454. + + -- Loïc Minier Tue, 27 Sep 2011 18:13:07 +0200 + +openssl (1.0.0e-2ubuntu1) oneiric; urgency=low + + * Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and + CVE-2011-3210 (LP: #850608). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification bubble on libssl1.0.0 + upgrade. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. 
+ - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i486, i586 (on + i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + * debian/libssl1.0.0.postinst: only display restart notification on + servers (LP: #244250) + + -- Steve Beattie Wed, 14 Sep 2011 22:06:03 -0700 + openssl (1.0.0e-2) unstable; urgency=low * Add a missing $(DEB_HOST_MULTIARCH) 
@@ -195,6 +575,49 @@ -- Kurt Roeckx Mon, 13 Jun 2011 12:39:54 +0200 +openssl (1.0.0d-2ubuntu2) oneiric; urgency=low + + * Build for multiarch. LP: #826601. + + -- Steve Langasek Mon, 15 Aug 2011 01:58:35 -0700 + +openssl (1.0.0d-2ubuntu1) oneiric; urgency=low + + * Resynchronise with Debian (LP: #675566). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification bubble on libssl1.0.0 + upgrade. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i486, i586 (on + i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + * Update architectures affected by Bsymbolic-functions.patch. + * Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2' + configure option, which compiles out SSLv2 support entirely, so this is + no longer needed. + * Drop openssl-doc in favour of the libssl-doc package introduced by + Debian. Add Conflicts/Replaces until the next LTS release. 
+ + -- Colin Watson Sun, 01 May 2011 23:51:53 +0100 + openssl (1.0.0d-2) unstable; urgency=high * Make c_rehash also generate the old subject hash. Gnutls applications 
@@ -245,12 +668,128 @@ -- Kurt Roeckx Sun, 12 Dec 2010 15:37:21 +0100 +openssl (0.9.8o-5ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #718205) + - d/libssl0.9.8.postinst: + + Display a system restart required notification bubble + on libssl0.9.8 upgrade. + + Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade + is being performed. + - d/{libssl0.9.8-udeb.dirs, control, rules}: Create + libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb + package in Debian). + - d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files, + rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. + - d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}: + + Ship documentation in openssl-doc, suggested by the package. + (Closes: #470594) + - d/p/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions. + - d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc. + - d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS. + The protocol is unsafe and extremely deprecated. (Closes: #589706) + - d/rules: + + Disable SSLv2 during compile. (Closes: #589706) + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + (Closes: #465248) + + Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + (Closes: #611667) + + Replace duplicate files in the doc directory with symlinks. 
+ * This upload fixed CVE: (LP: #718208) + - CVE-2011-0014 + + -- Artur Rona Sun, 13 Feb 2011 16:10:24 +0100 + +openssl (0.9.8o-5) unstable; urgency=low + + * Fix OCSP stapling parse error (CVE-2011-0014) + + -- Kurt Roeckx Thu, 10 Feb 2011 20:43:43 +0100 + +openssl (0.9.8o-4ubuntu2) natty; urgency=low + + [ Peter Pearse ] + * Fix Makefile to properly clean up libs/ dirs in clean target + + -- Steve Langasek Mon, 31 Jan 2011 10:47:30 -0800 + +openssl (0.9.8o-4ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #693902) + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + - Create libssl0.9.8-udeb, for the benefit of wget-udeb (no + wget-udeb package in Debian). + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant. + - Ship documentation in openssl-doc, suggested by the package. + (Closes: #470594) + - Use host compiler when cross-building. Patch from Neil Williams. + (Closes: #465248). + - Don't run 'make test' when cross-building. + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + - debian/patches/no-sslv2.patch: disable SSLv2 to match NSS + and GnuTLS. The protocol is unsafe and extremely deprecated. 
+ (Closes: #589706) + + -- Artur Rona Thu, 23 Dec 2010 20:20:03 +0100 + openssl (0.9.8o-4) unstable; urgency=low * Fix CVE-2010-4180 (Closes: #529221) -- Kurt Roeckx Mon, 06 Dec 2010 20:33:21 +0100 +openssl (0.9.8o-3ubuntu1) natty; urgency=low + + * Merge from debian unstable (LP: #677756). Remaining changes: + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions (refreshed) + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + - Create libssl0.9.8-udeb, for the benefit of wget-udeb (no + wget-udeb package in Debian) + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + - Ship documentation in openssl-doc, suggested by the package. + (Debian bug 470594) + - Use host compiler when cross-building (patch from Neil Williams in + Debian bug 465248). + - Don't run 'make test' when cross-building. + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + - debian/patches/no-sslv2.patch: disable SSLv2 to match NSS + and GnuTLS. The protocol is unsafe and extremely deprecated. + (Debian bug 589706) + * Dropped patches, now upstream: + - debian/patches/CVE-2010-2939.patch (Debian patch is identically + named) + + -- Steve Beattie Thu, 18 Nov 2010 12:54:37 -0800 + openssl (0.9.8o-3) unstable; urgency=high * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709) 
@@ -274,6 +813,72 @@ -- Kurt Roeckx Thu, 26 Aug 2010 18:25:29 +0200 +openssl (0.9.8o-1ubuntu4.1) maverick-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + crafted private key with an invalid prime. + - debian/patches/CVE-2010-2939.patch: set bn_ctx to NULL after freeing + it in ssl/s3_clnt.c. + - CVE-2010-2939 + + -- Marc Deslauriers Wed, 06 Oct 2010 16:46:36 -0400 + +openssl (0.9.8o-1ubuntu4) maverick; urgency=low + + * Update AES-NI patch to openssl-0.9.8-aesni-modes-perlasm-win32-v4.patch + from http://rt.openssl.org/Ticket/Display.html?id=2067, fixing segfault + on engine initialisation (LP: #590639). + + -- Colin Watson Fri, 24 Sep 2010 12:20:49 +0100 + +openssl (0.9.8o-1ubuntu3) maverick; urgency=low + + * debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS. + The protocol is unsafe and extremely deprecated. (Debian bug 589706) + + -- Kees Cook Tue, 20 Jul 2010 08:24:13 -0700 + +openssl (0.9.8o-1ubuntu2) maverick; urgency=low + + * Don't build anymore for processors not supported anymore in maverick: + - i486, i586 (on i386). + - v8 (on sparc). + + -- Matthias Klose Mon, 19 Jul 2010 16:44:10 +0200 + +openssl (0.9.8o-1ubuntu1) maverick; urgency=low + + * Merge from debian unstable, remaining changes (LP: #581167): + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + - Use host compiler when cross-building (patch from Neil Williams in + Debian #465248). + - Don't run 'make test' when cross-building. 
+ - Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + * Dropped patches, now upstream: + - debian/patches/CVE-2009-3245.patch + - debian/patches/CVE-2010-0740.patch + - debian/patches/dtls-compatibility.patch + - debian/patches/CVE-2009-4355.patch + * Dropped "Add support for lpia". + * Dropped "Disable SSLv2 during compile" as this had never actually + disabled SSLv2. + * Don't disable CVE-2009-3555.patch for Maverick. + + -- Marc Deslauriers Mon, 14 Jun 2010 09:08:29 -0400 + openssl (0.9.8o-1) unstable; urgency=low * New upstream version 
@@ -326,6 +931,87 @@ -- Kurt Roeckx Wed, 13 Jan 2010 21:26:49 +0100 +openssl (0.9.8k-7ubuntu8) lucid; urgency=low + + * SECURITY UPDATE: denial of service and possible arbitrary code + execution via unchecked return values + - debian/patches/CVE-2009-3245.patch: check bn_wexpand return value in + crypto/bn/{bn_div.c,bn_gf2m.c,bn_mul.c}, crypto/ec/ec2_smpl.c, + engines/e_ubsec.c. + - CVE-2009-3245 + * SECURITY UPDATE: denial of service via "record of death" + - debian/patches/CVE-2010-0740.patch: only send back minor version + number in ssl/s3_pkt.c. + - CVE-2010-0740 + + -- Marc Deslauriers Tue, 30 Mar 2010 08:57:51 -0400 + +openssl (0.9.8k-7ubuntu7) lucid; urgency=low + + * debian/patches/dtls-compatibility.patch: backport dtls compatibility + code from 0.9.8m to fix interopability. (LP: #516318) + + -- Marc Deslauriers Fri, 26 Mar 2010 08:31:09 -0400 + +openssl (0.9.8k-7ubuntu6) lucid; urgency=low + + * Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). + * Don't change perl #! paths under .pc. + + -- Colin Watson Mon, 01 Feb 2010 15:40:27 -0800 + +openssl (0.9.8k-7ubuntu5) lucid; urgency=low + + * SECURITY UPDATE: memory leak possible during state clean-up. + - Add CVE-2009-4355.patch, upstream fixes thanks to Debian. + + -- Kees Cook Fri, 22 Jan 2010 09:50:01 -0800 + +openssl (0.9.8k-7ubuntu4) lucid; urgency=low + + * Use host compiler when cross-building (patch from Neil Williams in + Debian #465248). + * Don't run 'make test' when cross-building. + * Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). + + -- Colin Watson Tue, 05 Jan 2010 16:09:38 +0000 + +openssl (0.9.8k-7ubuntu3) lucid; urgency=low + + * debian/patches/disable-sslv2.patch: remove and apply inline to fix + FTBFS when patch won't revert during the build process. 
+ + -- Marc Deslauriers Mon, 07 Dec 2009 21:00:47 -0500 + +openssl (0.9.8k-7ubuntu2) lucid; urgency=low + + * debian/patches/{disable-sslv2,Bsymbolic-functions}.patch: apply + Makefile sections inline as once the package is configured during the + build process, the patches wouldn't revert anymore, causing a FTBFS on + anything other than amd64. + + -- Marc Deslauriers Mon, 07 Dec 2009 19:52:15 -0500 + +openssl (0.9.8k-7ubuntu1) lucid; urgency=low + + * Merge from debian unstable, remaining changes (LP: #493392): + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + * Strip the patches out of the source into quilt patches + * Disable CVE-2009-3555.patch + + -- Nicolas Valcárcel Scerpella (Canonical) Sun, 06 Dec 2009 20:16:24 -0500 + openssl (0.9.8k-7) unstable; urgency=low * Bump the shlibs to require 0.9.8k-1. The following symbols 
@@ -403,6 +1089,70 @@ -- Kurt Roeckx Sat, 16 May 2009 17:33:55 +0200 +openssl (0.9.8g-16ubuntu3) karmic; urgency=low + + * SECURITY UPDATE: certificate spoofing via hash collisions from MD2 + design flaws. + - crypto/evp/c_alld.c, ssl/ssl_algs.c: disable MD2 digest. + - crypto/x509/x509_vfy.c: skip signature check for self signed + certificates + - http://marc.info/?l=openssl-cvs&m=124508133203041&w=2 + - http://marc.info/?l=openssl-cvs&m=124704528713852&w=2 + - CVE-2009-2409 + + -- Marc Deslauriers Tue, 08 Sep 2009 14:59:05 -0400 + +openssl (0.9.8g-16ubuntu2) karmic; urgency=low + + * Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by + Marc Deslauriers) + * SECURITY UPDATE: denial of service via memory consumption from large + number of future epoch DTLS records. + - crypto/pqueue.*: add new pqueue_size counter function. + - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100. + - http://cvs.openssl.org/chngview?cn=18187 + - CVE-2009-1377 + * SECURITY UPDATE: denial of service via memory consumption from + duplicate or invalid sequence numbers in DTLS records. + - ssl/d1_both.c: discard message if it's a duplicate or too far in the + future. + - http://marc.info/?l=openssl-dev&m=124263491424212&w=2 + - CVE-2009-1378 + * SECURITY UPDATE: denial of service or other impact via use-after-free + in dtls1_retrieve_buffered_fragment. + - ssl/d1_both.c: use temp frag_len instead of freed frag. + - http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest + - CVE-2009-1379 + * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet + that occurs before ClientHello. + - ssl/s3_pkt.c: abort if s->session is NULL. + - ssl/{ssl.h,ssl_err.c}: add new error codes. + - http://cvs.openssl.org/chngview?cn=17369 + - CVE-2009-1386 + * SECURITY UPDATE: denial of service via an out-of-sequence DTLS + handshake message. + - ssl/d1_both.c: don't buffer fragments with no data. 
+ - http://cvs.openssl.org/chngview?cn=17958 + - CVE-2009-1387 + + -- Jamie Strandboge Fri, 10 Jul 2009 14:44:47 -0500 + +openssl (0.9.8g-16ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Jamie Strandboge Thu, 14 May 2009 14:11:05 -0500 + openssl (0.9.8g-16) unstable; urgency=high * Properly validate the length of an encoded BMPString and UniversalString 
@@ -410,6 +1160,45 @@ -- Kurt Roeckx Wed, 01 Apr 2009 22:04:53 +0200 +openssl (0.9.8g-15ubuntu3) jaunty; urgency=low + + * SECURITY UPDATE: crash via invalid memory access when printing BMPString + or UniversalString with invalid length + - crypto/asn1/tasn_dec.c, crypto/asn1/asn1_err.c and crypto/asn1/asn1.h: + return error if invalid length + - CVE-2009-0590 + - http://www.openssl.org/news/secadv_20090325.txt + - patch from upstream CVS: + crypto/asn1/asn1.h:1.128.2.11->1.128.2.12 + crypto/asn1/asn1_err.c:1.54.2.4->1.54.2.5 + crypto/asn1/tasn_dec.c:1.26.2.10->1.26.2.11 + + -- Jamie Strandboge Fri, 27 Mar 2009 08:23:35 -0500 + +openssl (0.9.8g-15ubuntu2) jaunty; urgency=low + + * Move runtime libraries to /lib, for the benefit of wpasupplicant + (LP: #44194). Leave symlinks behind in /usr/lib (except on the Hurd) + since we used to set an rpath there. + + -- Colin Watson Fri, 06 Mar 2009 12:48:52 +0000 + +openssl (0.9.8g-15ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: LP: #314984 + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Bhavani Shankar Thu, 08 Jan 2009 12:38:06 +0530 + openssl (0.9.8g-15) unstable; urgency=low * Internal calls to didn't properly check for errors which 
@@ -420,6 +1209,34 @@ -- Kurt Roeckx Mon, 05 Jan 2009 21:14:31 +0100 +openssl (0.9.8g-14ubuntu2) jaunty; urgency=low + + * SECURITY UPDATE: clients treat malformed signatures as good when verifying + server DSA and ECDSA certificates + - update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c, + ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and + ssl/ssltest.c to properly check the return code of EVP_VerifyFinal() + - patch based on upstream patch for #2008-016 + - CVE-2008-5077 + + -- Jamie Strandboge Tue, 06 Jan 2009 00:44:19 -0600 + +openssl (0.9.8g-14ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Scott James Remnant Tue, 11 Nov 2008 17:24:44 +0000 + openssl (0.9.8g-14) unstable; urgency=low * Don't give the warning about security updates when upgrading 
@@ -464,6 +1281,29 @@ -- Christoph Martin Thu, 17 Jul 2008 09:53:01 +0200 +openssl (0.9.8g-10.1ubuntu2) intrepid; urgency=low + + * debian/rules: + - disable SSLv2 during compile + * debian/README.debian + - add note about disabled SSLv2 in Ubuntu + + -- Ante Karamatic Thu, 24 Jul 2008 12:47:09 +0200 + +openssl (0.9.8g-10.1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - display a system restart required notification bubble on libssl0.9.8 upgrade. + - ship documentation in new openssl-doc package. + - configure: add support for lpia. + - replace duplicate files in the doc directory with symlinks. + - link using -bsymbolic-functions. + - update maintainer as per spec. + + -- Luke Yelavich Tue, 10 Jun 2008 11:50:07 +1000 + openssl (0.9.8g-10.1) unstable; urgency=high * Non-maintainer upload by the Security team. @@ -477,6 +1317,20 @@ -- Nico Golde Tue, 27 May 2008 11:13:44 +0200 +openssl (0.9.8g-10ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - Display a system restart required notification bubble on libssl0.9.8 upgrade. + - Ship documentation in new openssl-doc package. + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + - Update maintainer as per spec. + + -- Luke Yelavich Mon, 12 May 2008 22:49:33 +1000 + openssl (0.9.8g-10) unstable; urgency=low * undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK) 
@@ -495,6 +1349,20 @@ -- Kurt Roeckx Wed, 07 May 2008 20:32:12 +0200 +openssl (0.9.8g-8ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - Display a system restart required notification bubble on libssl0.9.8 upgrade. + - Ship documentation in new openssl-doc package. + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + - Update maintainer as per spec. + + -- Luke Yelavich Mon, 12 May 2008 10:09:20 +1000 + openssl (0.9.8g-8) unstable; urgency=high * Don't add extensions to ssl v3 connections. It breaks with some @@ -521,6 +1389,30 @@ -- Kurt Roeckx Sat, 09 Feb 2008 13:32:49 +0100 +openssl (0.9.8g-4ubuntu3) hardy; urgency=low + + * Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. (LP: #91814) + * Display a system restart required notification bubble on libssl0.9.8 upgrade. + + -- Luke Yelavich Tue, 22 Apr 2008 10:50:53 +1000 + +openssl (0.9.8g-4ubuntu2) hardy; urgency=low + + * Ship documentation in new openssl-doc package, since it is very large and + not terribly useful for the casual desktop user. + + -- Martin Pitt Tue, 11 Mar 2008 22:52:28 +0100 + +openssl (0.9.8g-4ubuntu1) hardy; urgency=low + + * Merge from unstable; remaining changes: + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + + -- Matthias Klose Tue, 29 Jan 2008 14:32:12 +0100 + openssl (0.9.8g-4) unstable; urgency=low * Fix aes ige test speed not to overwrite it's buffer and 
@@ -535,6 +1427,14 @@ -- Kurt Roeckx Wed, 16 Jan 2008 21:49:43 +0100 +openssl (0.9.8g-3ubuntu1) hardy; urgency=low + + * Merge with Debian; remaining changes: + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + + -- Matthias Klose Wed, 05 Dec 2007 00:13:39 +0100 + openssl (0.9.8g-3) unstable; urgency=low * aes-586.pl: push %ebx on the stack before we put some things on the @@ -622,6 +1522,41 @@ -- Kurt Roeckx Wed, 15 Aug 2007 19:49:54 +0200 +openssl (0.9.8e-5ubuntu3) gutsy; urgency=low + + * Replace duplicate files in the doc directory with symlinks. + + -- Matthias Klose Thu, 04 Oct 2007 16:27:53 +0000 + +openssl (0.9.8e-5ubuntu2) gutsy; urgency=low + + [ Jamie Strandboge ] + * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in + buffer overflow + * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to + Stephan Hermann + * References: + CVE-2007-5135 + http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded + Fixes LP: #146269 + * Modify Maintainer value to match the DebianMaintainerField + specification. + + [ Kees Cook ] + * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function. + * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian. + * References + CVE-2007-3108 + + -- Kees Cook Fri, 28 Sep 2007 13:02:19 -0700 + +openssl (0.9.8e-5ubuntu1) gutsy; urgency=low + + * Configure: Add support for lpia. + * Explicitely build using gcc-4.1 (PR other/31359). + + -- Matthias Klose Tue, 31 Jul 2007 12:47:38 +0000 + openssl (0.9.8e-5) unstable; urgency=low [ Christian Perrier ] diff -Nru openssl-1.0.1c/debian/control openssl-1.0.1c/debian/control --- openssl-1.0.1c/debian/control 2012-07-29 05:33:20.000000000 -0700 +++ openssl-1.0.1c/debian/control 2012-11-09 11:05:20.000000000 -0800 
@@ -2,11 +2,12 @@
 Build-Depends: debhelper (>= 8.1.3), zlib1g-dev, m4, bc, dpkg-dev (>= 1.15.7)
 Section: utils
 Priority: optional
-Maintainer: Debian OpenSSL Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian OpenSSL Team
 Uploaders: Christoph Martin , Kurt Roeckx
 Standards-Version: 3.8.0
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl
-Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl/
+XS-Debian-Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl
+XS-Debian-Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl/
 Package: openssl
 Priority: optional
@@ -50,6 +51,17 @@
 .
 Do not install it on a normal system.
+Package: libssl1.0.0-udeb
+XC-Package-Type: udeb
+Section: debian-installer
+Priority: optional
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: ssl shared library - udeb
+ libssl shared library.
+ .
+ Do not install it on a normal system.
+
 Package: libssl-dev
 Section: libdevel
 Priority: optional
diff -Nru openssl-1.0.1c/debian/libcrypto1.0.0-udeb.dirs openssl-1.0.1c/debian/libcrypto1.0.0-udeb.dirs
--- openssl-1.0.1c/debian/libcrypto1.0.0-udeb.dirs 2010-12-12 06:35:56.000000000 -0800
+++ openssl-1.0.1c/debian/libcrypto1.0.0-udeb.dirs 2012-11-08 17:27:18.000000000 -0800
@@ -1 +1 @@
-usr/lib
+lib
diff -Nru openssl-1.0.1c/debian/libssl1.0.0-udeb.dirs openssl-1.0.1c/debian/libssl1.0.0-udeb.dirs
--- openssl-1.0.1c/debian/libssl1.0.0-udeb.dirs 1969-12-31 16:00:00.000000000 -0800
+++ openssl-1.0.1c/debian/libssl1.0.0-udeb.dirs 2012-11-08 17:27:18.000000000 -0800
@@ -0,0 +1 @@
+lib
diff -Nru openssl-1.0.1c/debian/libssl1.0.0.files openssl-1.0.1c/debian/libssl1.0.0.files
--- openssl-1.0.1c/debian/libssl1.0.0.files 2011-09-10 04:16:17.000000000 -0700
+++ openssl-1.0.1c/debian/libssl1.0.0.files 2012-11-08 17:27:18.000000000 -0800
@@ -1,4 +1,5 @@ +lib/*/*.so.*.*.* +lib/*/*/*.so.*.*.* +lib/*/i686/cmov/*.so.*.*.* usr/lib/*/*.so.*.*.* -usr/lib/*/*/*.so.*.*.* -usr/lib/*/i686/cmov/*.so.*.*.* usr/lib/*/openssl-1.0.0/engines diff -Nru openssl-1.0.1c/debian/libssl1.0.0.postinst openssl-1.0.1c/debian/libssl1.0.0.postinst --- openssl-1.0.1c/debian/libssl1.0.0.postinst 2012-07-17 02:48:50.000000000 -0700 +++ openssl-1.0.1c/debian/libssl1.0.0.postinst 2012-11-08 17:27:18.000000000 -0800 @@ -57,6 +57,8 @@ if [ "$1" = "configure" ] then if [ ! -z "$2" ]; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. if dpkg --compare-versions "$2" lt 0.9.8g-9 && dpkg --compare-versions "$2" gt 0.9.8c-4etch3; then db_version 2.0 @@ -117,7 +119,11 @@ if [ -n "$services" ]; then db_reset libssl1.0.0/restart-services db_set libssl1.0.0/restart-services "$services" - db_input critical libssl1.0.0/restart-services || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libssl1.0.0/restart-services || true + else + db_input critical libssl1.0.0/restart-services || true + fi db_go || true db_get libssl1.0.0/restart-services 
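Review bot: The new `db_input medium` branch should say what it means in practice: when the debconf priority threshold is the usual `high`, a medium-priority question is skipped, so on a desktop release upgrade the services just stored with `db_set` are restarted without the administrator ever seeing the list, while servers keep the `critical` prompt. Suggested comment above the `if`: `# RELEASE_UPGRADE_MODE is presumably exported by the release upgrader (confirm); at medium priority the question is normally not shown, so desktop upgrades restart $services unattended`. The `|| true` makes a skipped question and a failed one indistinguishable here, which the comment should also acknowledge. The enclosing `if [ -n "$services" ]` block continues outside the hunk.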
@@ -162,7 +168,20 @@ # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi diff -Nru openssl-1.0.1c/debian/patches/perlpath-quilt.patch openssl-1.0.1c/debian/patches/perlpath-quilt.patch --- openssl-1.0.1c/debian/patches/perlpath-quilt.patch 1969-12-31 16:00:00.000000000 -0800 +++ openssl-1.0.1c/debian/patches/perlpath-quilt.patch 2012-11-08 17:27:18.000000000 -0800 @@ -0,0 +1,14 @@ +diff -Nur openssl-0.9.8o/util/perlpath.pl openssl-0.9.8o.new/util/perlpath.pl +--- openssl-0.9.8o/util/perlpath.pl 2010-06-14 10:17:46.000000000 -0400 ++++ openssl-0.9.8o.new/util/perlpath.pl 2010-06-14 10:18:04.000000000 -0400 +@@ -11,6 +11,10 @@ + + sub wanted + { ++ if (/^\.pc/) { ++ $prune = 1; ++ return; ++ } + return unless /\.pl$/ || /^[Cc]onfigur/; + + open(IN,"<$_") || die "unable to open $dir/$_:$!\n"; diff -Nru openssl-1.0.1c/debian/patches/series openssl-1.0.1c/debian/patches/series --- openssl-1.0.1c/debian/patches/series 2012-06-06 09:30:13.000000000 -0700 +++ openssl-1.0.1c/debian/patches/series 2012-11-08 17:27:18.000000000 -0800 
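Review bot: `pidof /usr/bin/X` is a fragile proxy for "server": it matches on process name, so a host whose display server runs under another binary name is treated as a server and a headless box with a leftover X process is treated as a desktop, and nothing in this script notifies the desktop case at all. Since the comment above says security updates deliberately do not restart services, a desktop receiving a libssl security update keeps the old library mapped in every running service with neither a restart nor a notification from here; the comment should name the component that covers that case (presumably update-notifier itself, per the LP reference) so the gap is documented rather than implied, e.g. `# Desktop sessions are notified by update-notifier directly; this script only covers headless hosts — TODO confirm`. The trailing comment on the new `fi # end upgrading and $2 lt 0.9.8c-2` does not match the version test visible in the earlier hunk (`lt 0.9.8g-9 && gt 0.9.8c-4etch3`); if this `fi` closes that `if`, the comment is stale. The enclosing `if [ "$1" = "configure" ]` block starts outside this hunk.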
@@ -28,7 +28,9 @@
 dgst_hmac.patch
 block_diginotar.patch
 block_digicert_malaysia.patch
-c_rehash-multi.patch
+#c_rehash-multi.patch
 renegiotate_tls.patch
 #padlock_conf.patch
 default_bits.patch
+perlpath-quilt.patch
+tls12_workarounds.patch
diff -Nru openssl-1.0.1c/debian/patches/tls12_workarounds.patch openssl-1.0.1c/debian/patches/tls12_workarounds.patch
--- openssl-1.0.1c/debian/patches/tls12_workarounds.patch 1969-12-31 16:00:00.000000000 -0800
+++ openssl-1.0.1c/debian/patches/tls12_workarounds.patch 2012-11-08 17:27:18.000000000 -0800
@@ -0,0 +1,44 @@
+Description: Work around TLS 1.2 failures for some broken servers that
+ "hang" if a client hello record length exceeds 255 bytes.
+ .
+ 1. Set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. This will truncate
+ the number of ciphers sent in the client hello.
+ 2. Set OPENSSL_NO_TLS1_2_CLIENT to disable TLS 1.2 client support
+ entirely.
+
+ Also, check TLS_get_client_version() rather than TLS1_get_versions() to avoid
+ improper truncation of client hello cipher lists. This change has been
+ forwarded upstream in rt #2881.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371
+Bug-Debian: http://bugs.debian.org/665452
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2771
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2881
+Forwarded: not-needed
+Last-Update: 2012-10-04
+
+Index: openssl-1.0.1c/Configure
+===================================================================
+--- openssl-1.0.1c.orig/Configure 2012-10-03 23:59:05.235548667 -0700
++++ openssl-1.0.1c/Configure 2012-10-04 10:34:23.076454592 -0700
+@@ -106,7 +106,7 @@
+ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+ 
+ # There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
+-my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
++my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50";
+ $debian_cflags =~ s/\n/ /g;
+ 
+ my $strict_warnings = 0;
+Index: openssl-1.0.1c/ssl/s23_clnt.c
+===================================================================
+--- openssl-1.0.1c.orig/ssl/s23_clnt.c 2012-10-03 23:46:22.967530550 -0700
++++ openssl-1.0.1c/ssl/s23_clnt.c 2012-10-04 10:33:13.820452946 -0700
+@@ -491,7 +491,7 @@
+ * as hack workaround chop number of supported ciphers
+ * to keep it well below this if we use TLS v1.2
+ */
+- if (TLS1_get_version(s) >= TLS1_2_VERSION
++ if (TLS1_get_client_version(s) >= TLS1_2_VERSION
+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+ #endif
diff -Nru openssl-1.0.1c/debian/rules openssl-1.0.1c/debian/rules
--- openssl-1.0.1c/debian/rules 2012-07-17 02:49:15.000000000 -0700
+++ openssl-1.0.1c/debian/rules 2012-11-08 17:27:18.000000000 -0800
@@ -17,11 +17,22 @@
 # The binary architeture
 DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+DEB_HOST_ARCH_OS = $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+
 DEB_HOST_MULTIARCH=$(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+DEB_HOST_GNU_TYPE=$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE=$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
+CROSS=CC=$(DEB_HOST_GNU_TYPE)-gcc
+MAKE_TEST=:
+else
+CROSS=CC=$(CC)
+MAKE_TEST=make test
+endif
+
 CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2
 OPT_alpha = ev4 ev5
-OPT_i386 = i586 i686/cmov
 ARCHOPTS = OPT_$(DEB_HOST_ARCH)
 OPTS = $($(ARCHOPTS))
 WANTED_LIBC_VERSION = 2.3.1-10
@@ -34,8 +45,8 @@
 # perl util/ssldir.pl /usr/lib/ssl
 # chmod +x debian/libtool
 ./Configure no-shared $(CONFARGS) debian-$(DEB_HOST_ARCH)
- make -f Makefile all
- make test
+ make $(CROSS) -f Makefile all
+ $(MAKE_TEST)
 mv libcrypto.a libcrypto.static
 mv libssl.a libssl.static
 make -f Makefile clean
@@ -43,22 +54,22 @@
 do \
 set -xe; \
 ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH)-$$opt; \
- make -f Makefile all; \
- make test; \
+ make $(CROSS) -f Makefile all; \
+ $(MAKE_TEST); \
 mkdir -p $$opt; \
 mv libcrypto.so* libssl.so* $$opt/; \
 make -f Makefile clean; \
 done
 ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH)
- #make -f Makefile depend
+ #make $(CROSS) -f Makefile depend
 ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/
-# make -f Makefile linux-shared
- make -f Makefile all
- make test
+# make $(CROSS) -f Makefile linux-shared
+ make $(CROSS) -f Makefile all
+ $(MAKE_TEST)
 # strip apps/openssl
 # make -f Makefile clean
 # ./Configure --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 debian-$(DEB_HOST_ARCH)
-# make -f Makefile all
+# make $(CROSS) -f Makefile all
 touch build-stamp
 clean:
@@ -66,6 +77,7 @@
 dh_testroot
 -rm -f build-stamp
 -./Configure $(CONFARGS) debian-$(DEB_HOST_ARCH)
+ -sed -i -e 's/rm -f/rm -rf/' Makefile
 [ ! -f Makefile ] || make -f Makefile clean clean-shared
 #-make -f Makefile dclean
 # perl util/ssldir.pl /usr/local/ssl
@@ -88,7 +100,7 @@
 dh_testroot
 dh_clean
 dh_installdirs
- make -f Makefile install INSTALL_PREFIX=`pwd`/debian/tmp
+ make -f Makefile $(CROSS) install INSTALL_PREFIX=`pwd`/debian/tmp
 binary-indep: build install
 dh_testdir
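Review bot: `-sed -i -e 's/rm -f/rm -rf/' Makefile` turns every `rm -f` in the generated upstream Makefile into a recursive delete, including ones whose operands are variables or globs this packaging does not control, so an empty or unexpected expansion in any upstream clean rule becomes a recursive removal instead of a no-op, and the leading `-` hides a sed failure. If the goal is to remove the per-`$$opt` directories that `mkdir -p $$opt` creates in the build loop, delete those explicitly here and leave the upstream Makefile alone: `[ -z "$(OPTS)" ] || rm -rf $(OPTS)`. Whatever is kept needs a comment naming what is being cleaned, e.g. `# remove the per-optimisation library dirs created while building`. The `clean:` target's body continues outside this hunk.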
@@ -114,12 +126,17 @@
 # mv debian/tmp/usr/lib/libssl.a debian/tmp/usr/lib/libssl_pic.a
 cp -pf libcrypto.static debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.a
 cp -pf libssl.static debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.a
+ # move runtime libraries to /lib
+ install -d debian/tmp/lib/$(DEB_HOST_MULTIARCH)
+ mv debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/lib*.so.* debian/tmp/lib/$(DEB_HOST_MULTIARCH)
+ ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so
+ ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.so) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.so
 mkdir -p debian/tmp/etc/ssl
 mv debian/tmp/usr/lib/ssl/{certs,openssl.cnf,private} debian/tmp/etc/ssl/
 ln -s /etc/ssl/{certs,openssl.cnf,private} debian/tmp/usr/lib/ssl/
- cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.0-udeb/usr/lib/
- cp -auv lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/
- for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt; cp -auv $$opt/lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt/; done
+ cp -pf debian/tmp/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.0-udeb/lib/
+ cp -pf debian/tmp/lib/$(DEB_HOST_MULTIARCH)/libssl.so.* debian/libssl1.0.0-udeb/lib/
+ for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/lib/$(DEB_HOST_MULTIARCH)/$$opt; cp -auv $$opt/lib*.so* debian/tmp/lib/$(DEB_HOST_MULTIARCH)/$$opt/; done
 install debian/copyright debian/libssl1.0.0/usr/share/doc/libssl1.0.0/
 install debian/changelog debian/libssl1.0.0/usr/share/doc/libssl1.0.0/changelog.Debian
 install debian/copyright debian/libssl-dev/usr/share/doc/libssl-dev/
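Review bot: The two `ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink ...)` lines never check that `readlink` produced anything: the exit status of a command substitution used as an argument is not seen by the recipe shell, so if the dev symlink is missing or `readlink` fails the substitution is empty and `ln -sf` silently creates `libcrypto.so` pointing at the bare `/lib/<triplet>/` directory, which only surfaces later as a link failure for libssl-dev users. Capture the target and fail the recipe when it is empty, e.g. `t=$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so) && [ -n "$$t" ] && ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$t debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so`, and likewise for libssl. A comment that the absolute target is intentional (the dev link stays in /usr/lib while the runtime object moves to /lib) would help the next reader. The enclosing install target starts and ends outside this hunk.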
@@ -132,13 +149,20 @@
 dh_installdebconf -a
 dh_movefiles -a
 dh_compress -a
+# symlink doc files
+ for p in openssl libssl-dev; do \
+ for f in changelog.Debian.gz changelog.gz copyright; do \
+ ln -sf ../libssl1.0.0/$$f debian/$$p/usr/share/doc/$$p/$$f; \
+ done; \
+ done
 chmod 700 debian/openssl/etc/ssl/private
 dh_fixperms -a -X etc/ssl/private
 dh_strip -a --dbg-package=libssl1.0.0
 dh_perl -a -d
 dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4
- dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.0)" --add-udeb="libcrypto1.0.0-udeb"
- dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH)
+ dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1)" --add-udeb="libcrypto1.0.0-udeb"
+ sed -i '/^udeb: libssl/s/libcrypto1.0.0-udeb/libssl1.0.0-udeb/' debian/libssl1.0.0/DEBIAN/shlibs
+ dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/lib/$(DEB_HOST_MULTIARCH)
 dh_gencontrol -a
 dh_installdeb -a
 dh_md5sums -a
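Review bot: The `sed -i '/^udeb: libssl/s/libcrypto1.0.0-udeb/libssl1.0.0-udeb/' debian/libssl1.0.0/DEBIAN/shlibs` line patches a file the preceding `dh_makeshlibs` just generated, with no explanation and no check that the pattern matched; if a debhelper change alters the udeb line format the sed becomes a silent no-op and the installer's libssl udeb keeps depending on the libcrypto udeb. Add a comment, e.g. `# dh_makeshlibs --add-udeb takes a single udeb name; point libssl's udeb line at libssl1.0.0-udeb`, and follow the sed with `grep -q '^udeb: libssl.* libssl1.0.0-udeb' debian/libssl1.0.0/DEBIAN/shlibs` so the build fails when the rewrite did not happen. The doc-symlink loop makes `openssl` and `libssl-dev` resolve into `/usr/share/doc/libssl1.0.0`, which is only acceptable while both packages depend on libssl1.0.0; that dependency is not visible in this diff, so a comment stating it is relied upon would help. The binary-arch target starts outside this hunk.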