Please merge openssl 1.0.0e-2 from debian
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
openssl 1.0.0e-2 fixes CVE-2011-1945, CVE-2011-3207 and CVE-2011-3210, as well as includes blacklisting of DigiNotar certificates (to catch some compromised subsidiary DigiNotar certificates that were cross-signed by other CAs; thus the removal of the DigiNotar CA certificate from ca-certificates won't block their usage).
The debian changes since 1.0.0d-2 are all bugfixes:
openssl (1.0.0e-2) unstable; urgency=low
* Add a missing $(DEB_HOST_
-- Kurt Roeckx <email address hidden> Sat, 10 Sep 2011 17:02:29 +0200
openssl (1.0.0e-1) unstable; urgency=low
* New upstream version
- Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207)
- Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH. (CVE-2011-3210)
- Add protection against ECDSA timing attacks (CVE-2011-1945)
* Block DigiNotar certifiates. Patch from
Raphael Geissert <email address hidden>
* Generate hashes for all certs in a file (Closes: #628780, #594524)
Patch from Klaus Ethgen <email address hidden>
* Add multiarch support (Closs: #638137)
Patch from Steve Langasek / Ubuntu
* Symbols from the gost engine were removed because it didn't have
a linker file. Thanks to Roman I Khimov <email address hidden>
(Closes: #631503)
* Add support for s390x. Patch from Aurelien Jarno <email address hidden>
(Closes: #641100)
* Add build-arch and build-indep targets to the rules file.
-- Kurt Roeckx <email address hidden> Sat, 10 Sep 2011 12:03:13 +0200
openssl (1.0.0d-3) unstable; urgency=low
* Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
* Apply patches from Scott Schaefer <email address hidden> to
fix various pod and spelling errors. (Closes: #622820, #605561)
* Add missing symbols for the engines (Closes: #623038)
* More spelling fixes from Scott Schaefer (Closes: #395424)
* Patch from Scott Schaefer to better document pkcs12 password options
(Closes: #462489)
* Document dgst -hmac option. Patch by Thorsten Glaser <email address hidden>
(Closes: #529586)
-- Kurt Roeckx <email address hidden> Mon, 13 Jun 2011 12:39:54 +0200
and the upstream release 1.0.0e is a bugfix-only release as well:
+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
+
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <email address hidden>]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH. (CVE-2011-3210)
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
+
+ *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
+ signature public key algorithm by using OID xref utilities instead.
+ Before this you could only use some ECC ciphersuites with SHA1 only.
+ [Steve Henson]
+
+ *) Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+
+ http://
+
+ [Billy Bob Brumley and Nicola Tuveri]
+
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
Related branches
- Marc Deslauriers: Approve
- Ubuntu branches: Pending requested
-
Diff: 27465 lines (+20613/-1941)206 files modified.pc/Bsymbolic-functions.patch/Configure (+2/-1)
.pc/aesni.patch/Configure (+2/-1)
.pc/aesni.patch/util/libeay.num (+5/-0)
.pc/applied-patches (+12/-0)
.pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0)
.pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0)
.pc/config-hurd.patch/config (+4/-0)
.pc/dgst_hmac.patch/apps/dgst.c (+632/-0)
.pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0)
.pc/engines-path.patch/Configure (+2/-1)
.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0)
.pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0)
.pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0)
.pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0)
.pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0)
.pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0)
.pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0)
.pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0)
.pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0)
.pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0)
.pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0)
.pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0)
.pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2)
.pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0)
.pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0)
.pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0)
.pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0)
.pc/shared-lib-ext.patch/Configure (+2/-1)
.pc/version-script.patch/Configure (+2/-1)
CHANGES (+42/-1)
Configure (+2/-1)
FAQ (+1/-1)
INSTALL.VMS (+24/-30)
Makefile (+1/-1)
Makefile.bak (+640/-0)
NEWS (+8/-0)
README (+1/-1)
VMS/install-vms.com (+67/-0)
VMS/install.com (+0/-79)
VMS/mkshared.com (+163/-99)
VMS/openssl_startup.com (+108/-0)
VMS/openssl_undo.com (+20/-0)
apps/CA.com (+58/-42)
apps/apps.c (+6/-0)
apps/asn1pars.c (+1/-0)
apps/ca.c (+1/-1)
apps/dgst.c (+2/-0)
apps/ecparam.c (+2/-2)
apps/enc.c (+4/-0)
apps/install-apps.com (+107/-0)
apps/install.com (+0/-65)
apps/makeapps.com (+231/-118)
apps/openssl.c (+62/-2)
apps/pkcs12.c (+1/-1)
apps/speed.c (+2/-0)
apps/vms_decc_init.c (+188/-0)
config (+4/-0)
crypto/LPdir_vms.c (+28/-21)
crypto/alphacpuid.pl (+3/-5)
crypto/asn1/a_object.c (+2/-2)
crypto/asn1/asn1_err.c (+1/-1)
crypto/asn1/bio_ndef.c (+0/-3)
crypto/asn1/x_name.c (+5/-2)
crypto/bio/b_sock.c (+28/-1)
crypto/bio/bss_dgram.c (+12/-6)
crypto/bio/bss_log.c (+29/-3)
crypto/bn/asm/alpha-mont.pl (+1/-1)
crypto/bn/asm/s390x-mont.pl (+2/-2)
crypto/bn/bn.h (+18/-0)
crypto/bn/bn_gf2m.c (+1/-0)
crypto/bn/bn_mont.c (+1/-1)
crypto/bn/bn_nist.c (+36/-28)
crypto/conf/conf_api.c (+1/-0)
crypto/cryptlib.c (+0/-1)
crypto/crypto-lib.com (+241/-129)
crypto/dsa/dsa_pmeth.c (+1/-0)
crypto/dso/dso_dlfcn.c (+1/-0)
crypto/dso/dso_vms.c (+103/-82)
crypto/ecdsa/ecdsatest.c (+2/-3)
crypto/ecdsa/ecs_ossl.c (+8/-0)
crypto/evp/encode.c (+1/-1)
crypto/evp/evp_test.c (+1/-0)
crypto/hmac/hm_pmeth.c (+2/-0)
crypto/install-crypto.com (+196/-0)
crypto/install.com (+0/-150)
crypto/o_time.c (+14/-8)
crypto/ocsp/ocsp_lib.c (+4/-4)
crypto/opensslv.h (+3/-3)
crypto/perlasm/cbc.pl (+0/-2)
crypto/rand/rand_vms.c (+14/-2)
crypto/rand/randfile.c (+2/-0)
crypto/rsa/rsa_oaep.c (+13/-7)
crypto/stack/safestack.h (+25/-25)
crypto/vms_rms.h (+51/-0)
crypto/x509/x509_vfy.c (+31/-0)
debian/changelog (+77/-0)
debian/libssl1.0.0.postinst (+5/-1)
debian/patches/Bsymbolic-functions.patch (+7/-3)
debian/patches/aesni.patch (+29/-14)
debian/patches/block_diginotar.patch (+64/-0)
debian/patches/c_rehash-multi.patch (+86/-0)
debian/patches/debian-targets.patch (+3/-2)
debian/patches/dgst_hmac.patch (+51/-0)
debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0)
debian/patches/libssl-misspell.patch (+11/-0)
debian/patches/openssl-pod-misspell.patch (+137/-0)
debian/patches/pkcs12-doc.patch (+36/-0)
debian/patches/pod_ec.misspell.patch (+11/-0)
debian/patches/pod_pksc12.misspell.patch (+11/-0)
debian/patches/pod_req_misspell2.patch (+12/-0)
debian/patches/pod_s_server.misspell.patch (+11/-0)
debian/patches/pod_x509setflags.misspell.patch (+11/-0)
debian/patches/rehash_pod.patch (+2/-2)
debian/patches/series (+12/-0)
debian/patches/version-script.patch (+22/-4)
debian/rules (+3/-1)
doc/apps/c_rehash.pod (+2/-2)
doc/apps/config.pod (+1/-1)
doc/apps/dgst.pod (+10/-0)
doc/apps/ec.pod (+1/-1)
doc/apps/genpkey.pod (+2/-0)
doc/apps/openssl.pod (+2/-2)
doc/apps/pkcs12.pod (+7/-2)
doc/apps/req.pod (+2/-2)
doc/apps/s_server.pod (+1/-1)
doc/apps/ts.pod (+2/-2)
doc/apps/tsget.pod (+1/-1)
doc/apps/x509v3_config.pod (+1/-1)
doc/crypto/ASN1_generate_nconf.pod (+1/-1)
doc/crypto/BN_BLINDING_new.pod (+1/-1)
doc/crypto/EVP_BytesToKey.pod (+1/-1)
doc/crypto/EVP_EncryptInit.pod (+1/-1)
doc/crypto/EVP_PKEY_cmp.pod (+1/-1)
doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0)
doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1)
doc/crypto/pem.pod (+1/-1)
doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0)
doc/ssl/SSL_CTX_set_verify.pod (+2/-2)
doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0)
doc/ssl/SSL_accept.pod (+8/-0)
doc/ssl/SSL_connect.pod (+11/-11)
doc/ssl/SSL_do_handshake.pod (+8/-0)
doc/ssl/SSL_shutdown.pod (+8/-0)
doc/ssl/ssl.pod (+1/-1)
engines/ccgost/gost_crypt.c (+2/-1)
engines/ccgost/openssl.ld (+10/-0)
engines/e_capi_err.h (+4/-0)
engines/makeengines.com (+215/-111)
engines/openssl.ld (+3/-0)
install.com (+127/-92)
makevms.com (+274/-152)
ms/uplink.c (+2/-1)
openssl.spec (+1/-1)
ssl/bio_ssl.c (+4/-0)
ssl/d1_both.c (+10/-18)
ssl/d1_clnt.c (+4/-2)
ssl/d1_lib.c (+57/-8)
ssl/d1_pkt.c (+11/-9)
ssl/d1_srvr.c (+19/-7)
ssl/install-ssl.com (+136/-0)
ssl/install.com (+0/-90)
ssl/s3_clnt.c (+2/-0)
ssl/s3_lib.c (+6/-0)
ssl/s3_pkt.c (+4/-2)
ssl/s3_srvr.c (+16/-7)
ssl/ssl-lib.com (+213/-115)
ssl/ssl_lib.c (+13/-19)
test/bntest.com (+7/-0)
test/clean_test.com (+35/-0)
test/cms-test.pl (+2/-2)
test/maketests.com (+210/-111)
test/tcrl.com (+10/-7)
test/testca.com (+5/-3)
test/testenc.com (+8/-5)
test/testgen.com (+13/-9)
test/tests.com (+65/-38)
test/testss.com (+10/-7)
test/testssl.com (+12/-8)
test/testtsa.com (+38/-35)
test/tpkcs7.com (+10/-7)
test/tpkcs7d.com (+10/-7)
test/treq.com (+10/-7)
test/trsa.com (+8/-5)
test/tsid.com (+10/-7)
test/tverify.com (+6/-4)
test/tx509.com (+10/-7)
tools/c_rehash.in (+44/-28)
util/libeay.num (+6/-1)
util/mkdef.pl (+2/-0)
util/mkerr.pl (+1/-1)
Merge request has been attached. I have tested the result of the merge builds successfully with no changes in the results of the openssl build time regression tests as well as the openssl tests in the lp:qa-regression-testing branch.