Publishing details
Changelog
openssl (1.0.1f-1ubuntu10~ubuntu12.04.1~ppa1) precise; urgency=low
* No-change backport to precise
openssl (1.0.1f-1ubuntu10) vivid; urgency=medium
* SECURITY UPDATE: denial of service via unexpected handshake when
no-ssl3 build option is used (not the default)
- debian/patches/CVE-2014-3569.patch: keep the old method for now in
ssl/s23_srvr.c.
- CVE-2014-3569
* SECURITY UPDATE: bignum squaring may produce incorrect results
- debian/patches/CVE-2014-3570.patch: fix bignum logic in
crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,
crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to
crypto/bn/bntest.c.
- CVE-2014-3570
* SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record
- debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c,
ssl/s3_pkt.c.
- debian/patches/CVE-2014-3571-2.patch: make code more obvious in
ssl/d1_pkt.c.
- CVE-2014-3571
* SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client]
- debian/patches/CVE-2014-3572.patch: don't skip server key exchange in
ssl/s3_clnt.c.
- CVE-2014-3572
* SECURITY UPDATE: certificate fingerprints can be modified
- debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in
crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c,
crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h,
crypto/x509/x_all.c.
- CVE-2014-8275
* SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client]
- debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in
export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c,
ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod,
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.
- CVE-2015-0204
* SECURITY UPDATE: DH client certificates accepted without verification
- debian/patches/CVE-2015-0205.patch: prevent use of DH client
certificates without sending certificate verify message in
ssl/s3_srvr.c.
- CVE-2015-0205
* SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record
- debian/patches/CVE-2015-0206.patch: properly handle failures in
ssl/d1_pkt.c.
- CVE-2015-0206
openssl (1.0.1f-1ubuntu9) utopic; urgency=medium
* SECURITY UPDATE: denial of service via DTLS SRTP memory leak
- debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
util/ssleay.num.
- CVE-2014-3513
* SECURITY UPDATE: denial of service via session ticket integrity check
memory leak
- debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
- CVE-2014-3567
* SECURITY UPDATE: fix the no-ssl3 build option
- debian/patches/CVE-2014-3568.patch: fix conditional code in
ssl/s23_clnt.c, ssl/s23_srvr.c.
- CVE-2014-3568
* SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
protocol downgrade attack to SSLv3 that exposes the POODLE attack.
- debian/patches/tls_fallback_scsv_support.patch: added support for
TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.
openssl (1.0.1f-1ubuntu8) utopic; urgency=medium
* Backport collected POWER8 optimisations from upstream (LP: #1290579).
openssl (1.0.1f-1ubuntu7) utopic; urgency=medium
* SECURITY UPDATE: double free when processing DTLS packets
- debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
- CVE-2014-3505
* SECURITY UPDATE: DTLS memory exhaustion
- debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
checks in ssl/d1_both.c.
- CVE-2014-3506
* SECURITY UPDATE: DTLS memory leak from zero-length fragments
- debian/patches/CVE-2014-3507.patch: fix memory leak and return codes
in ssl/d1_both.c.
- CVE-2014-3507
* SECURITY UPDATE: information leak in pretty printing functions
- debian/patches/CVE-2014-3508.patch: fix OID handling in
crypto/asn1/a_object.c, crypto/objects/obj_dat.c.
- CVE-2014-3508
* SECURITY UPDATE: race condition in ssl_parse_serverhello_tlsext
- debian/patches/CVE-2014-3509.patch: fix race in ssl/t1_lib.c.
- CVE-2014-3509
* SECURITY UPDATE: DTLS anonymous EC(DH) denial of service
- debian/patches/CVE-2014-3510.patch: check for server certs in
ssl/d1_clnt.c, ssl/s3_clnt.c.
- CVE-2014-3510
* SECURITY UPDATE: TLS protocol downgrade attack
- debian/patches/CVE-2014-3511.patch: properly handle fragments in
ssl/s23_srvr.c.
- CVE-2014-3511
* SECURITY UPDATE: SRP buffer overrun
- debian/patches/CVE-2014-3512.patch: check parameters in
crypto/srp/srp_lib.c.
- CVE-2014-3512
* SECURITY UPDATE: crash with SRP ciphersuite in Server Hello message
- debian/patches/CVE-2014-5139.patch: fix SRP authentication and make
sure ciphersuite is set up correctly in ssl/s3_clnt.c, ssl/ssl_lib.c,
ssl/s3_lib.c, ssl/ssl.h, ssl/ssl_ciph.c, ssl/ssl_locl.h.
- CVE-2014-5139
openssl (1.0.1f-1ubuntu6) utopic; urgency=medium
* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
openssl (1.0.1f-1ubuntu5) utopic; urgency=medium
* SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
openssl (1.0.1f-1ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via ECDH null session cert
- debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
before dereferencing it in ssl/s3_clnt.c.
- CVE-2014-3470
openssl (1.0.1f-1ubuntu3) utopic; urgency=medium
* SECURITY UPDATE: denial of service via use after free
- debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
releasing buffers in ssl/s3_pkt.c.
- CVE-2010-5298
* SECURITY UPDATE: denial of service via null pointer dereference
- debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
one in ssl/s3_pkt.c.
- CVE-2014-0198
openssl (1.0.1f-1ubuntu2) trusty; urgency=medium
* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
- debian/patches/CVE-2014-0076.patch: add and use constant time swap in
crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
util/libeay.num.
- CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
- debian/patches/CVE-2014-0160.patch: use correct lengths in
ssl/d1_both.c, ssl/t1_lib.c.
- CVE-2014-0160
openssl (1.0.1f-1ubuntu1) trusty; urgency=low
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* Dropped changes:
- debian/patches/arm64-support: included in debian-targets.patch
- debian/patches/no_default_rdrand.patch: upstream
- debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
disabled in debian/rules
openssl (1.0.1f-1) unstable; urgency=high
* New upstream version
- Fix for TLS record tampering bug CVE-2013-4353
- Drop the snapshot patch
* update watch file to check for upstream signature and add upstream pgp key.
* Drop conflicts against openssh since we now on a released version again.
openssl (1.0.1e-6) unstable; urgency=medium
* Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<<
1:6.4p1-1.1). This is to prevent people running into #732940.
This Breaks can be removed again when we stop using a git snapshot.
openssl (1.0.1e-5) unstable; urgency=low
* Change default digest to SHA256 instead of SHA1. (Closes: #694738)
* Drop support for multiple certificates in 1 file. It never worked
properly in the first place, and the only one shipping in
ca-certificates has been split.
* Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
* Remove make-targets.patch. It prevented the test dir from being cleaned.
* Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
- Fixes CVE-2013-6449 (Closes: #732754)
- Fixes CVE-2013-6450
- Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
dtls_version.patch get_certificate.patch, since they where all
already commited upstream.
- adjust fix-pod-errors.patch for the reordering of items in the
documentation they've done trying to fix those pod errors.
- disable rdrand engine by default (Closes: #732710)
* disable zlib support. Fixes CVE-2012-4929 (Closes: #728055)
* Add arm64 support (Closes: #732348)
* Properly use the default number of bits in req when none are given
openssl (1.0.1e-4ubuntu4) trusty; urgency=low
* debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
default unless explicitly requested.
openssl (1.0.1e-4ubuntu3) trusty; urgency=medium
* Update debian configuration.
openssl (1.0.1e-4ubuntu2) trusty; urgency=low
* Re-enable full TLSv1.2 support (LP: #1257877)
- debian/patches/tls12_workarounds.patch: disable patch to re-enable
full TLSv1.2 support. Most problematic sites have been fixed now, and
we really want proper TLSv1.2 support in an LTS.
openssl (1.0.1e-4ubuntu1) trusty; urgency=low
* Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1.
openssl (1.0.1e-4) unstable; urgency=low
[ Peter Michael Green ]
* Fix pod errors (Closes: #723954)
* Fix clean target
[ Kurt Roeckx ]
* Add mipsn32 and mips64 targets. Patch from Eleanor Chen
<email address hidden> (Closes: #720654)
* Add support for nocheck in DEB_BUILD_OPTIONS
* Update Norwegian translation (Closes: #653574)
* Update description of the packages. Patch by Justin B Rye
(Closes: #719262)
* change to debhelper compat level 9:
- change dh_strip call so only the files from libssl1.0.0 get debug
symbols.
- change dh_makeshlibs call so the engines don't get added to the
shlibs
* Update Standards-Version from 3.8.0 to 3.9.5. No changes required.
openssl (1.0.1e-3ubuntu1) saucy; urgency=low
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/patches/arm64-support: Add basic arm64 support (no assembler)
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
in test suite since we disable it in the client.
* Disable compression to avoid CRIME systemwide (CVE-2012-4929).
* Dropped changes:
- debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.
openssl (1.0.1e-3) unstable; urgency=low
* Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
mark libssl-dev Multi-Arch: same.
Patch by Colin Watson <email address hidden> (Closes: #689093)
* Add Polish translation (Closes: #658162)
* Add Turkish translation (Closes: #660971)
* Enable assembler for the arm targets, and remove armeb.
Patch by Riku Voipio <email address hidden> (Closes: #676533)
* Add support for x32 (Closes: #698406)
* enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low
* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
(LP: #1187195)
- CVE-2012-4929
- debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
zlib to compress SSL/TLS unless the environment variable
OPENSSL_DEFAULT_ZLIB is set in the environment during library
initialization.
- Introduced to assist with programs not yet updated to provide their own
controls on compression, such as Postfix
- http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch
openssl (1.0.1e-2ubuntu1) saucy; urgency=low
* Resynchronise with Debian unstable. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/patches/arm64-support: Add basic arm64 support (no assembler)
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
in test suite since we disable it in the client.
* Dropped changes:
- debian/patches/CVE-2013-0169.patch: upstream.
- debian/patches/fix_key_decoding_deadlock.patch: upstream.
- debian/patches/CVE-2013-0166.patch: upstream.
openssl (1.0.1e-2) unstable; urgency=high
* Bump shlibs. It's needed for the udeb.
* Make cpuid work on cpu's that don't set ecx (Closes: #699692)
* Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
* Fix problem with DTLS version check (Closes: #701826)
* Fix segfault in SSL_get_certificate (Closes: #703031)
openssl (1.0.1e-1) unstable; urgency=high
* New upstream version (Closes: #699889)
- Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
- Drop renegiotate_tls.patch, applied upstream
- Export new CRYPTO_memcmp symbol, update symbol file
* Add ssltest_no_sslv2.patch so that "make test" works.
openssl (1.0.1c-5) unstable; urgency=low
* Re-enable assembler versions on sparc. They shouldn't have
been disabled for sparc v9. (Closes: #649841)
openssl (1.0.1c-4ubuntu8) raring; urgency=low
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
commit from upstream to fix regression.
- CVE-2013-0169
openssl (1.0.1c-4ubuntu7) raring; urgency=low
* Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)
openssl (1.0.1c-4ubuntu6) raring; urgency=low
* debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
when decoding public keys. (LP: #1066032)
openssl (1.0.1c-4ubuntu5) raring; urgency=low
* REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
LP: #1133333)
- debian/patches/CVE-2013-0169.patch: disabled for now until fix is
available from upstream.
openssl (1.0.1c-4ubuntu4) raring; urgency=low
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/CVE-2013-0166.patch: properly handle NULL key in
crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
- Fix included in CVE-2013-0169 patch
- CVE-2012-2686
openssl (1.0.1c-4ubuntu3) raring; urgency=low
* Add basic arm64 support (no assembler) (LP: #1102107)
openssl (1.0.1c-4ubuntu2) raring; urgency=low
* Enable arm assembly code. (LP: #1083498) (Closes: #676533)
openssl (1.0.1c-4ubuntu1) raring; urgency=low
* Resynchronise with Debian (LP: #1077228). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
* Dropped changes:
- Drop openssl-doc in favour of the libssl-doc package introduced by
Debian. Add Conflicts/Replaces until the next LTS release.
+ Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS
release'
openssl (1.0.1c-4) unstable; urgency=low
* Fix the configure rules for alpha (Closes: #672710)
* Switch the postinst to sh again, there never was a reason to
switch it to bash (Closes: #676398)
* Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
preprocessed. We generate the file again for pic anyway.
(Closes: #677468)
* Drop Breaks against openssh as it was only for upgrades
between versions that were only in testing/unstable.
(Closes: #668600)
openssl (1.0.1c-3ubuntu2) quantal; urgency=low
[ Tyler Hicks <email address hidden> ]
* debian/patches/tls12_workarounds.patch: Readd the change to check
TLS1_get_client_version rather than TLS1_get_version to fix incorrect
client hello cipher list truncation when TLS 1.1 and lower is in use.
(LP: #1051892)
[ Micah Gersten <email address hidden> ]
* Mark Debian Vcs-* as XS-Debian-Vcs-*
- update debian/control
openssl (1.0.1c-3ubuntu1) quantal; urgency=low
* Resynchronise with Debian. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- debian/patches/tls12_workarounds.patch: workaround large client hello
issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
with -DOPENSSL_NO_TLS1_2_CLIENT.
* Dropped upstreamed patches:
- debian/patches/CVE-2012-2110.patch
- debian/patches/CVE-2012-2110b.patch
- debian/patches/CVE-2012-2333.patch
- debian/patches/CVE-2012-0884-extra.patch
- most of debian/patches/tls12_workarounds.patch
openssl (1.0.1c-3) unstable; urgency=low
* Disable padlock engine again, causes problems for hosts not supporting it.
openssl (1.0.1c-2) unstable; urgency=high
* Fix renegiotation when using TLS > 1.0. This breaks tor. Patch from
upstream. (Closes: #675990)
* Enable the padlock engine by default.
* Change default bits from 1024 to 2048 (Closes: #487152)
openssl (1.0.1c-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-2333 (Closes: #672452)
openssl (1.0.1b-1) unstable; urgency=high
* New upstream version
- Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
can talk to servers supporting TLS 1.1 but not TLS 1.2
- Drop rc4_hmac_md5.patch, applied upstream
openssl (1.0.1a-3) unstable; urgency=low
* Use patch from upstream for the rc4_hmac_md5 issue.
openssl (1.0.1a-2) unstable; urgency=low
* Fix rc4_hmac_md5 on non-i386/amd64 arches.
openssl (1.0.1a-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-2110
- Fix crash in rc4_hmac_md5 (Closes: #666405)
- Fixes some issues with talking to other servers when TLS 1.1 and 1.2 is
supported
- Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch,
applied upstream.
openssl (1.0.1-4ubuntu6) quantal; urgency=low
* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
TLS v1.2 implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
properly when encrypting CMS messages.
-- yavdr <email address hidden> Sat, 10 Jan 2015 16:48:30 +0100
Builds
Built packages
-
libcrypto1.0.0-udeb
Secure Sockets Layer toolkit - libcrypto udeb
-
libssl-dev
Secure Sockets Layer toolkit - development files
-
libssl-doc
Secure Sockets Layer toolkit - development documentation
-
libssl1.0.0
Secure Sockets Layer toolkit - shared libraries
-
libssl1.0.0-dbg
Secure Sockets Layer toolkit - debug information
-
libssl1.0.0-udeb
ssl shared library - udeb
-
openssl
Secure Sockets Layer toolkit - cryptographic utility
Package files