Skip to content

Instantly share code, notes, and snippets.

@henare

henare/changelog.txt

Created July 15, 2019 04:24
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save henare/643db8184feb1dd26bf03bc453eb05bd to your computer and use it in GitHub Desktop.
Save henare/643db8184feb1dd26bf03bc453eb05bd to your computer and use it in GitHub Desktop.
Download ZIP
openssl 1.0.1f-1ubuntu2.27 changelog
Raw
changelog.txt
openssl (1.0.1f-1ubuntu2.27) trusty-security; urgency=medium
* SECURITY UPDATE: PortSmash side channel attack
- debian/patches/CVE-2018-5407.patch: fix timing vulnerability in
crypto/bn/bn_lib.c, crypto/ec/ec_mult.c.
- CVE-2018-5407
* SECURITY UPDATE: timing side channel attack in DSA
- debian/patches/CVE-2018-0734-pre1.patch: address a timing side
channel in crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-2.patch: fix mod inverse in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
crypto/dsa/dsa_ossl.c.
- CVE-2018-0734
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Dec 2018 10:36:19 -0500
openssl (1.0.1f-1ubuntu2.26) trusty-security; urgency=medium
* SECURITY UPDATE: ECDSA key extraction side channel
- debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA
signature in crypto/ecdsa/ecdsatest.c, crypto/ecdsa/ecs_ossl.c.
- CVE-2018-0495
* SECURITY UPDATE: denial of service via long prime values
- debian/patches/CVE-2018-0732.patch: reject excessively large primes
in DH key generation in crypto/dh/dh_key.c.
- CVE-2018-0732
* SECURITY UPDATE: RSA cache timing side channel attack
(previous update was incomplete)
- debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in
crypto/rsa/rsa_gen.c.
- debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in
crypto/rsa/rsa_gen.c.
- debian/patches/CVE-2018-0737-3.patch: consttime flag changed in
crypto/rsa/rsa_gen.c.
- debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and
BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in
crypto/rsa/rsa_gen.c.
- CVE-2018-0737
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 20 Jun 2018 07:57:40 -0400
openssl (1.0.1f-1ubuntu2.25) trusty-security; urgency=medium
* SECURITY UPDATE: Cache timing side channel
- debian/patches/CVE-2018-0737.patch: ensure BN_mod_inverse
and BN_mod_exp_mont get called with BN_FLG_CONSTTIME flag set
in crypto/rsa/rsa_gen.c.
- CVE-2018-0737
-- Leonidas S. Barbosa <leo.barbosa@canonical.com> Wed, 18 Apr 2018 14:54:20 -0300
openssl (1.0.1f-1ubuntu2.24) trusty-security; urgency=medium
* SECURITY UPDATE: DoS via ASN.1 types with a recursive definition
- debian/patches/CVE-2018-0739.patch: limit stack depth in
crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c.
- CVE-2018-0739
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 27 Mar 2018 14:31:59 -0400
openssl (1.0.1f-1ubuntu2.23) trusty-security; urgency=medium
* SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
- debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
crypto/x509v3/v3_addr.c.
- CVE-2017-3735
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 02 Nov 2017 11:30:53 -0400
openssl (1.0.1f-1ubuntu2.22) trusty-security; urgency=medium
* SECURITY UPDATE: Pointer arithmetic undefined behaviour
- debian/patches/CVE-2016-2177-pre.patch: check for ClientHello message
overruns in ssl/s3_srvr.c.
- debian/patches/CVE-2016-2177-pre2.patch: validate ClientHello
extension field length in ssl/t1_lib.c.
- debian/patches/CVE-2016-2177-pre3.patch: pass in a limit rather than
calculate it in ssl/s3_srvr.c, ssl/ssl_locl.h, ssl/t1_lib.c.
- debian/patches/CVE-2016-2177.patch: avoid undefined pointer
arithmetic in ssl/s3_srvr.c, ssl/t1_lib.c,
- CVE-2016-2177
* SECURITY UPDATE: ECDSA P-256 timing attack key recovery
- debian/patches/CVE-2016-7056.patch: use BN_mod_exp_mont_consttime in
crypto/ec/ec.h, crypto/ec/ec_lcl.h, crypto/ec/ec_lib.c,
crypto/ecdsa/ecs_ossl.c.
- CVE-2016-7056
* SECURITY UPDATE: DoS via warning alerts
- debian/patches/CVE-2016-8610.patch: don't allow too many consecutive
warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h,
ssl/ssl_locl.h.
- debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record
type is received in ssl/s3_pkt.c.
- CVE-2016-8610
* SECURITY UPDATE: Truncated packet could crash via OOB read
- debian/patches/CVE-2017-3731-pre.patch: sanity check
EVP_CTRL_AEAD_TLS_AAD in crypto/evp/e_aes.c,
crypto/evp/e_aes_cbc_hmac_sha1.c, crypto/evp/e_rc4_hmac_md5.c,
crypto/evp/evp.h, ssl/t1_enc.c.
- debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in
crypto/evp/e_rc4_hmac_md5.c.
- CVE-2017-3731
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 30 Jan 2017 11:38:06 -0500
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium
* SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883)
- debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow
check in crypto/bn/bn_print.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 23 Sep 2016 07:57:00 -0400
openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium
* SECURITY UPDATE: Constant time flag not preserved in DSA signing
- debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
crypto/dsa/dsa_ossl.c.
- CVE-2016-2178
* SECURITY UPDATE: DTLS buffered message DoS
- debian/patches/CVE-2016-2179.patch: fix queue handling in
ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
ssl/ssl_locl.h.
- CVE-2016-2179
* SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
- debian/patches/CVE-2016-2180.patch: fix text handling in
crypto/ts/ts_lib.c.
- CVE-2016-2180
* SECURITY UPDATE: DTLS replay protection DoS
- debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
records in ssl/d1_pkt.c.
- debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
- debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
- CVE-2016-2181
* SECURITY UPDATE: OOB write in BN_bn2dec()
- debian/patches/CVE-2016-2182.patch: don't overflow buffer in
crypto/bn/bn_print.c.
- CVE-2016-2182
* SECURITY UPDATE: SWEET32 Mitigation
- debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
to MEDIUM in ssl/s3_lib.c.
- CVE-2016-2183
* SECURITY UPDATE: Malformed SHA512 ticket DoS
- debian/patches/CVE-2016-6302.patch: sanity check ticket length in
ssl/t1_lib.c.
- CVE-2016-6302
* SECURITY UPDATE: OOB write in MDC2_Update()
- debian/patches/CVE-2016-6303.patch: avoid overflow in
crypto/mdc2/mdc2dgst.c.
- CVE-2016-6303
* SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
- debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
handshake in ssl/t1_lib.c.
- CVE-2016-6304
* SECURITY UPDATE: Certificate message OOB reads
- debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
ssl/s3_srvr.c.
- debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
larger in ssl/d1_both.c, ssl/s3_both.c.
- CVE-2016-6306
* SECURITY REGRESSION: DTLS regression (LP: #1622500)
- debian/patches/CVE-2014-3571-3.patch: make DTLS always act as if
read_ahead is set in ssl/s3_pkt.c.
* debian/patches/update-expired-smime-test-certs.patch: Update test
certificates that have expired and caused build test failures.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Sep 2016 13:38:15 -0400
openssl (1.0.1f-1ubuntu2.19) trusty-security; urgency=medium
* SECURITY UPDATE: EVP_EncodeUpdate overflow
- debian/patches/CVE-2016-2105.patch: properly check lengths in
crypto/evp/encode.c, add documentation to
doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod.
- CVE-2016-2105
* SECURITY UPDATE: EVP_EncryptUpdate overflow
- debian/patches/CVE-2016-2106.patch: fix overflow in
crypto/evp/evp_enc.c.
- CVE-2016-2106
* SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check
- debian/patches/CVE-2016-2107.patch: check that there are enough
padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c.
- CVE-2016-2107
* SECURITY UPDATE: Memory corruption in the ASN.1 encoder
- debian/patches/CVE-2016-2108-1.patch: don't mishandle zero if it is
marked as negative in crypto/asn1/a_int.c.
- debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c,
crypto/asn1/tasn_enc.c.
- CVE-2016-2108
* SECURITY UPDATE: ASN.1 BIO excessive memory allocation
- debian/patches/CVE-2016-2109.patch: properly handle large amounts of
data in crypto/asn1/a_d2i_fp.c.
- CVE-2016-2109
* debian/patches/min_1024_dh_size.patch: change minimum DH size from 768
to 1024.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 28 Apr 2016 11:22:20 -0400
openssl (1.0.1f-1ubuntu2.18) trusty-security; urgency=medium
* SECURITY UPDATE: side channel attack on modular exponentiation
- debian/patches/CVE-2016-0702.patch: use constant-time calculations in
crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
- CVE-2016-0702
* SECURITY UPDATE: double-free in DSA code
- debian/patches/CVE-2016-0705.patch: fix double-free in
crypto/dsa/dsa_ameth.c.
- CVE-2016-0705
* SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
- debian/patches/CVE-2016-0797.patch: prevent overflow in
crypto/bn/bn_print.c, crypto/bn/bn.h.
- CVE-2016-0797
* SECURITY UPDATE: memory leak in SRP database lookups
- debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
introduce new SRP_VBASE_get1_by_user function that handled seed
properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
util/libeay.num, openssl.ld.
- CVE-2016-0798
* SECURITY UPDATE: memory issues in BIO_*printf functions
- debian/patches/CVE-2016-0799.patch: prevent overflow in
crypto/bio/b_print.c.
- CVE-2016-0799
* debian/patches/preserve_digests_for_sni.patch: preserve negotiated
digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
(LP: #1550643)
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 29 Feb 2016 07:56:15 -0500
openssl (1.0.1f-1ubuntu2.17) trusty-security; urgency=medium
* debian/patches/alt-cert-chains-*.patch: backport series of upstream
commits to add alternate chains support. This will allow the future
removal of 1024-bit RSA keys from the ca-certificates package.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 05 Feb 2016 16:14:26 -0500
openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium
* SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
* SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
crypto/asn1/tasn_dec.c.
- CVE-2015-3195
* SECURITY UPDATE: Race condition handling PSK identify hint
- debian/patches/CVE-2015-3196.patch: fix PSK handling in
ssl/s3_clnt.c, ssl/s3_srvr.c.
- CVE-2015-3196
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 04 Dec 2015 08:20:52 -0500
openssl (1.0.1f-1ubuntu2.15) trusty-security; urgency=medium
* SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
- debian/patches/reject_small_dh.patch: reject small dh keys in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, update documentation in
doc/ssl/SSL_CTX_set_tmp_dh_callback.pod, make s_server use 2048-bit
dh in apps/s_server.c, clarify docs in doc/apps/dhparam.pod.
* SECURITY UPDATE: denial of service and possible code execution via
invalid free in DTLS
- debian/patches/CVE-2014-8176.patch: fix invalid free in ssl/d1_lib.c.
- CVE-2014-8176
* SECURITY UPDATE: denial of service via malformed ECParameters
- debian/patches/CVE-2015-1788.patch: improve logic in
crypto/bn/bn_gf2m.c.
- CVE-2015-1788
* SECURITY UPDATE: denial of service via out-of-bounds read in
X509_cmp_time
- debian/patches/CVE-2015-1789.patch: properly parse time format in
crypto/x509/x509_vfy.c.
- CVE-2015-1789
* SECURITY UPDATE: denial of service via missing EnvelopedContent
- debian/patches/CVE-2015-1790.patch: handle NULL data_body in
crypto/pkcs7/pk7_doit.c.
- CVE-2015-1790
* SECURITY UPDATE: race condition in NewSessionTicket
- debian/patches/CVE-2015-1791.patch: create a new session in
ssl/s3_clnt.c, ssl/ssl.h, ssl/ssl_err.c, ssl/ssl_locl.h,
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-2.patch: fix kerberos issue in
ssl/ssl_sess.c.
- debian/patches/CVE-2015-1791-3.patch: more ssl_session_dup fixes in
ssl/ssl_sess.c.
- CVE-2015-1791
* SECURITY UPDATE: CMS verify infinite loop with unknown hash function
- debian/patches/CVE-2015-1792.patch: fix infinite loop in
crypto/cms/cms_smime.c.
- CVE-2015-1792
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 11 Jun 2015 07:34:23 -0400
openssl (1.0.1f-1ubuntu2.12) trusty-security; urgency=medium
* SECURITY IMPROVEMENT: Disable EXPORT ciphers by default
- debian/patches/disable_export_ciphers.patch: remove export ciphers
from the DEFAULT cipher list in ssl/ssl.h, ssl/ssl_ciph.c,
doc/apps/ciphers.pod.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 28 May 2015 08:58:02 -0400
openssl (1.0.1f-1ubuntu2.11) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service and possible memory corruption via
malformed EC private key
- debian/patches/CVE-2015-0209.patch: fix use after free in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2015-0209-2.patch: fix a failure to NULL a pointer
freed on error in crypto/asn1/x_x509.c, crypto/ec/ec_asn1.c.
- CVE-2015-0209
* SECURITY UPDATE: denial of service via cert verification
- debian/patches/CVE-2015-0286.patch: handle boolean types in
crypto/asn1/a_type.c.
- CVE-2015-0286
* SECURITY UPDATE: ASN.1 structure reuse memory corruption
- debian/patches/CVE-2015-0287.patch: free up structures in
crypto/asn1/tasn_dec.c.
- CVE-2015-0287
* SECURITY UPDATE: denial of service via invalid certificate key
- debian/patches/CVE-2015-0288.patch: check public key isn't NULL in
crypto/x509/x509_req.c.
- CVE-2015-0288
* SECURITY UPDATE: denial of service and possible code execution via
PKCS#7 parsing
- debian/patches/CVE-2015-0289.patch: handle missing content in
crypto/pkcs7/pk7_doit.c, crypto/pkcs7/pk7_lib.c.
- CVE-2015-0289
* SECURITY UPDATE: denial of service or memory corruption via base64
decoding
- debian/patches/CVE-2015-0292.patch: prevent underflow in
crypto/evp/encode.c.
- CVE-2015-0292
* SECURITY UPDATE: denial of service via assert in SSLv2 servers
- debian/patches/CVE-2015-0293.patch: check key lengths in
ssl/s2_lib.c, ssl/s2_srvr.c.
- debian/patches/CVE-2015-0293-2.patch: fix unsigned/signed warnings in
ssl/s2_srvr.c.
- CVE-2015-0293
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Mar 2015 10:04:30 -0400
openssl (1.0.1f-1ubuntu2.8) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via unexpected handshake when
no-ssl3 build option is used (not the default)
- debian/patches/CVE-2014-3569.patch: keep the old method for now in
ssl/s23_srvr.c.
- CVE-2014-3569
* SECURITY UPDATE: bignum squaring may produce incorrect results
- debian/patches/CVE-2014-3570.patch: fix bignum logic in
crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,
crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to
crypto/bn/bntest.c.
- CVE-2014-3570
* SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record
- debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c,
ssl/s3_pkt.c.
- debian/patches/CVE-2014-3571-2.patch: make code more obvious in
ssl/d1_pkt.c.
- CVE-2014-3571
* SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client]
- debian/patches/CVE-2014-3572.patch: don't skip server key exchange in
ssl/s3_clnt.c.
- CVE-2014-3572
* SECURITY UPDATE: certificate fingerprints can be modified
- debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in
crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c,
crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h,
crypto/x509/x_all.c.
- CVE-2014-8275
* SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client]
- debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in
export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c,
ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod,
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.
- CVE-2015-0204
* SECURITY UPDATE: DH client certificates accepted without verification
- debian/patches/CVE-2015-0205.patch: prevent use of DH client
certificates without sending certificate verify message in
ssl/s3_srvr.c.
- CVE-2015-0205
* SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record
- debian/patches/CVE-2015-0206.patch: properly handle failures in
ssl/d1_pkt.c.
- CVE-2015-0206
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 09 Jan 2015 09:57:48 -0500
openssl (1.0.1f-1ubuntu2.7) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via DTLS SRTP memory leak
- debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c,
ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl,
util/ssleay.num.
- CVE-2014-3513
* SECURITY UPDATE: denial of service via session ticket integrity check
memory leak
- debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c.
- CVE-2014-3567
* SECURITY UPDATE: fix the no-ssl3 build option
- debian/patches/CVE-2014-3568.patch: fix conditional code in
ssl/s23_clnt.c, ssl/s23_srvr.c.
- CVE-2014-3568
* SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a
protocol downgrade attack to SSLv3 that exposes the POODLE attack.
- debian/patches/tls_fallback_scsv_support.patch: added support for
TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec,
ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c,
ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h,
ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h,
doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Oct 2014 12:56:03 -0400
openssl (1.0.1f-1ubuntu2.5) trusty-security; urgency=medium
* SECURITY UPDATE: double free when processing DTLS packets
- debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c.
- CVE-2014-3505
* SECURITY UPDATE: DTLS memory exhaustion
- debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size
checks in ssl/d1_both.c.
- CVE-2014-3506
* SECURITY UPDATE: DTLS memory leak from zero-length fragments
- debian/patches/CVE-2014-3507.patch: fix memory leak and return codes
in ssl/d1_both.c.
- CVE-2014-3507
* SECURITY UPDATE: information leak in pretty printing functions
- debian/patches/CVE-2014-3508.patch: fix OID handling in
crypto/asn1/a_object.c, crypto/objects/obj_dat.c.
- CVE-2014-3508
* SECURITY UPDATE: race condition in ssl_parse_serverhello_tlsext
- debian/patches/CVE-2014-3509.patch: fix race in ssl/t1_lib.c.
- CVE-2014-3509
* SECURITY UPDATE: DTLS anonymous EC(DH) denial of service
- debian/patches/CVE-2014-3510.patch: check for server certs in
ssl/d1_clnt.c, ssl/s3_clnt.c.
- CVE-2014-3510
* SECURITY UPDATE: TLS protocol downgrade attack
- debian/patches/CVE-2014-3511.patch: properly handle fragments in
ssl/s23_srvr.c.
- CVE-2014-3511
* SECURITY UPDATE: SRP buffer overrun
- debian/patches/CVE-2014-3512.patch: check parameters in
crypto/srp/srp_lib.c.
- CVE-2014-3512
* SECURITY UPDATE: crash with SRP ciphersuite in Server Hello message
- debian/patches/CVE-2014-5139.patch: fix SRP authentication and make
sure ciphersuite is set up correctly in ssl/s3_clnt.c, ssl/ssl_lib.c,
ssl/s3_lib.c, ssl/ssl.h, ssl/ssl_ciph.c, ssl/ssl_locl.h.
- CVE-2014-5139
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 07 Aug 2014 08:03:21 -0400
openssl (1.0.1f-1ubuntu2.4) trusty-security; urgency=medium
* SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Jun 2014 13:55:11 -0400
openssl (1.0.1f-1ubuntu2.3) trusty-security; urgency=medium
* SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 12 Jun 2014 08:29:16 -0400
openssl (1.0.1f-1ubuntu2.2) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
* SECURITY UPDATE: denial of service via DTLS recursion flaw
- debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
recursion in ssl/d1_both.c.
- CVE-2014-0221
* SECURITY UPDATE: MITM via change cipher spec
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- CVE-2014-0224
* SECURITY UPDATE: denial of service via ECDH null session cert
- debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
before dereferencing it in ssl/s3_clnt.c.
- CVE-2014-3470
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 02 Jun 2014 13:57:34 -0400
openssl (1.0.1f-1ubuntu2.1) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via use after free
- debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
releasing buffers in ssl/s3_pkt.c.
- CVE-2010-5298
* SECURITY UPDATE: denial of service via null pointer dereference
- debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
one in ssl/s3_pkt.c.
- CVE-2014-0198
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 May 2014 15:23:01 -0400
openssl (1.0.1f-1ubuntu2) trusty; urgency=medium
* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
- debian/patches/CVE-2014-0076.patch: add and use constant time swap in
crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
util/libeay.num.
- CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
- debian/patches/CVE-2014-0160.patch: use correct lengths in
ssl/d1_both.c, ssl/t1_lib.c.
- CVE-2014-0160
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 07 Apr 2014 15:37:53 -0400
openssl (1.0.1f-1ubuntu1) trusty; urgency=low
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* Dropped changes:
- debian/patches/arm64-support: included in debian-targets.patch
- debian/patches/no_default_rdrand.patch: upstream
- debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
disabled in debian/rules
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 08 Jan 2014 15:57:24 -0500
openssl (1.0.1f-1) unstable; urgency=high
* New upstream version
- Fix for TLS record tampering bug CVE-2013-4353
- Drop the snapshot patch
* update watch file to check for upstream signature and add upstream pgp key.
* Drop conflicts against openssh since we now on a released version again.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 18:50:54 +0100
openssl (1.0.1e-6) unstable; urgency=medium
* Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<<
1:6.4p1-1.1). This is to prevent people running into #732940.
This Breaks can be removed again when we stop using a git snapshot.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 23 Dec 2013 15:19:17 +0100
openssl (1.0.1e-5) unstable; urgency=low
* Change default digest to SHA256 instead of SHA1. (Closes: #694738)
* Drop support for multiple certificates in 1 file. It never worked
properly in the first place, and the only one shipping in
ca-certificates has been split.
* Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
* Remove make-targets.patch. It prevented the test dir from being cleaned.
* Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
- Fixes CVE-2013-6449 (Closes: #732754)
- Fixes CVE-2013-6450
- Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
dtls_version.patch get_certificate.patch, since they where all
already commited upstream.
- adjust fix-pod-errors.patch for the reordering of items in the
documentation they've done trying to fix those pod errors.
- disable rdrand engine by default (Closes: #732710)
* disable zlib support. Fixes CVE-2012-4929 (Closes: #728055)
* Add arm64 support (Closes: #732348)
* Properly use the default number of bits in req when none are given
-- Kurt Roeckx <kurt@roeckx.be> Sun, 22 Dec 2013 19:25:35 +0100
openssl (1.0.1e-4ubuntu4) trusty; urgency=low
* debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
default unless explicitly requested.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Dec 2013 15:39:22 -0500
openssl (1.0.1e-4ubuntu3) trusty; urgency=medium
* Update debian configuration.
-- Matthias Klose <doko@ubuntu.com> Thu, 05 Dec 2013 14:34:48 +0100
openssl (1.0.1e-4ubuntu2) trusty; urgency=low
* Re-enable full TLSv1.2 support (LP: #1257877)
- debian/patches/tls12_workarounds.patch: disable patch to re-enable
full TLSv1.2 support. Most problematic sites have been fixed now, and
we really want proper TLSv1.2 support in an LTS.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 04 Dec 2013 12:33:44 -0500
openssl (1.0.1e-4ubuntu1) trusty; urgency=low
* Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1.
-- Matthias Klose <doko@ubuntu.com> Wed, 04 Dec 2013 11:28:00 +0100
openssl (1.0.1e-4) unstable; urgency=low
[ Peter Michael Green ]
* Fix pod errors (Closes: #723954)
* Fix clean target
[ Kurt Roeckx ]
* Add mipsn32 and mips64 targets. Patch from Eleanor Chen
<chenyueg@gmail.com> (Closes: #720654)
* Add support for nocheck in DEB_BUILD_OPTIONS
* Update Norwegian translation (Closes: #653574)
* Update description of the packages. Patch by Justin B Rye
(Closes: #719262)
* change to debhelper compat level 9:
- change dh_strip call so only the files from libssl1.0.0 get debug
symbols.
- change dh_makeshlibs call so the engines don't get added to the
shlibs
* Update Standards-Version from 3.8.0 to 3.9.5. No changes required.
-- Kurt Roeckx <kurt@roeckx.be> Fri, 01 Nov 2013 17:11:53 +0100
openssl (1.0.1e-3ubuntu1) saucy; urgency=low
* Merge with Debian, remaining changes.
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/patches/arm64-support: Add basic arm64 support (no assembler)
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
in test suite since we disable it in the client.
* Disable compression to avoid CRIME systemwide (CVE-2012-4929).
* Dropped changes:
- debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.
-- Matthias Klose <doko@ubuntu.com> Mon, 15 Jul 2013 14:07:52 +0200
openssl (1.0.1e-3) unstable; urgency=low
* Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
mark libssl-dev Multi-Arch: same.
Patch by Colin Watson <cjwatson@ubuntu.com> (Closes: #689093)
* Add Polish translation (Closes: #658162)
* Add Turkish translation (Closes: #660971)
* Enable assembler for the arm targets, and remove armeb.
Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533)
* Add support for x32 (Closes: #698406)
* enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 20 May 2013 16:56:06 +0200
openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low
* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
(LP: #1187195)
- CVE-2012-4929
- debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
zlib to compress SSL/TLS unless the environment variable
OPENSSL_DEFAULT_ZLIB is set in the environment during library
initialization.
- Introduced to assist with programs not yet updated to provide their own
controls on compression, such as Postfix
- http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch
-- Seth Arnold <seth.arnold@canonical.com> Mon, 03 Jun 2013 18:14:05 -0700
openssl (1.0.1e-2ubuntu1) saucy; urgency=low
* Resynchronise with Debian unstable. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
- debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
code.
- debian/patches/arm64-support: Add basic arm64 support (no assembler)
- debian/rules: Enable optimized 64bit elliptic curve code contributed
by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
in test suite since we disable it in the client.
* Dropped changes:
- debian/patches/CVE-2013-0169.patch: upstream.
- debian/patches/fix_key_decoding_deadlock.patch: upstream.
- debian/patches/CVE-2013-0166.patch: upstream.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 May 2013 16:31:47 -0400
openssl (1.0.1e-2) unstable; urgency=high
* Bump shlibs. It's needed for the udeb.
* Make cpuid work on cpu's that don't set ecx (Closes: #699692)
* Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
* Fix problem with DTLS version check (Closes: #701826)
* Fix segfault in SSL_get_certificate (Closes: #703031)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 18 Mar 2013 20:37:11 +0100
openssl (1.0.1e-1) unstable; urgency=high
* New upstream version (Closes: #699889)
- Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
- Drop renegiotate_tls.patch, applied upstream
- Export new CRYPTO_memcmp symbol, update symbol file
* Add ssltest_no_sslv2.patch so that "make test" works.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 11 Feb 2013 19:39:44 +0100
openssl (1.0.1c-5) unstable; urgency=low
* Re-enable assembler versions on sparc. They shouldn't have
been disabled for sparc v9. (Closes: #649841)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 09 Sep 2012 08:43:40 +0200
openssl (1.0.1c-4ubuntu8) raring; urgency=low
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
commit from upstream to fix regression.
- CVE-2013-0169
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Mar 2013 14:33:14 -0400
openssl (1.0.1c-4ubuntu7) raring; urgency=low
* Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)
-- Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com> Thu, 07 Mar 2013 15:36:16 +0000
openssl (1.0.1c-4ubuntu6) raring; urgency=low
* debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
when decoding public keys. (LP: #1066032)
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 06 Mar 2013 08:11:19 -0500
openssl (1.0.1c-4ubuntu5) raring; urgency=low
* REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
LP: #1133333)
- debian/patches/CVE-2013-0169.patch: disabled for now until fix is
available from upstream.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 28 Feb 2013 11:01:29 -0500
openssl (1.0.1c-4ubuntu4) raring; urgency=low
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/CVE-2013-0166.patch: properly handle NULL key in
crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: massive code changes
- CVE-2013-0169
* SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
- Fix included in CVE-2013-0169 patch
- CVE-2012-2686
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2013 13:25:24 -0500
openssl (1.0.1c-4ubuntu3) raring; urgency=low
* Add basic arm64 support (no assembler) (LP: #1102107)
-- Wookey <wookey@wookware.org> Sun, 20 Jan 2013 17:30:15 +0000
openssl (1.0.1c-4ubuntu2) raring; urgency=low
* Enable arm assembly code. (LP: #1083498) (Closes: #676533)
-- Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com> Wed, 28 Nov 2012 00:08:45 +0000
openssl (1.0.1c-4ubuntu1) raring; urgency=low
* Resynchronise with Debian (LP: #1077228). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- debian/patches/tls12_workarounds.patch: Workaround large client hello
issues when TLS 1.1 and lower is in use
- debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
* Dropped changes:
- Drop openssl-doc in favour of the libssl-doc package introduced by
Debian. Add Conflicts/Replaces until the next LTS release.
+ Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS
release'
-- Tyler Hicks <tyhicks@canonical.com> Fri, 09 Nov 2012 14:49:13 -0800
openssl (1.0.1c-4) unstable; urgency=low
* Fix the configure rules for alpha (Closes: #672710)
* Switch the postinst to sh again, there never was a reason to
switch it to bash (Closes: #676398)
* Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
preprocessed. We generate the file again for pic anyway.
(Closes: #677468)
* Drop Breaks against openssh as it was only for upgrades
between versions that were only in testing/unstable.
(Closes: #668600)
-- Kurt Roeckx <kurt@roeckx.be> Tue, 17 Jul 2012 11:49:19 +0200
openssl (1.0.1c-3ubuntu2) quantal; urgency=low
[ Tyler Hicks <tyhicks@canonical.com> ]
* debian/patches/tls12_workarounds.patch: Readd the change to check
TLS1_get_client_version rather than TLS1_get_version to fix incorrect
client hello cipher list truncation when TLS 1.1 and lower is in use.
(LP: #1051892)
[ Micah Gersten <micahg@ubuntu.com> ]
* Mark Debian Vcs-* as XS-Debian-Vcs-*
- update debian/control
-- Tyler Hicks <tyhicks@canonical.com> Thu, 04 Oct 2012 10:34:57 -0700
openssl (1.0.1c-3ubuntu1) quantal; urgency=low
* Resynchronise with Debian. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- debian/patches/tls12_workarounds.patch: workaround large client hello
issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
with -DOPENSSL_NO_TLS1_2_CLIENT.
* Dropped upstreamed patches:
- debian/patches/CVE-2012-2110.patch
- debian/patches/CVE-2012-2110b.patch
- debian/patches/CVE-2012-2333.patch
- debian/patches/CVE-2012-0884-extra.patch
- most of debian/patches/tls12_workarounds.patch
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Jun 2012 13:01:30 -0400
openssl (1.0.1c-3) unstable; urgency=low
* Disable padlock engine again, causes problems for hosts not supporting it.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 06 Jun 2012 18:29:37 +0200
openssl (1.0.1c-2) unstable; urgency=high
* Fix renegiotation when using TLS > 1.0. This breaks tor. Patch from
upstream. (Closes: #675990)
* Enable the padlock engine by default.
* Change default bits from 1024 to 2048 (Closes: #487152)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 06 Jun 2012 00:55:42 +0200
openssl (1.0.1c-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-2333 (Closes: #672452)
-- Kurt Roeckx <kurt@roeckx.be> Fri, 11 May 2012 18:44:51 +0200
openssl (1.0.1b-1) unstable; urgency=high
* New upstream version
- Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
can talk to servers supporting TLS 1.1 but not TLS 1.2
- Drop rc4_hmac_md5.patch, applied upstream
-- Kurt Roeckx <kurt@roeckx.be> Thu, 26 Apr 2012 23:34:34 +0200
openssl (1.0.1a-3) unstable; urgency=low
* Use patch from upstream for the rc4_hmac_md5 issue.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 19 Apr 2012 23:16:30 +0200
openssl (1.0.1a-2) unstable; urgency=low
* Fix rc4_hmac_md5 on non-i386/amd64 arches.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 19 Apr 2012 21:54:42 +0200
openssl (1.0.1a-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-2110
- Fix crash in rc4_hmac_md5 (Closes: #666405)
- Fixes some issues with talking to other servers when TLS 1.1 and 1.2 is
supported
- Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch,
applied upstream.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 19 Apr 2012 19:54:12 +0200
openssl (1.0.1-4ubuntu6) quantal; urgency=low
* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
TLS v1.2 implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
properly when encrypting CMS messages.
-- Steve Beattie <sbeattie@ubuntu.com> Thu, 24 May 2012 16:05:04 -0700
openssl (1.0.1-4ubuntu5) precise-proposed; urgency=low
* debian/patches/CVE-2012-2110b.patch: Use correct error code in
BUF_MEM_grow_clean()
-- Jamie Strandboge <jamie@ubuntu.com> Tue, 24 Apr 2012 08:29:32 -0500
openssl (1.0.1-4ubuntu4) precise-proposed; urgency=low
* Check TLS1_get_client_version rather than TLS1_get_version for client
hello cipher list truncation, in a further attempt to get things working
again for everyone (LP: #986147).
-- Colin Watson <cjwatson@ubuntu.com> Tue, 24 Apr 2012 14:05:50 +0100
openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
* SECURITY UPDATE: fix various overflows
- debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110
-- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low
* Backport more upstream patches to work around TLS 1.2 failures
(LP #965371):
- Do not use record version number > TLS 1.0 in initial client hello:
some (but not all) hanging servers will now work.
- Truncate the number of ciphers sent in the client hello to 50. Most
broken servers should now work.
- Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
sites listed in the above bug and its duplicates still fail if I do that
versus leaving it disabled.
-- Colin Watson <cjwatson@ubuntu.com> Wed, 18 Apr 2012 15:03:56 +0100
openssl (1.0.1-4ubuntu1) precise; urgency=low
* Resynchronise with Debian (LP: #968753). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- Experimental workaround to large client hello issue: if
OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
- Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
-- Colin Watson <cjwatson@ubuntu.com> Tue, 10 Apr 2012 20:50:52 +0100
openssl (1.0.1-4) unstable; urgency=low
* Use official patch for the vpaes problem, also covering amd64.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 31 Mar 2012 20:54:13 +0200
openssl (1.0.1-3) unstable; urgency=high
* Fix crash in vpaes (Closes: #665836)
* use client version when deciding whether to send supported signature
algorithms extension
-- Kurt Roeckx <kurt@roeckx.be> Sat, 31 Mar 2012 18:35:59 +0200
openssl (1.0.1-2ubuntu4) precise; urgency=low
* Pass cross-compiling options to 'make install' as well, since apparently
it likes to rebuild fips_premain_dso.
-- Colin Watson <cjwatson@ubuntu.com> Sat, 31 Mar 2012 00:48:38 +0100
openssl (1.0.1-2ubuntu3) precise; urgency=low
* Temporarily work around TLS 1.2 failures as suggested by upstream
(LP #965371):
- Use client version when deciding whether to send supported signature
algorithms extension.
- Experimental workaround to large client hello issue: if
OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
- Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
This fixes most of the reported problems, but does not fix the case of
servers that reject version numbers they don't support rather than
trying to negotiate a lower version (e.g. www.mediafire.com).
-- Colin Watson <cjwatson@ubuntu.com> Fri, 30 Mar 2012 17:11:45 +0100
openssl (1.0.1-2ubuntu2) precise; urgency=low
* Remove compat symlinks from /usr/lib to /lib, as they cause
some serious issued with symbol generation, and are not needed.
* Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
-- Adam Conrad <adconrad@ubuntu.com> Fri, 23 Mar 2012 21:39:39 -0600
openssl (1.0.1-2ubuntu1) precise; urgency=low
* Resynchronise with Debian (LP: #958430). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
* Drop aesni.patch, applied upstream.
* Drop Bsymbolic-functions.patch, now handled using dpkg-buildflags.
-- Colin Watson <cjwatson@ubuntu.com> Thu, 22 Mar 2012 17:54:09 +0000
openssl (1.0.1-2) unstable; urgency=low
* Properly quote the new cflags in Configure
-- Kurt Roeckx <kurt@roeckx.be> Mon, 19 Mar 2012 19:56:05 +0100
openssl (1.0.1-1) unstable; urgency=low
* New upstream version
- Remove kfreebsd-pipe.patch, fixed upstream
- Update pic.patch, openssl-pod-misspell.patch and make-targets.patch
- Add OPENSSL_1.0.1 to version-script.patch and libssl1.0.0.symbols for
the new functions.
- AES-NI support (Closes: #644743)
* pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
hidden on amd64, no need to access it PIC anymore.
* pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
* Enable hardening using dpkg-buildflags (Closes: #653495)
* s_client and s_server were forcing SSLv3 only connection when SSLv2 was
disabled instead of the SSLv2 with upgrade method. (Closes: #664454)
* Add Breaks on openssh < 1:5.9p1-4, it has a too strict version check.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 19 Mar 2012 18:23:32 +0100
openssl (1.0.0h-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-0884
- Fixes CVE-2012-1165
- Properly fix CVE-2011-4619
- pkg-config.patch applied upstream, remove it.
* Enable assembler for all i386 arches. The assembler does proper
detection of CPU support, including cpuid support.
This should fix a problem with AES 192 and 256 with the padlock
engine because of the difference in NO_ASM between the between
the i686 optimized library and the engine.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 13 Mar 2012 21:08:17 +0100
openssl (1.0.0g-1ubuntu1) precise; urgency=low
* Resynchronise with Debian. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates
rather than exactly one.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sat, 11 Feb 2012 13:27:31 -0500
openssl (1.0.0g-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-0050
-- Kurt Roeckx <kurt@roeckx.be> Wed, 18 Jan 2012 20:46:13 +0100
openssl (1.0.0f-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2011-4108, CVE-2011-4576, CVE-2011-4619, CVE-2012-0027,
CVE-2011-4577
-- Kurt Roeckx <kurt@roeckx.be> Thu, 12 Jan 2012 19:02:43 +0100
openssl (1.0.0e-3ubuntu1) precise; urgency=low
* Resynchronise with Debian. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates
rather than exactly one.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 12 Jan 2012 11:30:17 +0100
openssl (1.0.0e-3) unstable; urgency=low
* Don't build v8 and v9 variants of sparc anymore, they're older than
the default. (Closes: #649841)
* Don't build i486 optimized version, that's the default anyway, and
it uses assembler that doesn't always work on i486.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 28 Nov 2011 22:17:26 +0100
openssl (1.0.0e-2.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
as revoked.
-- Raphael Geissert <geissert@debian.org> Sun, 06 Nov 2011 01:39:30 -0600
openssl (1.0.0e-2ubuntu4) oneiric; urgency=low
* The previous change moved the notification to major upgrades only, but
in fact, we do want the sysadmin to be notified when security updates
are installed, without having services automatically restarted.
(LP: #244250)
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2011 09:31:22 -0400
openssl (1.0.0e-2ubuntu3) oneiric; urgency=low
* Only issue a restart required notification on important upgrades, and
not other actions such as reconfiguration or initial installation.
(LP: #244250)
-- Anders Kaseorg <andersk@mit.edu> Tue, 04 Oct 2011 13:33:35 +0100
openssl (1.0.0e-2ubuntu2) oneiric; urgency=low
* Unapply patch c_rehash-multi and comment it out in the series as it breaks
parsing of certificates with CRLF line endings and other cases (see
Debian #642314 for discussion), it also changes the semantics of c_rehash
directories by requiring applications to parse hash link targets as files
containing potentially *multiple* certificates rather than exactly one.
LP: #855454.
-- Loïc Minier <loic.minier@ubuntu.com> Tue, 27 Sep 2011 18:13:07 +0200
openssl (1.0.0e-2ubuntu1) oneiric; urgency=low
* Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
CVE-2011-3210 (LP: #850608). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification bubble on libssl1.0.0
upgrade.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i486, i586 (on
i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
* debian/libssl1.0.0.postinst: only display restart notification on
servers (LP: #244250)
-- Steve Beattie <sbeattie@ubuntu.com> Wed, 14 Sep 2011 22:06:03 -0700
openssl (1.0.0e-2) unstable; urgency=low
* Add a missing $(DEB_HOST_MULTIARCH)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 10 Sep 2011 17:02:29 +0200
openssl (1.0.0e-1) unstable; urgency=low
* New upstream version
- Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207)
- Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH. (CVE-2011-3210)
- Add protection against ECDSA timing attacks (CVE-2011-1945)
* Block DigiNotar certifiates. Patch from
Raphael Geissert <geissert@debian.org>
* Generate hashes for all certs in a file (Closes: #628780, #594524)
Patch from Klaus Ethgen <Klaus@Ethgen.de>
* Add multiarch support (Closs: #638137)
Patch from Steve Langasek / Ubuntu
* Symbols from the gost engine were removed because it didn't have
a linker file. Thanks to Roman I Khimov <khimov@altell.ru>
(Closes: #631503)
* Add support for s390x. Patch from Aurelien Jarno <aurel32@debian.org>
(Closes: #641100)
* Add build-arch and build-indep targets to the rules file.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 10 Sep 2011 12:03:13 +0200
openssl (1.0.0d-3) unstable; urgency=low
* Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
* Apply patches from Scott Schaefer <saschaefer@neurodiverse.org> to
fix various pod and spelling errors. (Closes: #622820, #605561)
* Add missing symbols for the engines (Closes: #623038)
* More spelling fixes from Scott Schaefer (Closes: #395424)
* Patch from Scott Schaefer to better document pkcs12 password options
(Closes: #462489)
* Document dgst -hmac option. Patch by Thorsten Glaser <tg@mirbsd.de>
(Closes: #529586)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 13 Jun 2011 12:39:54 +0200
openssl (1.0.0d-2ubuntu2) oneiric; urgency=low
* Build for multiarch. LP: #826601.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 15 Aug 2011 01:58:35 -0700
openssl (1.0.0d-2ubuntu1) oneiric; urgency=low
* Resynchronise with Debian (LP: #675566). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification bubble on libssl1.0.0
upgrade.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i486, i586 (on
i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
* Update architectures affected by Bsymbolic-functions.patch.
* Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2'
configure option, which compiles out SSLv2 support entirely, so this is
no longer needed.
* Drop openssl-doc in favour of the libssl-doc package introduced by
Debian. Add Conflicts/Replaces until the next LTS release.
-- Colin Watson <cjwatson@ubuntu.com> Sun, 01 May 2011 23:51:53 +0100
openssl (1.0.0d-2) unstable; urgency=high
* Make c_rehash also generate the old subject hash. Gnutls applications
seem to require it. (Closes: #611102)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 13 Apr 2011 22:36:49 +0200
openssl (1.0.0d-1) unstable; urgency=low
* New upstream version
- Fixes CVE-2011-0014
* Make libssl-doc Replaces/Breaks with old libssl-dev packages
(Closes: #607609)
* Only export the symbols we should, instead of all.
* Add symbol file.
* Upload to unstable
-- Kurt Roeckx <kurt@roeckx.be> Sat, 02 Apr 2011 13:19:19 +0000
openssl (1.0.0c-2) experimental; urgency=low
* Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
* Always define _GNU_SOURCE, not only for Linux.
* Drop SSL2 support (Closes: #589706)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 19 Dec 2010 16:24:16 +0100
openssl (1.0.0c-1) experimental; urgency=low
* New upstream version (Closes: #578376)
- New soname: Rename library packages
- Drop patch perl-path.diff, not needed anymore
- Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
and CVE-2010-4180.patch: applied upstream.
- Update Configure for the new fields for the assembler options
per arch. alpha now makes use of assembler.
* Move man3 manpages and demos to libssl-doc (Closes: #470594)
* Drop .pod files from openssl package (Closes: #518167)
* Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
* Stop using BF_PTR2 on (kfreebd-)amd64.
* Drop debian-arm from the list of arches.
* Update arm arches to use BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
BF_PTR instead of BN_LLONG DES_RISC1
* ia64: Drop RC4_CHAR, add DES_UNROLL DES_INT
* powerpc: Use RC4_CHAR RC4_CHUNK DES_RISC1 instead
of DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX
* s390: Use RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL instead of BN_LLONG
-- Kurt Roeckx <kurt@roeckx.be> Sun, 12 Dec 2010 15:37:21 +0100
openssl (0.9.8o-5ubuntu1) natty; urgency=low
* Merge from debian unstable. Remaining changes: (LP: #718205)
- d/libssl0.9.8.postinst:
+ Display a system restart required notification bubble
on libssl0.9.8 upgrade.
+ Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade
is being performed.
- d/{libssl0.9.8-udeb.dirs, control, rules}: Create
libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb
package in Debian).
- d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files,
rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
- d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}:
+ Ship documentation in openssl-doc, suggested by the package.
(Closes: #470594)
- d/p/aesni.patch: Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
- d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
- d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc.
- d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS.
The protocol is unsafe and extremely deprecated. (Closes: #589706)
- d/rules:
+ Disable SSLv2 during compile. (Closes: #589706)
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
(Closes: #465248)
+ Don't build for processors no longer supported: i486, i586
(on i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
(Closes: #611667)
+ Replace duplicate files in the doc directory with symlinks.
* This upload fixed CVE: (LP: #718208)
- CVE-2011-0014
-- Artur Rona <ari-tczew@ubuntu.com> Sun, 13 Feb 2011 16:10:24 +0100
openssl (0.9.8o-5) unstable; urgency=low
* Fix OCSP stapling parse error (CVE-2011-0014)
-- Kurt Roeckx <kurt@roeckx.be> Thu, 10 Feb 2011 20:43:43 +0100
openssl (0.9.8o-4ubuntu2) natty; urgency=low
[ Peter Pearse ]
* Fix Makefile to properly clean up libs/ dirs in clean target
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 31 Jan 2011 10:47:30 -0800
openssl (0.9.8o-4ubuntu1) natty; urgency=low
* Merge from debian unstable. Remaining changes: (LP: #693902)
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Don't build for processors no longer supported: i486, i586
(on i386), v8 (on sparc).
- Create libssl0.9.8-udeb, for the benefit of wget-udeb (no
wget-udeb package in Debian).
- Replace duplicate files in the doc directory with symlinks.
- Move runtime libraries to /lib, for the benefit of wpasupplicant.
- Ship documentation in openssl-doc, suggested by the package.
(Closes: #470594)
- Use host compiler when cross-building. Patch from Neil Williams.
(Closes: #465248).
- Don't run 'make test' when cross-building.
- debian/patches/aesni.patch: Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths
under .pc.
- debian/patches/no-sslv2.patch: disable SSLv2 to match NSS
and GnuTLS. The protocol is unsafe and extremely deprecated.
(Closes: #589706)
-- Artur Rona <ari-tczew@ubuntu.com> Thu, 23 Dec 2010 20:20:03 +0100
openssl (0.9.8o-4) unstable; urgency=low
* Fix CVE-2010-4180 (Closes: #529221)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Dec 2010 20:33:21 +0100
openssl (0.9.8o-3ubuntu1) natty; urgency=low
* Merge from debian unstable (LP: #677756). Remaining changes:
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions (refreshed)
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Don't build for processors no longer supported: i486, i586
(on i386), v8 (on sparc).
- Create libssl0.9.8-udeb, for the benefit of wget-udeb (no
wget-udeb package in Debian)
- Replace duplicate files in the doc directory with symlinks.
- Move runtime libraries to /lib, for the benefit of wpasupplicant
- Ship documentation in openssl-doc, suggested by the package.
(Debian bug 470594)
- Use host compiler when cross-building (patch from Neil Williams in
Debian bug 465248).
- Don't run 'make test' when cross-building.
- debian/patches/aesni.patch: Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths
under .pc.
- debian/patches/no-sslv2.patch: disable SSLv2 to match NSS
and GnuTLS. The protocol is unsafe and extremely deprecated.
(Debian bug 589706)
* Dropped patches, now upstream:
- debian/patches/CVE-2010-2939.patch (Debian patch is identically
named)
-- Steve Beattie <sbeattie@ubuntu.com> Thu, 18 Nov 2010 12:54:37 -0800
openssl (0.9.8o-3) unstable; urgency=high
* Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
* Re-add the engines. They were missing since 0.9.8m-1.
Patch by Joerg Schneider. (Closes: #603693)
* Not all architectures were build using -g (Closes: #570702)
* Add powerpcspe support (Closes: #579805)
* Add armhf support (Closes: #596881)
* Update translations:
- Brazilian Portuguese (Closes: #592154)
- Danish (Closes: #599459)
- Vietnamese (Closes: #601536)
- Arabic (Closes: #596166)
* Generate the proper stamp file so that everything doesn't get build twice.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 16 Nov 2010 19:20:55 +0100
openssl (0.9.8o-2) unstable; urgency=high
* Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
-- Kurt Roeckx <kurt@roeckx.be> Thu, 26 Aug 2010 18:25:29 +0200
openssl (0.9.8o-1ubuntu4.1) maverick-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
crafted private key with an invalid prime.
- debian/patches/CVE-2010-2939.patch: set bn_ctx to NULL after freeing
it in ssl/s3_clnt.c.
- CVE-2010-2939
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 06 Oct 2010 16:46:36 -0400
openssl (0.9.8o-1ubuntu4) maverick; urgency=low
* Update AES-NI patch to openssl-0.9.8-aesni-modes-perlasm-win32-v4.patch
from http://rt.openssl.org/Ticket/Display.html?id=2067, fixing segfault
on engine initialisation (LP: #590639).
-- Colin Watson <cjwatson@ubuntu.com> Fri, 24 Sep 2010 12:20:49 +0100
openssl (0.9.8o-1ubuntu3) maverick; urgency=low
* debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS.
The protocol is unsafe and extremely deprecated. (Debian bug 589706)
-- Kees Cook <kees@ubuntu.com> Tue, 20 Jul 2010 08:24:13 -0700
openssl (0.9.8o-1ubuntu2) maverick; urgency=low
* Don't build anymore for processors not supported anymore in maverick:
- i486, i586 (on i386).
- v8 (on sparc).
-- Matthias Klose <doko@ubuntu.com> Mon, 19 Jul 2010 16:44:10 +0200
openssl (0.9.8o-1ubuntu1) maverick; urgency=low
* Merge from debian unstable, remaining changes (LP: #581167):
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions
- Ship documentation in openssl-doc, suggested by the package.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Replace duplicate files in the doc directory with symlinks.
- Move runtime libraries to /lib, for the benefit of wpasupplicant
- Use host compiler when cross-building (patch from Neil Williams in
Debian #465248).
- Don't run 'make test' when cross-building.
- Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339).
- debian/patches/aesni.patch: Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518).
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths
under .pc.
* Dropped patches, now upstream:
- debian/patches/CVE-2009-3245.patch
- debian/patches/CVE-2010-0740.patch
- debian/patches/dtls-compatibility.patch
- debian/patches/CVE-2009-4355.patch
* Dropped "Add support for lpia".
* Dropped "Disable SSLv2 during compile" as this had never actually
disabled SSLv2.
* Don't disable CVE-2009-3555.patch for Maverick.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Jun 2010 09:08:29 -0400
openssl (0.9.8o-1) unstable; urgency=low
* New upstream version
- Add SHA2 algorithms to SSL_library_init().
- aes-x86_64.pl is now PIC, update pic.patch.
* Add sparc64 support (Closes: #560240)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 18 Apr 2010 01:42:44 +0200
openssl (0.9.8n-1) unstable; urgency=high
* New upstream version.
- Fixes CVE-2010-0740.
- Drop cfb.patch, applied upstream.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 25 Mar 2010 20:30:52 +0100
openssl (0.9.8m-2) unstable; urgency=low
* Revert CFB block length change preventing reading older files.
(Closes: #571810, #571940)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 28 Feb 2010 22:08:49 +0100
openssl (0.9.8m-1) unstable; urgency=low
* New upstream version
- Implements RFC5746, reenables renegotiation but requires the extension.
- Fixes CVE-2009-3245
- Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
no_check_self_signed.patch: applied upstream
- pk7_mime_free.patch removed, code rewritten
- ca.diff partially applied upstream
- engines-path.patch adjusted, upstream made some minor changes to the
build system.
- some flags changed values, bump shlibs.
* Switch to 3.0 (quilt) source package.
* Make sure the package is properly cleaned.
* Add ${misc:Depends} to the Depends on all packages.
* Fix spelling of extension in the changelog file.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 27 Feb 2010 12:24:03 +0000
openssl (0.9.8k-8) unstable; urgency=high
* Clean up zlib state so that it will be reinitialized on next use and
not cause a memory leak. (CVE-2009-4355, CVE-2008-1678)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 13 Jan 2010 21:26:49 +0100
openssl (0.9.8k-7ubuntu8) lucid; urgency=low
* SECURITY UPDATE: denial of service and possible arbitrary code
execution via unchecked return values
- debian/patches/CVE-2009-3245.patch: check bn_wexpand return value in
crypto/bn/{bn_div.c,bn_gf2m.c,bn_mul.c}, crypto/ec/ec2_smpl.c,
engines/e_ubsec.c.
- CVE-2009-3245
* SECURITY UPDATE: denial of service via "record of death"
- debian/patches/CVE-2010-0740.patch: only send back minor version
number in ssl/s3_pkt.c.
- CVE-2010-0740
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Mar 2010 08:57:51 -0400
openssl (0.9.8k-7ubuntu7) lucid; urgency=low
* debian/patches/dtls-compatibility.patch: backport dtls compatibility
code from 0.9.8m to fix interopability. (LP: #516318)
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Mar 2010 08:31:09 -0400
openssl (0.9.8k-7ubuntu6) lucid; urgency=low
* Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518).
* Don't change perl #! paths under .pc.
-- Colin Watson <cjwatson@ubuntu.com> Mon, 01 Feb 2010 15:40:27 -0800
openssl (0.9.8k-7ubuntu5) lucid; urgency=low
* SECURITY UPDATE: memory leak possible during state clean-up.
- Add CVE-2009-4355.patch, upstream fixes thanks to Debian.
-- Kees Cook <kees@ubuntu.com> Fri, 22 Jan 2010 09:50:01 -0800
openssl (0.9.8k-7ubuntu4) lucid; urgency=low
* Use host compiler when cross-building (patch from Neil Williams in
Debian #465248).
* Don't run 'make test' when cross-building.
* Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339).
-- Colin Watson <cjwatson@ubuntu.com> Tue, 05 Jan 2010 16:09:38 +0000
openssl (0.9.8k-7ubuntu3) lucid; urgency=low
* debian/patches/disable-sslv2.patch: remove and apply inline to fix
FTBFS when patch won't revert during the build process.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 07 Dec 2009 21:00:47 -0500
openssl (0.9.8k-7ubuntu2) lucid; urgency=low
* debian/patches/{disable-sslv2,Bsymbolic-functions}.patch: apply
Makefile sections inline as once the package is configured during the
build process, the patches wouldn't revert anymore, causing a FTBFS on
anything other than amd64.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 07 Dec 2009 19:52:15 -0500
openssl (0.9.8k-7ubuntu1) lucid; urgency=low
* Merge from debian unstable, remaining changes (LP: #493392):
- Link using -Bsymbolic-functions
- Add support for lpia
- Disable SSLv2 during compile
- Ship documentation in openssl-doc, suggested by the package.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Replace duplicate files in the doc directory with symlinks.
- Move runtime libraries to /lib, for the benefit of wpasupplicant
* Strip the patches out of the source into quilt patches
* Disable CVE-2009-3555.patch
-- Nicolas Valcárcel Scerpella (Canonical) <nvalcarcel@canonical.com> Sun, 06 Dec 2009 20:16:24 -0500
openssl (0.9.8k-7) unstable; urgency=low
* Bump the shlibs to require 0.9.8k-1. The following symbols
to added between g and k: AES_wrap_key, AES_unwrap_key,
ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn,
SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex,
BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init,
int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions,
CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info,
CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init,
ENGINE_set_load_ssl_client_cert_function,
ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert,
EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags,
EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new
OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex,
RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0,
X509at_get0_data_by_OBJ, X509_get1_ocsp
-- Kurt Roeckx <kurt@roeckx.be> Sat, 28 Nov 2009 14:34:26 +0100
openssl (0.9.8k-6) unstable; urgency=low
* Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
-- Kurt Roeckx <kurt@roeckx.be> Thu, 12 Nov 2009 18:10:31 +0000
openssl (0.9.8k-5) unstable; urgency=low
* Don't check self signed certificate signatures in X509_verify_cert()
(Closes: #541735)
-- Kurt Roeckx <kurt@roeckx.be> Fri, 11 Sep 2009 15:42:32 +0200
openssl (0.9.8k-4) unstable; urgency=low
* Split all the patches into a separate files
* Stop undefinging HZ, the issue on alpha should be fixed.
* Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899)
-- Kurt Roeckx <kurt@roeckx.be> Tue, 11 Aug 2009 21:19:18 +0200
openssl (0.9.8k-3) unstable; urgency=low
* Make rc4-x86_64 PIC. Based on patch from Petr Salinger (Closes: #532336)
* Add workaround for kfreebsd that can't see the different between
two pipes. Patch from Petr Salinger.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 13 Jun 2009 18:15:46 +0200
openssl (0.9.8k-2) unstable; urgency=low
* Move libssl0.9.8-dbg to the debug section.
* Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
* Split the line to generate md5-x86_64.s in the Makefile. This will
hopefully fix the build issue on kfreebsd that now outputs the file
to stdout instead of the file.
* Fix denial of service via an out-of-sequence DTLS handshake message
(CVE-2009-1387) (Closes: #532037)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 08 Jun 2009 19:05:56 +0200
openssl (0.9.8k-1) unstable; urgency=low
* New upstream release
- 0.9.8i fixed denial of service via a DTLS ChangeCipherSpec packet
that occurs before ClientHello (CVE-2009-1386)
* Make aes-x86_64.pl use PIC.
* Fix security issues (Closes: #530400)
- "DTLS record buffer limitation bug." (CVE-2009-1377)
- "DTLS fragment handling" (CVE-2009-1378)
- "DTLS use after free" (CVE-2009-1379)
* Fixed Configure for hurd: use -mtune=i486 instead of -m486
Patch by Marc Dequènes (Duck) <duck@hurdfr.org> (Closes: #530459)
* Add support for avr32 (Closes: #528648)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 16 May 2009 17:33:55 +0200
openssl (0.9.8g-16ubuntu3) karmic; urgency=low
* SECURITY UPDATE: certificate spoofing via hash collisions from MD2
design flaws.
- crypto/evp/c_alld.c, ssl/ssl_algs.c: disable MD2 digest.
- crypto/x509/x509_vfy.c: skip signature check for self signed
certificates
- http://marc.info/?l=openssl-cvs&m=124508133203041&w=2
- http://marc.info/?l=openssl-cvs&m=124704528713852&w=2
- CVE-2009-2409
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 08 Sep 2009 14:59:05 -0400
openssl (0.9.8g-16ubuntu2) karmic; urgency=low
* Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by
Marc Deslauriers)
* SECURITY UPDATE: denial of service via memory consumption from large
number of future epoch DTLS records.
- crypto/pqueue.*: add new pqueue_size counter function.
- ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
- http://cvs.openssl.org/chngview?cn=18187
- CVE-2009-1377
* SECURITY UPDATE: denial of service via memory consumption from
duplicate or invalid sequence numbers in DTLS records.
- ssl/d1_both.c: discard message if it's a duplicate or too far in the
future.
- http://marc.info/?l=openssl-dev&m=124263491424212&w=2
- CVE-2009-1378
* SECURITY UPDATE: denial of service or other impact via use-after-free
in dtls1_retrieve_buffered_fragment.
- ssl/d1_both.c: use temp frag_len instead of freed frag.
- http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
- CVE-2009-1379
* SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
that occurs before ClientHello.
- ssl/s3_pkt.c: abort if s->session is NULL.
- ssl/{ssl.h,ssl_err.c}: add new error codes.
- http://cvs.openssl.org/chngview?cn=17369
- CVE-2009-1386
* SECURITY UPDATE: denial of service via an out-of-sequence DTLS
handshake message.
- ssl/d1_both.c: don't buffer fragments with no data.
- http://cvs.openssl.org/chngview?cn=17958
- CVE-2009-1387
-- Jamie Strandboge <jamie@ubuntu.com> Fri, 10 Jul 2009 14:44:47 -0500
openssl (0.9.8g-16ubuntu1) karmic; urgency=low
* Merge from debian unstable, remaining changes:
- Link using -Bsymbolic-functions
- Add support for lpia
- Disable SSLv2 during compile
- Ship documentation in openssl-doc, suggested by the package.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Replace duplicate files in the doc directory with symlinks.
-- Jamie Strandboge <jamie@ubuntu.com> Thu, 14 May 2009 14:11:05 -0500
openssl (0.9.8g-16) unstable; urgency=high
* Properly validate the length of an encoded BMPString and UniversalString
(CVE-2009-0590) (Closes: #522002)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 01 Apr 2009 22:04:53 +0200
openssl (0.9.8g-15ubuntu3) jaunty; urgency=low
* SECURITY UPDATE: crash via invalid memory access when printing BMPString
or UniversalString with invalid length
- crypto/asn1/tasn_dec.c, crypto/asn1/asn1_err.c and crypto/asn1/asn1.h:
return error if invalid length
- CVE-2009-0590
- http://www.openssl.org/news/secadv_20090325.txt
- patch from upstream CVS:
crypto/asn1/asn1.h:1.128.2.11->1.128.2.12
crypto/asn1/asn1_err.c:1.54.2.4->1.54.2.5
crypto/asn1/tasn_dec.c:1.26.2.10->1.26.2.11
-- Jamie Strandboge <jamie@ubuntu.com> Fri, 27 Mar 2009 08:23:35 -0500
openssl (0.9.8g-15ubuntu2) jaunty; urgency=low
* Move runtime libraries to /lib, for the benefit of wpasupplicant
(LP: #44194). Leave symlinks behind in /usr/lib (except on the Hurd)
since we used to set an rpath there.
-- Colin Watson <cjwatson@ubuntu.com> Fri, 06 Mar 2009 12:48:52 +0000
openssl (0.9.8g-15ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes: LP: #314984
- Link using -Bsymbolic-functions
- Add support for lpia
- Disable SSLv2 during compile
- Ship documentation in openssl-doc, suggested by the package.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Replace duplicate files in the doc directory with symlinks.
-- Bhavani Shankar <right2bhavi@gmail.com> Thu, 08 Jan 2009 12:38:06 +0530
openssl (0.9.8g-15) unstable; urgency=low
* Internal calls to didn't properly check for errors which
resulted in malformed DSA and ECDSA signatures being treated as
a good signature rather than as an error. (CVE-2008-5077)
* ipv6_from_asc() could write 1 byte longer than the buffer in case
the ipv6 address didn't have "::" part. (Closes: #506111)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 05 Jan 2009 21:14:31 +0100
openssl (0.9.8g-14ubuntu2) jaunty; urgency=low
* SECURITY UPDATE: clients treat malformed signatures as good when verifying
server DSA and ECDSA certificates
- update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c,
ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and
ssl/ssltest.c to properly check the return code of EVP_VerifyFinal()
- patch based on upstream patch for #2008-016
- CVE-2008-5077
-- Jamie Strandboge <jamie@ubuntu.com> Tue, 06 Jan 2009 00:44:19 -0600
openssl (0.9.8g-14ubuntu1) jaunty; urgency=low
* Merge from debian unstable, remaining changes:
- Link using -Bsymbolic-functions
- Add support for lpia
- Disable SSLv2 during compile
- Ship documentation in openssl-doc, suggested by the package.
- Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade is being
performed.
- Display a system restart required notification bubble on libssl0.9.8
upgrade.
- Replace duplicate files in the doc directory with symlinks.
-- Scott James Remnant <scott@ubuntu.com> Tue, 11 Nov 2008 17:24:44 +0000
openssl (0.9.8g-14) unstable; urgency=low
* Don't give the warning about security updates when upgrading
from etch since it doesn't have any known security problems.
* Automaticly use engines that succesfully initialised. Patch
from the 0.9.8h upstream version. (Closes: #502177)
-- Kurt Roeckx <kurt@roeckx.be> Fri, 31 Oct 2008 22:45:14 +0100
openssl (0.9.8g-13) unstable; urgency=low
* Fix a problem with tlsext preventing firefox 3 from connection.
Patch from upstream CVS and part of 0.9.8h.
(Closes: #492758)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 03 Aug 2008 19:47:10 +0200
openssl (0.9.8g-12) unstable; urgency=low
* add the changelog of the 10.1 NMU to make bugtracking happy
-- Christoph Martin <Christoph.Martin@Uni-Mainz.DE> Tue, 22 Jul 2008 14:58:26 +0200
openssl (0.9.8g-11) unstable; urgency=low
[ Christoph Martin ]
* updated cs, gl, sv, ru, ro debconf translation (closes: #480926, #480967,
#482465, #484324, #488595)
* add Vcs-Svn header (closes: #481654)
* fix debian-kfreebsd-i386 build flags (closes: #482275)
* add stunnel4 to restart list (closes: #482111)
* include fixes from 10.1 NMU by Security team
- Fix double free in TLS server name extension which leads to a remote
denial of service (CVE-2008-0891; Closes: #483379).
- Fix denial of service if the 'Server Key exchange message'
is omitted from a TLS handshake which could lead to a client
crash (CVE-2008-1672; Closes: #483379).
This only works if openssl is compiled with enable-tlsext which is
done in Debian.
* fix some lintian warnings
* update to newest standards version
-- Christoph Martin <Christoph.Martin@Uni-Mainz.DE> Thu, 17 Jul 2008 09:53:01 +0200
openssl (0.9.8g-10.1ubuntu2) intrepid; urgency=low
* debian/rules:
- disable SSLv2 during compile
* debian/README.debian
- add note about disabled SSLv2 in Ubuntu
-- Ante Karamatic <ivoks@ubuntu.com> Thu, 24 Jul 2008 12:47:09 +0200
openssl (0.9.8g-10.1ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- use a different priority for libssl0.9.8/restart-services depending on whether
a desktop, or server dist-upgrade is being performed.
- display a system restart required notification bubble on libssl0.9.8 upgrade.
- ship documentation in new openssl-doc package.
- configure: add support for lpia.
- replace duplicate files in the doc directory with symlinks.
- link using -bsymbolic-functions.
- update maintainer as per spec.
-- Luke Yelavich <luke.yelavich@canonical.com> Tue, 10 Jun 2008 11:50:07 +1000
openssl (0.9.8g-10.1) unstable; urgency=high
* Non-maintainer upload by the Security team.
* Fix denial of service if the 'Server Key exchange message'
is omitted from a TLS handshake which could lead to a client
crash (CVE-2008-1672; Closes: #483379).
This only works if openssl is compiled with enable-tlsext which is
done in Debian.
* Fix double free in TLS server name extension which leads to a remote
denial of service (CVE-2008-0891; Closes: #483379).
-- Nico Golde <nion@debian.org> Tue, 27 May 2008 11:13:44 +0200
openssl (0.9.8g-10ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- Use a different priority for libssl0.9.8/restart-services depending on whether
a desktop, or server dist-upgrade is being performed.
- Display a system restart required notification bubble on libssl0.9.8 upgrade.
- Ship documentation in new openssl-doc package.
- Configure: Add support for lpia.
- Replace duplicate files in the doc directory with symlinks.
- Link using -Bsymbolic-functions.
- Update maintainer as per spec.
-- Luke Yelavich <luke.yelavich@canonical.com> Mon, 12 May 2008 22:49:33 +1000
openssl (0.9.8g-10) unstable; urgency=low
* undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK)
to fix a build failure on alpha.
-- Kurt Roeckx <kurt@roeckx.be> Thu, 08 May 2008 17:56:13 +0000
openssl (0.9.8g-9) unstable; urgency=high
[ Christoph Martin ]
* Include updated debconf translations (closes: #473477, #461597,
#461880, #462011, #465517, #475439)
[ Kurt Roeckx ]
* ssleay_rand_add() really needs to call MD_Update() for buf.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 07 May 2008 20:32:12 +0200
openssl (0.9.8g-8ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- Use a different priority for libssl0.9.8/restart-services depending on whether
a desktop, or server dist-upgrade is being performed.
- Display a system restart required notification bubble on libssl0.9.8 upgrade.
- Ship documentation in new openssl-doc package.
- Configure: Add support for lpia.
- Replace duplicate files in the doc directory with symlinks.
- Link using -Bsymbolic-functions.
- Update maintainer as per spec.
-- Luke Yelavich <luke.yelavich@canonical.com> Mon, 12 May 2008 10:09:20 +1000
openssl (0.9.8g-8) unstable; urgency=high
* Don't add extensions to ssl v3 connections. It breaks with some
other software. (Closes: #471681)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 23 Mar 2008 17:50:04 +0000
openssl (0.9.8g-7) unstable; urgency=low
* Upload to unstable.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 13 Feb 2008 22:22:29 +0000
openssl (0.9.8g-6) experimental; urgency=low
* Bump shlibs.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 09 Feb 2008 15:42:22 +0100
openssl (0.9.8g-5) experimental; urgency=low
* Enable tlsext. This changes the ABI, but should hopefully
not cause any problems. (Closes: #462596)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 09 Feb 2008 13:32:49 +0100
openssl (0.9.8g-4ubuntu3) hardy; urgency=low
* Use a different priority for libssl0.9.8/restart-services depending on whether
a desktop, or server dist-upgrade is being performed. (LP: #91814)
* Display a system restart required notification bubble on libssl0.9.8 upgrade.
-- Luke Yelavich <luke.yelavich@canonical.com> Tue, 22 Apr 2008 10:50:53 +1000
openssl (0.9.8g-4ubuntu2) hardy; urgency=low
* Ship documentation in new openssl-doc package, since it is very large and
not terribly useful for the casual desktop user.
-- Martin Pitt <martin.pitt@ubuntu.com> Tue, 11 Mar 2008 22:52:28 +0100
openssl (0.9.8g-4ubuntu1) hardy; urgency=low
* Merge from unstable; remaining changes:
- Configure: Add support for lpia.
- Replace duplicate files in the doc directory with symlinks.
- Link using -Bsymbolic-functions.
-- Matthias Klose <doko@ubuntu.com> Tue, 29 Jan 2008 14:32:12 +0100
openssl (0.9.8g-4) unstable; urgency=low
* Fix aes ige test speed not to overwrite it's buffer and
cause segfauls. Thanks to Tim Hudson (Closes: #459619)
* Mark some strings in the templates as non translatable.
Patch from Christian Perrier <bubulle@debian.org> (Closes: #450418)
* Update Dutch debconf translation (Closes: #451290)
* Update French debconf translation (Closes: #451375)
* Update Catalan debconf translation (Closes: #452694)
* Update Basque debconf translation (Closes: #457285)
* Update Finnish debconf translation (Closes: #458261)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 16 Jan 2008 21:49:43 +0100
openssl (0.9.8g-3ubuntu1) hardy; urgency=low
* Merge with Debian; remaining changes:
- Configure: Add support for lpia.
- Replace duplicate files in the doc directory with symlinks.
-- Matthias Klose <doko@ubuntu.com> Wed, 05 Dec 2007 00:13:39 +0100
openssl (0.9.8g-3) unstable; urgency=low
* aes-586.pl: push %ebx on the stack before we put some things on the
stack and call a function, giving AES_decrypt() wrong values to work
with. (Closes: #449200)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 04 Nov 2007 21:49:00 +0100
openssl (0.9.8g-2) unstable; urgency=low
* Avoid text relocations on i386 caused by the assembler versions:
- x86unix.pl: Create a function_begin_B_static to create a
static/local assembler function.
- aes-586.pl: Use the function_begin_B_static for _x86_AES_decrypt
so that it doesn't get exported and doesn't have any (text) relocations.
- aes-586.pl: Set up ebx to point to the GOT and call AES_set_encrypt_key
via the PLT to avoid a relocation.
- x86unix.pl: Call the init function via the PLT, avoiding a relocation
in case of a PIC object.
- cbc.pl: Call functions via the PLT.
- desboth.pl: Call DES_encrypt2 via the PLT.
* CA.sh should use the v3_ca extension when called with -newca
(Closes: #428051)
* Use -Wa,--noexecstack for all arches in Debian. (Closes: #430583)
* Convert the failure message when services fail restart to a debconf
message.
* To restart a service, just restart, instead of stop and start.
Hopefully fixes #444946
* Also remove igetest from the test dir in the clean target.
(Closes: #424362)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 03 Nov 2007 13:25:45 +0100
openssl (0.9.8g-1) unstable; urgency=low
* New upstream release
- Fixes version number not to say it's a development version.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 20 Oct 2007 12:47:10 +0200
openssl (0.9.8f-1) unstable; urgency=low
* New upstream release
- Fixes DTLS issues, also fixes CVE-2007-4995 (Closes: #335703, #439737)
- Proper inclusion of opensslconf.h in pq_compat.h (Closes: #408686)
- New function SSL_set_SSL_CTX: bump shlibs.
* Remove build dependency on gcc > 4.2
* Remove the openssl preinst, it looks like a workaround
for a change in 0.9.2b where config files got moved. (Closes: #445095)
* Update debconf translations:
- Vietnamese (Closes: #426988)
- Danish (Closes: #426774)
- Slovak (Closes: #440723)
- Finnish (Closes: #444258)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 13 Oct 2007 00:47:22 +0200
openssl (0.9.8e-9) unstable; urgency=high
* CVE-2007-5135: Fix off by one error in SSL_get_shared_ciphers().
(Closes: #444435)
* Add postgresql-8.2 to the list of services to check.
-- Kurt Roeckx <kurt@roeckx.be> Fri, 28 Sep 2007 19:47:33 +0200
openssl (0.9.8e-8) unstable; urgency=low
* Fix another case of the "if this code is reached, the program will abort"
(Closes: #429740)
* Temporary force to build with gcc >= 4.2
-- Kurt Roeckx <kurt@roeckx.be> Sun, 02 Sep 2007 18:12:11 +0200
openssl (0.9.8e-7) unstable; urgency=low
* Fix problems with gcc-4.2 (Closes: #429740)
* Stop using -Bsymbolic to create the shared library.
* Make x86_64cpuid.pl use PIC.
-- Kurt Roeckx <kurt@roeckx.be> Sun, 02 Sep 2007 16:15:18 +0200
openssl (0.9.8e-6) unstable; urgency=high
* Add fix for CVE-2007-3108 (Closes: #438142)
-- Kurt Roeckx <kurt@roeckx.be> Wed, 15 Aug 2007 19:49:54 +0200
openssl (0.9.8e-5ubuntu3) gutsy; urgency=low
* Replace duplicate files in the doc directory with symlinks.
-- Matthias Klose <doko@ubuntu.com> Thu, 04 Oct 2007 16:27:53 +0000
openssl (0.9.8e-5ubuntu2) gutsy; urgency=low
[ Jamie Strandboge ]
* SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
buffer overflow
* ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
Stephan Hermann
* References:
CVE-2007-5135
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
Fixes LP: #146269
* Modify Maintainer value to match the DebianMaintainerField
specification.
[ Kees Cook ]
* SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
* crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
* References
CVE-2007-3108
-- Kees Cook <kees@ubuntu.com> Fri, 28 Sep 2007 13:02:19 -0700
openssl (0.9.8e-5ubuntu1) gutsy; urgency=low
* Configure: Add support for lpia.
* Explicitely build using gcc-4.1 (PR other/31359).
-- Matthias Klose <doko@ubuntu.com> Tue, 31 Jul 2007 12:47:38 +0000
openssl (0.9.8e-5) unstable; urgency=low
[ Christian Perrier ]
* Debconf templates proofread and slightly rewritten by
the debian-l10n-english team as part of the Smith Review Project.
Closes: #418584
* Debconf templates translations:
- Arabic. Closes: #418669
- Russian. Closes: #418670
- Galician. Closes: #418671
- Swedish. Closes: #418679
- Korean. Closes: #418755
- Czech. Closes: #418768
- Basque. Closes: #418784
- German. Closes: #418785
- Traditional Chinese. Closes: #419915
- Brazilian Portuguese. Closes: #419959
- French. Closes: #420429
- Italian. Closes: #420461
- Japanese. Closes: #420482
- Catalan. Closes: #420833
- Dutch. Closes: #420925
- Malayalam. Closes: #420986
- Portuguese. Closes: #421032
- Romanian. Closes: #421708
[ Kurt Roeckx ]
* Remove the Provides for the udeb. Patch from Frans Pop. (Closes: #419608)
* Updated Spanish debconf template. (Closes: #421336)
* Do the header changes, changing those defines into real functions,
and bump the shlibs to match.
* Update Japanese debconf translation. (Closes: #422270)
-- Kurt Roeckx <kurt@roeckx.be> Tue, 15 May 2007 17:21:08 +0000
openssl (0.9.8e-4) unstable; urgency=low
* openssl should depend on libssl0.9.8 0.9.8e-1 since it
uses some of the defines that changed to functions.
Other things build against libssl or libcrypto shouldn't
have this problem since they use the old headers.
(Closes: #414283)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 10 Mar 2007 17:11:46 +0000
openssl (0.9.8e-3) unstable; urgency=low
* Add nagios-nrpe-server to the list of services to be checked
(Closes: #391188)
* EVP_CIPHER_CTX_key_length() should return the set key length in the
EVP_CIPHER_CTX structure which may not be the same as the underlying
cipher key length for variable length ciphers.
From upstream CVS. (Closes: #412979)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 4 Mar 2007 23:22:51 +0000
openssl (0.9.8e-2) unstable; urgency=low
* Undo include changes that change defines into real functions,
but keep the new functions in the library.
-- Kurt Roeckx <kurt@roeckx.be> Sun, 25 Feb 2007 19:19:19 +0000
openssl (0.9.8e-1) unstable; urgency=low
* New upstream release
- Inludes security fixes for CVE-2006-2937, CVE-2006-2940,
CVE-2006-3738, CVE-2006-4343 (Closes: #408902)
- s_client now properly works with SMTP. Also added support
for IMAP. (closes: #221689)
- Load padlock modules (Closes: #345656, #368476)
* Add clamav-freshclam and clamav-daemon to the list of service that
need to be restarted. (Closes: #391191)
* Add armel support. Thanks to Guillem Jover <guillem.jover@nokia.com>
for the patch. (Closes: #407196)
* Add Portuguese translations. Thanks to Carlos Lisboa. (Closes: 408157)
* Add Norwegian translations. Thanks to Bjørn Steensrud
<bjornst@powertech.no> (Closes: #412326)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 25 Feb 2007 18:06:28 +0000
openssl (0.9.8c-4) unstable; urgency=low
* Add German debconf translation. Thanks to
Johannes Starosta <feedback-an-johannes@arcor.de> (Closes: #388108)
* Make c_rehash look for both .pem and .crt files. Also make it support
files in DER format. Patch by "Yauheni Kaliuta" <y.kaliuta@gmail.com>
(Closes: #387089)
* Use & instead of && to check a flag in the X509 policy checking.
Patch from upstream cvs. (Closes: #397151)
* Also restart slapd for security updates (Closes: #400221)
* Add Romanian debconf translation. Thanks to
stan ioan-eugen <stan.ieugen@gmail.com> (Closes: #393507)
-- Kurt Roeckx <kurt@roeckx.be> Thu, 30 Nov 2006 20:57:46 +0000
openssl (0.9.8c-3) unstable; urgency=low
* Fix patch for CVE-2006-2940, it left ctx unintiliased.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 2 Oct 2006 18:05:00 +0200
openssl (0.9.8c-2) unstable; urgency=high
* Fix security vulnerabilities (CVE-2006-2937, CVE-2006-2940,
CVE-2006-3738, CVE-2006-4343). Urgency set to high.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 27 Sep 2006 21:24:55 +0000
openssl (0.9.8c-1) unstable; urgency=low
* New upstream release
- block padding bug with compression now fixed upstream, using
their patch.
- Includes the RSA Signature Forgery (CVE-2006-4339) patch.
- New functions AES_bi_ige_encrypt and AES_ige_encrypt:
bumping shlibs to require 0.9.8c-1.
* Change the postinst script to check that ntp is installed instead
of ntp-refclock and ntp-simple. The binary is now in the ntp
package.
* Move the modified rand/md_rand.c file to the right place,
really fixing #363516.
* Add partimage-server conserver-server and tor to the list of service
to check for restart. Add workaround for openssh-server so it finds
the init script. (Closes: #386365, #386400, #386513)
* Add manpage for c_rehash.
Thanks to James Westby <jw+debian@jameswestby.net> (Closes: #215618)
* Add Lithuanian debconf translation.
Thanks to Gintautas Miliauskas <gintas@akl.lt> (Closes: #374364)
* Add m32r support.
Thanks to Kazuhiro Inaoka <inaoka.kazuhiro@renesas.com>
(Closes: #378689)
-- Kurt Roeckx <kurt@roeckx.be> Sun, 17 Sep 2006 14:47:59 +0000
openssl (0.9.8b-3) unstable; urgency=high
* Fix RSA Signature Forgery (CVE-2006-4339) using patch provided
by upstream.
* Restart services using a smaller version that 0.9.8b-3, so
they get the fixed version.
* Change the postinst to check for postfix instead of postfix-tls.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 5 Sep 2006 18:26:10 +0000
openssl (0.9.8b-2) unstable; urgency=low
* Don't call gcc with -mcpu on i386, we already use -march, so no need for
-mtune either.
* Always make all directories when building something:
- The engines directory didn't get build for the static directory, so
where missing in libcrypo.a
- The apps directory didn't always get build, so we didn't have an openssl
and a small part of the regression tests failed.
* Make the package fail to build if the regression tests fail.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 15 May 2006 16:00:58 +0000
openssl (0.9.8b-1) unstable; urgency=low
* New upstream release
- New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
- CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
instead of FALSE.
- CA.pl/CA.sh creates crlnumber now. (Closes: #347612)
* Run debconf-updatepo, which really already was in the 0.9.8a-8 version
as it was uploaded.
* Add Galician debconf translation. Patch from
Jacobo Tarrio <jtarrio@trasno.net> (Closes: #361266)
* libssl0.9.8.postinst makes uses of bashisms (local variables)
so use #!/bin/bash
* libssl0.9.8.postinst: Call set -e after sourcing the debconf
script.
* libssl0.9.8.postinst: Change list of service that may need
to be restarted:
- Replace ssh by openssh-server
- Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
- Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
* libssl0.9.8.postinst: The check to see if something was installed
wasn't working.
* libssl0.9.8.postinst: Add workaround to find the name of the init
script for proftpd and dovecot.
* libssl0.9.8.postinst: Use invoke-rc.d when it's available.
* Change Standards-Version to 3.7.0:
- Make use of invoke-rc.d
* Add comment to README.Debian that rc5, mdc2 and idea have been
disabled (since 0.9.6b-3) (Closes: #362754)
* Don't add uninitialised data to the random number generator. This stop
valgrind from giving error messages in unrelated code.
(Closes: #363516)
* Put the FAQ in the openssl docs.
* Add russian debconf translations from Yuriy Talakan <yt@amur.elektra.ru>
(Closes #367216)
-- Kurt Roeckx <kurt@roeckx.be> Thu, 4 May 2006 20:40:03 +0200
openssl (0.9.8a-8) unstable; urgency=low
* Call pod2man with the proper section. Section changed
from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL. The name of the files
already had the ssl in, the section didn't. The references
to other manpage is still wrong.
* Don't install the LICENSE file, it's already in the copyright file.
* Don't set an rpath on openssl to point to /usr/lib.
* Add support for kfreebsd-amd64. (Closes: #355277)
* Add udeb to the shlibs. Patch from Frans Pop <aragorn@tiscali.nl>
(Closes: #356908)
-- Kurt Roeckx <kurt@roeckx.be> Sat, 11 Feb 2006 14:14:37 +0100
openssl (0.9.8a-7) unstable; urgency=high
* Add italian debconf templates. Thanks to Luca Monducci.
(Closes: #350249)
* Change the debconf question to use version 0.9.8-3
instead of 0.9.8-1, since that's the last version
with a security fix.
* Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
(Closes: #352047). RC bug affecting testing, so urgency high.
-- Kurt Roeckx <kurt@roeckx.be> Sat, 9 Feb 2006 19:07:56 +0100
openssl (0.9.8a-6) unstable; urgency=low
* Remove empty postinst/preinst/prerm scripts. There is no need
to have empty ones, debhelper will add them when needed.
* Remove the static pic libraries. Nobody should be linking
it's shared libraries static to libssl or libcrypto.
This was added for opensc who now links to it shared.
* Do not assume that in case the sequence number is 0 and the
packet has an odd number of bytes that the other side has
the block padding bug, but try to check that it actually
has the bug. The wrong detection of this bug resulted
in an "decryption failed or bad record mac" error in case
both sides were using zlib compression. (Closes: #338006)
-- Kurt Roeckx <kurt@roeckx.be> Mon, 21 Jan 2006 16:25:41 +0100
openssl (0.9.8a-5) unstable; urgency=low
* Stop ssh from crashing randomly on sparc (Closes: #335912)
Patch from upstream cvs.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 13 Dec 2005 21:37:42 +0100
openssl (0.9.8a-4) unstable; urgency=low
* Call dh_makeshlibs with the proper version instead of putting
it in shlibs.local, which doesn't seem to do anything. 0.9.8a-1
added symbol versioning, so it should have bumped the shlibs.
(Closes: #338284)
* The openssl package had a duplicate dependency on libssl0.9.8,
only require the version as required by the shlibs.
* Make libssl-dev depend on zlib1g-dev, since it's now required for
static linking. (Closes: #338313)
* Generate .pc files that make use of Libs.private, so things only
link to the libraries they should when linking shared.
* Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
* Make powerpc and ppc64 use the assembler version for bn. ppc64
had the location in the string wrong, powerpc had it missing.
* Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
ripemd.h and sha.h. (Closes: #333101)
* Run make test for each of the versions we build, make it
not fail the build process if an error is found.
* Add build dependency on bc for the regression tests.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 13 Nov 2005 16:01:05 +0100
openssl (0.9.8a-3) unstable; urgency=high
* Link to libz instead of dynamicly loading it. It gets loaded
at the moment the library is initialised, so there is no point
in not linking to it. It's now failing in some cases since
it's not opened by it's soname, but by the symlink to it.
This should hopefully solve most of the bugs people have reported
since the move to libssl0.9.8.
(Closes: #334180, #336140, #335271)
* Urgency set to high because it fixes a grave bug affecting testing.
-- Kurt Roeckx <kurt@roeckx.be> Tue, 1 Nov 2005 14:56:40 +0100
openssl (0.9.8a-2) unstable; urgency=low
* Add Build-Dependency on m4, since sparc needs it to generate
it's assembler files. (Closes: #334542)
* Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
and causes a segfault. (Closes: #334501, #334502)
-- Kurt Roeckx <kurt@roeckx.be> Tue, 18 Oct 2005 19:05:53 +0200
openssl (0.9.8a-1) unstable; urgency=low
Christoph Martin:
* fix asm entries for some architectures, fixing #332758 properly.
* add noexecstack option to i386 subarch
* include symbol versioning in Configure (closes: #330867)
* include debian-armeb arch (closes: #333579)
* include new upstream patches; includes some minor fixes
* fix dh_shlibdeps line, removing the redundant dependency on
libssl0.9.8 (closes: #332755)
* add swedish debconf template (closes: #330554)
Kurt Roeckx:
* Also add noexecstack option for amd64, since it now has an
executable stack with the assembler fixes for amd64.
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 17 Oct 2005 17:01:06 +0200
openssl (0.9.8-3) unstable; urgency=low
* Apply security fix for CAN-2005-2969. (Closes: #333500)
* Change priority of -dbg package to extra.
-- Kurt Roeckx <kurt@roeckx.be> Wed, 12 Oct 2005 22:38:58 +0200
openssl (0.9.8-2) unstable; urgency=low
* Don't use arch specific assembler. Should fix build failure on
ia64, sparc and amd64. (Closes: #332758)
* Add myself to the uploaders.
-- Kurt Roeckx <kurt@roeckx.be> Mon, 10 Oct 2005 19:22:36 +0200
openssl (0.9.8-1) unstable; urgency=low
* New upstream release (closes: #311826)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 29 Sep 2005 14:20:04 +0200
openssl (0.9.7g-3) unstable; urgency=low
* change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
(closes: #327692)
* include -dbg version. That implies compiling with -g and without
-fomit-frame-pointer (closes: #293823, #153811)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 23 Sep 2005 13:51:57 +0200
openssl (0.9.7g-2) unstable; urgency=low
* really include nl translation
* remove special ia64 code from rc4 code to make the abi compatible to
older 0.9.7 versions (closes: #310489, #309274)
* fix compile flag for debian-ppc64 (closes: #318750)
* small fix in libssl0.9.7.postinst (closes: #239956)
* fix pk7_mime.c to prevent garbled messages because of to early memory
free (closes: #310184)
* include vietnamese debconf translation (closes: #316689)
* make optimized i386 libraries have non executable stack (closes:
#321721)
* remove leftover files from ssleay
* move from dh_installmanpages to dh_installman
* change Maintainer to pkg-openssl-devel@lists.alioth.debian.org
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 7 Sep 2005 15:32:54 +0200
openssl (0.9.7g-1) unstable; urgency=low
* New upstream release
* Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
they must be explicitely allowed in run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
* Prompt for pass phrases when appropriate for PKCS12 input format.
* Back-port of selected performance improvements from development
branch, as well as improved support for PowerPC platforms.
* Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
* Perform some character comparisons of different types in X509_NAME_cmp:
this is needed for some certificates that reencode DNs into UTF8Strings
(in violation of RFC3280) and can't or wont issue name rollover
certificates.
* corrected watchfile
* added upstream source url (closes: #292904)
* fix typo in CA.pl.1 (closes: #290271)
* change debian-powerpc64 to debian-ppc64 and adapt the configure
options to be the same like upstream (closes: #289841)
* include -signcert option in CA.pl usage
* compile with zlib-dynamic to use system zlib (closes: #289872)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 9 May 2005 23:32:03 +0200
openssl (0.9.7e-3) unstable; urgency=high
* really fix der_chop. The fix from -1 was not really included (closes:
#281212)
* still fixes security problem CAN-2004-0975 etc.
- tempfile raise condition in der_chop
- Avoid a race condition when CRLs are checked in a multi threaded
environment.
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 16 Dec 2004 18:41:29 +0100
openssl (0.9.7e-2) unstable; urgency=high
* fix perl path in der_chop and c_rehash (closes: #281212)
* still fixes security problem CAN-2004-0975 etc.
- tempfile raise condition in der_chop
- Avoid a race condition when CRLs are checked in a multi threaded
environment.
-- Christoph Martin <christoph.martin@uni-mainz.de> Sun, 14 Nov 2004 20:16:21 +0100
openssl (0.9.7e-1) unstable; urgency=high
* SECURITY UPDATE: fix insecure temporary file handling
* apps/der_chop:
- replaced $$-style creation of temporary files with
File::Temp::tempfile()
- removed unused temporary file name in do_certificate()
* References:
CAN-2004-0975 (closes: #278260)
* fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
* New upstream release with security fixes
- Avoid a race condition when CRLs are checked in a multi threaded
environment.
- Various fixes to s3_pkt.c so alerts are sent properly.
- Reduce the chances of duplicate issuer name and serial numbers (in
violation of RFC3280) using the OpenSSL certificate creation
utilities.
* depends openssl on perl-base instead of perl (closes: #280225)
* support powerpc64 in Configure (closes: #275224)
* include cs translation (closes: #273517)
* include nl translation (closes: #272479)
* Fix default dir of c_rehash (closes: #253126)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 12 Nov 2004 14:11:15 +0100
openssl (0.9.7d-5) unstable; urgency=low
* Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
#241386)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 26 Jul 2004 17:22:42 +0200
openssl (0.9.7d-4) unstable; urgency=low
* add Catalan translation (closes: #248749)
* add Spanish translation (closes: #254561)
* include NMU fixes: see below
* decrease optimisation level for debian-arm to work around gcc bug
(closes: #253848) (thanks to Steve Langasek and Thom May)
* Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
* Add watchfile
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 14 Jul 2004 14:31:02 +0200
openssl (0.9.7d-3) unstable; urgency=low
* rename -pic.a libraries to _pic.a (closes: #250016)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 24 May 2004 17:02:29 +0200
openssl (0.9.7d-2) unstable; urgency=low
* include PIC libs (libcrypto-pic.a and libssl-pic.a) to libssl-dev
(closes: #246928, #243999)
* add racoon to restart list (closes: #242652)
* add Brazilian, Japanese and Danish translations (closes: #242087,
#241830, #241705)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 11 May 2004 10:13:49 +0200
openssl (0.9.7d-1) unstable; urgency=high
* new upstream
* fixes security holes (http://www.openssl.org/news/secadv_20040317.txt)
(closes: #238661)
* includes support for debian-amd64 (closes: #235551, #232310)
* fix typo in pem.pod (closes: #219873)
* fix typo in libssl0.9.7.templates (closes: #224690)
* openssl suggests ca-certificates (closes: #217180)
* change debconf template to gettext format (closes: #219013)
* include french debconf template (closes: #219014)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 18 Mar 2004 16:18:43 +0100
openssl (0.9.7c-5) unstable; urgency=low
* include openssl.pc into libssl-dev (closes: #212545)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 16 Oct 2003 16:31:32 +0200
openssl (0.9.7c-4) unstable; urgency=low
* change question to restart services to debconf (closes: #214840)
* stop using dh_undocumented (closes: #214831)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 10 Oct 2003 15:40:48 +0200
openssl (0.9.7c-3) unstable; urgency=low
* fix POSIX conformance for head in libssl0.9.7.postinst (closes:
#214700)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 8 Oct 2003 14:02:38 +0200
openssl (0.9.7c-2) unstable; urgency=low
* add filerc macro to libssl0.9.7.postinst (closes: #213906)
* restart spamassassins spamd on upgrade (closes: #214106)
* restart more services on upgrade
* fix EVP_BytesToKey manpage (closes: #213715)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 7 Oct 2003 15:01:32 +0200
openssl (0.9.7c-1) unstable; urgency=high
* upstream security fix (closes: #213451)
- Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CAN-2003-0543 and CAN-2003-0544).
Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
- In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
* more minor upstream bugfixes
* fix formatting in c_issuer (closes: #190026)
* fix Debian-FreeBSD support (closes: #200381)
* restart some services in postinst to make them use the new libraries
* remove duplicated openssl.1, crypto.3 and ssl.3 (closes: #198594)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 1 Oct 2003 08:54:27 +0200
openssl (0.9.7b-2) unstable; urgency=high
* fix permission of /etc/ssl/private to 700 again
* change section of libssl-dev to libdevel
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 23 Apr 2003 11:13:24 +0200
openssl (0.9.7b-1) unstable; urgency=high
* upstream security fix
- Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c). (CAN-2003-0131)
(closes: #189087)
- Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases. (CAN-2003-0147)
- Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
for more details see the CHANGES file
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 16 Apr 2003 10:32:57 +0200
openssl (0.9.7a-1) unstable; urgency=high
* upstream Security fix
- In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
for more details see the CHANGES file
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 21 Feb 2003 22:39:40 +0100
openssl (0.9.7-4) unstable; urgency=low
* use DH_COMPAT=3 to build
* move i686 to i686/cmov to fix problems on Via C3. For that to work we
have to depend on the newest libc6 on i386 (closes: #177891)
* fix bug in ui_util.c (closes: #177615)
* fix typo in md5.h (closes: #178112)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 24 Jan 2003 10:22:56 +0100
openssl (0.9.7-3) unstable; urgency=low
* enable build of ultrasparc code on non ultrasparc machines (closes:
#177024)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 17 Jan 2003 08:22:13 +0100
openssl (0.9.7-2) unstable; urgency=low
* include changes between 0.9.6g-9 and -10
* fix problem in build-process on i386 with libc6 version number
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 13 Jan 2003 14:26:56 +0100
openssl (0.9.7-1) unstable; urgency=low
* new upstream
* includes engine support
* a lot of bugfixes and enhancements, see the CHANGES file
* include AES encryption
* makes preview of certificate configurable (closes: #176059)
* fix x509 manpage (closes: #168070)
* fix declaration of ERR_load_PEM_string in pem.h (closes: #141360)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 11 Jan 2003 09:12:16 +0100
openssl (0.9.6g-10) unstable; urgency=low
* fix problem in build-process on i386 with libc6 version number
(closes: #167096)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 4 Nov 2002 12:27:21 +0100
openssl (0.9.6g-9) unstable; urgency=low
* fix typo in i386 libc6 depend (sigh) (closes: #163848)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 8 Oct 2002 23:29:20 +0200
openssl (0.9.6g-8) unstable; urgency=low
* fix libc6 depends. Only needed for i386 (closes: #163701)
* remove SHLIB section for bsds from Configure (closes: #163585)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 8 Oct 2002 10:57:35 +0200
openssl (0.9.6g-7) unstable; urgency=low
* enable i686 optimisation and depend on fixed glibc (closes: #163500)
* remove transition package ssleay
* include optimisation vor sparcv8 (closes: #139996)
* improve optimisation vor sparcv9
-- Christoph Martin <christoph.martin@uni-mainz.de> Sun, 6 Oct 2002 14:07:12 +0200
openssl (0.9.6g-6) unstable; urgency=low
* temporarily disable i686 optimisation (See bug in glibc #161788)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 21 Sep 2002 18:56:49 +0200
openssl (0.9.6g-5) unstable; urgency=low
* i486 can use i586 assembler
* include set -xe in the for loops in the rules files to make it abort
on error (closes: #161768)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 21 Sep 2002 16:23:11 +0200
openssl (0.9.6g-4) unstable; urgency=low
* fix optimization for alpha and sparc
* add optimization for i486
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 20 Sep 2002 22:36:19 +0200
openssl (0.9.6g-3) unstable; urgency=low
* add optimized libraries for i586, i686, ev4, ev5 and v9 (closes: #139783)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 19 Sep 2002 18:33:04 +0200
openssl (0.9.6g-2) unstable; urgency=low
* fix manpage names (closes: #156717, #156718, #156719, #156721)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 15 Aug 2002 11:26:37 +0200
openssl (0.9.6g-1) unstable; urgency=low
* new upstream version
* Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
assertions could call abort()). (closes: #155985, #156495)
* Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
and get fix the header length calculation.
* include support for new sh* architectures (closes: #155117)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 14 Aug 2002 13:59:22 +0200
openssl (0.9.6e-1) unstable; urgency=high
* fixes remote exploits (see DSA-136-1)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 30 Jul 2002 18:32:28 +0200
openssl (0.9.6d-1) unstable; urgency=low
* new upstream (minor) version
* includes Configure lines for debian-*bsd-* (closes: #130413)
* fix wrong prototype for BN_pseudo_rand_range in BN_rand(3ssl) (closes:
#144586)
* fix typos in package description (closes: #141469)
* fix typo in SSL_CTX_set_cert_store manpage (closes: #135297)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 3 Jun 2002 19:42:10 +0200
openssl (0.9.6c-2) unstable; urgency=low
* moved from non-US to main
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 19 Mar 2002 14:48:39 +0100
openssl (0.9.6c-1) unstable; urgency=low
* new upstream version with a lot of bugfixes
* remove directory /usr/include/openssl from openssl package (closes:
bug #121226)
* remove selfdepends from libssl0.9.6
* link openssl binary shared again
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 5 Jan 2002 19:04:31 +0100
openssl (0.9.6b-4) unstable; urgency=low
* build with -D_REENTRANT for threads support on all architectures
(closes: #112329, #119239)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 24 Nov 2001 12:17:51 +0100
openssl (0.9.6b-3) unstable; urgency=low
* disable idea, mdc2 and rc5 because they are not free (closes: #65368)
* ready to be moved from nonus to main
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 21 Nov 2001 17:51:41 +0100
openssl (0.9.6b-2) unstable; urgency=high
* fix definition of crypt in des.h (closes: #107533)
* fix descriptions (closes: #109503)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 17 Sep 2001 15:38:27 +0200
openssl (0.9.6b-1) unstable; urgency=medium
* new upstream fixes some security issues (closes: #105835, #100146)
* added support for s390 (closes: #105681)
* added support for sh (closes: #100003)
* change priority of libssl096 to standard as ssh depends on it (closes:
#105440)
* don't optimize for i486 to support i386. (closes: #104127, #82194)
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 20 Jul 2001 15:52:42 +0200
openssl (0.9.6a-3) unstable; urgency=medium
* add perl-base to builddeps
* include static libraries in libssl-dev (closes: #93688)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 14 May 2001 20:16:06 +0200
openssl (0.9.6a-2) unstable; urgency=medium
* change Architecture of ssleay from any to all (closes: #92913)
* depend libssl-dev on the exact same version of libssl0.9.6 (closes:
#88939)
* remove lib{crypto,ssl}.a from openssl (closes: #93666)
* rebuild with newer gcc to fix atexit problem (closes: #94036)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 2 May 2001 12:28:39 +0200
openssl (0.9.6a-1) unstable; urgency=medium
* new upstream, fixes some security bugs (closes: #90584)
* fix typo in s_server manpage (closes: #89756)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 10 Apr 2001 12:13:11 +0200
openssl (0.9.6-2) unstable; urgency=low
* policy: reorganisation of package names: libssl096 -> libssl0.9.6,
libssl096-dev -> libssl-dev (closes: #83426)
* libssl0.9.6 drops replaces libssl09 (Closes: #83425)
* install upstream CHANGES files (Closes: #83430)
* added support for hppa and ia64 (Closes: #88790)
* move man3 manpages to libssl-dev (Closes: #87546)
* fix formating problem in rand_add(1) (Closes: #87547)
* remove manpage duplicates (Closes: #87545, #74986)
* make package descriptions clearer (Closes: #83518, #83444)
* increase default emailAddress_max from 40 to 60 (Closes: #67238)
* removed RSAREF warning (Closes: #84122)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 8 Mar 2001 14:24:00 +0100
openssl (0.9.6-1) unstable; urgency=low
* New upstream version (Thanks to Enrique Zanardi <ezanard@debian.org>)
(closes: #72388)
* Add support for debian-hurd (closes: #76032)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 13 Nov 2000 22:30:46 +0100
openssl (0.9.5a-5) unstable; urgency=low
* move manpages in standard directories with section ssl (closes:
#72152, #69809)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 5 Oct 2000 19:56:20 +0200
openssl (0.9.5a-4) unstable; urgency=low
* include edg_rand_bytes patch from and for apache-ssl
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 23 Sep 2000 16:48:06 +0200
openssl (0.9.5a-3) unstable; urgency=low
* fix call to dh_makeshlibs to create correct shlibs file and make
dependend programs link correctly (closes: Bug#61658)
* include a note in README.debian concerning the location of the
subcommand manpages (closes: Bug#69809)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 16 Sep 2000 19:10:50 +0200
openssl (0.9.5a-2) unstable; urgency=low
* try to fix the sharedlib problem. change soname of library
(closes: Bug#4622, #66102, #66538, #66123)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 12 Jul 2000 03:26:30 +0200
openssl (0.9.5a-1) unstable; urgency=low
* new upstream version (major changes see file NEWS) (closes: Bug#63976,
#65239, #65358)
* new library package libssl095a because of probably changed library
interface (closes: Bug#46222)
* added architecture mips and mipsel (closes: Bug#62437, #60366)
* provide shlibs.local file in build to help build if libraries are not
yet installed (closes: Bug#63984)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sun, 11 Jun 2000 15:17:35 +0200
openssl (0.9.4-5) frozen unstable; urgency=medium
* cleanup of move of doc directories to /usr/share/doc (closes:
Bug#56430)
* lintian issues (closes: Bug#49358)
* move demos from openssl to libssl09-dev (closes: Bug#59201)
* move to debhelpers
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 11 Mar 2000 10:38:04 +0100
openssl (0.9.4-4) unstable; urgency=medium
* Added 'debian-arm' in 'Configure'. (closes: Bug#54251, #54766)
* Fixed Configure for 'debian-m68k' (closes: Bug#53636)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 15 Jan 2000 13:16:18 +0100
openssl (0.9.4-3) unstable; urgency=low
* define symbol SSLeay_add_ssl_algorithms for backward compatibility
(closes: Bug#46882)
* remove manpages from /usr/doc/openssl (closes: Bug#46791)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 14 Oct 1999 16:51:08 +0200
openssl (0.9.4-2) unstable; urgency=low
* include some more docu in pod format (Bug #43933)
* removed -mv8 from sparc flags (Bug #44769)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 14 Sep 1999 22:04:06 +0200
openssl (0.9.4-1) unstable; urgency=low
* new upstream version (Closes: #42926)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sat, 28 Aug 1999 17:04:23 +0200
openssl (0.9.3a-1) unstable; urgency=low
* new upstream version (Bug #38345, #38627)
* sparc is big-endian (Bug #39973)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 7 Jul 1999 16:03:37 +0200
openssl (0.9.2b-3) unstable; urgency=low
* correct move conffiles to /etc/ssl (Bug #38570)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 31 May 1999 21:08:07 +0200
openssl (0.9.2b-2) unstable; urgency=low
* added convenience package ssleay to help upgrade to openssl (Bug
#37185, #37623, #36326)
* added some missing dependencies from libssl09 (Bug #36681, #35867,
#36326)
* move lib*.so to libssl09-dev (Bug #36761)
* corrected version numbers of library files
* introduce link from /usr/lib/ssl to /etc/ssl (Bug #36710)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sun, 23 May 1999 14:57:48 +0200
openssl (0.9.2b-1) unstable; urgency=medium
* First openssl version
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 31 Mar 1999 15:54:26 +0200
ssleay (0.9.0b-2) unstable; urgency=low
* Include message about the (not)usage of RSAREF (#24409)
* Move configfiles from /usr/lib/ssl to /etc/ssl (#26406)
* Change definitions for sparc (#26487)
* Added missing dependency (#28591)
* Make debian/libtool executable (#29708)
* /etc/ssl/lib/ssleay.cnf is now a confile (#32624)
-- Christoph Martin <christoph.martin@uni-mainz.de> Sun, 21 Mar 1999 19:41:04 +0100
ssleay (0.9.0b-1) unstable; urgency=low
* new upstream version (Bug #21227, #25971)
* build shared libraries with -fPIC (Bug #20027)
* support sparc architecture (Bug #28467)
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 13 Oct 1998 10:20:13 +0200
ssleay (0.8.1-7) frozen unstable; urgency=high
* security fix patch to 0.8.1b (bug #24022)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 6 Jul 1998 15:42:15 +0200
ssleay (0.8.1-6) frozen unstable; urgency=low
* second try to fix bug #15235 (copyright was still missing)
-- Christoph Martin <christoph.martin@uni-mainz.de> Mon, 22 Jun 1998 08:56:27 +0200
ssleay (0.8.1-5) frozen unstable; urgency=high
* changed /dev/random to /dev/urandom (Bug #23169, #17817)
* copyright contains now the full licence (Bug #15235)
* fixed bug #19410 (md5sums-lists-nonexisting-file)
* added demos to /usr/doc (Bug #17372)
* fixed type in package description (Bug #18969)
* fixed bug in adding documentation (Bug #21463)
* added patch for support of debian-powerpc (Bug #21579)
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 18 Jun 1998 23:09:13 +0200
ssleay (0.8.1-4) unstable; urgency=low
* purged dependency from libc5
-- Christoph Martin <christoph.martin@uni-mainz.de> Tue, 11 Nov 1997 15:31:50 +0100
ssleay (0.8.1-3) unstable; urgency=low
* changed packagename libssl to libssl08 to get better dependancies
-- Christoph Martin <christoph.martin@uni-mainz.de> Fri, 7 Nov 1997 14:23:17 +0100
ssleay (0.8.1-2) unstable; urgency=low
* linked shared libraries against libc6
* use /dev/random for randomseed
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 5 Nov 1997 11:21:40 +0100
ssleay (0.8.1-1) unstable; urgency=low
* new upstream version
-- Christoph Martin <christoph.martin@uni-mainz.de> Thu, 16 Oct 1997 16:15:43 +0200
ssleay (0.6.6-2) unstable; urgency=low
* cleanup in diffs
* removed INSTALL from docs (bug #13205)
* split libssl and libssl-dev (but #13735)
-- Christoph Martin <christoph.martin@uni-mainz.de> Wed, 15 Oct 1997 17:38:38 +0200
ssleay (0.6.6-1) unstable; urgency=low
* New upstream version
* added shared libraries for libcrypto and libssl
-- Christoph Martin <martin@uni-mainz.de> Thu, 26 Jun 1997 19:26:14 +0200
ssleay (0.6.4-2) unstable; urgency=low
* changed doc filenames from .doc to .txt to be able to read them
over with webbrowser
-- Christoph Martin <martin@uni-mainz.de> Tue, 25 Feb 1997 14:02:53 +0100
ssleay (0.6.4-1) unstable; urgency=low
* Initial Release.
-- Christoph Martin <martin@uni-mainz.de> Fri, 22 Nov 1996 21:29:51 +0100
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment