Format: 1.8
Date: Tue, 21 Apr 2020 16:30:31 +0200
Source: openssl
Architecture: source
Version: 1.1.1g-1+ubuntu16.04.1+deb.sury.org+1
Distribution: xenial
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 759811 767207 773601 794326 802591 813191 816239 823774 827028 839575 843064 844234 844715 848957 852017 852900 852920 859191 860254 861145 863367 863707 864080 867240 869856 875423 878303 882007 888305 891570 891797 892276 894282 895844 907631 910459 911389 912067 913558 923516 926315 941765 941987 947949 955442
Changes:
 openssl (1.1.1g-1+ubuntu16.04.1+deb.sury.org+1) xenial; urgency=medium
 .
   * No-change backport to xenial
 .
 openssl (1.1.1g-1) unstable; urgency=medium
 .
   * New upstream version
 .
 openssl (1.1.1f-1) unstable; urgency=medium
 .
   * New upstream version
    - Revert the change of EOF detection to avoid regressions in applications.
      (Closes: #955442).
 .
 openssl (1.1.1e-1) unstable; urgency=medium
 .
   * Use dh-compat level 12.
   * New upstream version
     - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
     (Closes: #947949).
   * Update symbol list.
   * Update Standards-Version to 4.5.0. No changes required.
   * Add musl configurations (Closes: #941765).
 .
 openssl (1.1.1d-2) unstable; urgency=medium
 .
   * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
 .
 openssl (1.1.1d-1) unstable; urgency=medium
 .
   * New upstream version
    - CVE-2019-1549 (Fixed a fork protection issue).
    - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP
      construction).
    - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and
      CMS_decrypt_set1_pkey).
   * Update symbol list
 .
 openssl (1.1.1c-1) unstable; urgency=medium
 .
   * New upstream version
    - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
   * Update symbol list
 .
 openssl (1.1.1b-2) unstable; urgency=medium
 .
   * Fix BUF_MEM regression (Closes: #923516)
   * Fix error when config can't be opened (Closes: #926315)
   * Ship an openssl.cnf in libssl1.1-udeb.dirs
 .
 openssl (1.1.1b-1) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Add Breaks on lighttpd (Closes: #913558).
 .
   [ Kurt Roeckx ]
   * New upstream version
   * Update symbol list
 .
 openssl (1.1.1a-1) unstable; urgency=medium
 .
   * Add Breaks on python-boto (See: #909545)
   * New upstream version
    - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
    - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation)
    - Update symbol file for 1.1.1a
 .
 openssl (1.1.1-2) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Add Breaks on isync (See: #906955)
   * Fix autopkgtest (Closes: #910459)
 .
   [ Kurt Roeckx ]
   * Add Breaks on python-imaplib2 (See: #907079)
   * Add news entry regarding default TLS version and security level
     (Closes: #875423, #907631, #911389, #912067).
 .
 openssl (1.1.1-1) unstable; urgency=medium
 .
   * New upstream version.
    - Update symbol file for 1.1.1
    - CVE-2018-0732 (actually since pre8).
   * Add Breaks on python-httplib2 (See: #907278)
   * Add hardening=+all.
   * Update to policy 4.2.1
     - Less verbose testsuite with terse
     - Use RRR=no
 .
 openssl (1.1.1~~pre9-1) unstable; urgency=medium
 .
   * New upstream version.
     - Support the final TLS 1.3 version (RFC 8446)
   * Upload to unstable
 .
 openssl (1.1.1~~pre8-1) experimental; urgency=medium
 .
   * New upstream version.
 .
 openssl (1.1.1~~pre7-1) experimental; urgency=medium
 .
   * Drop afalgeng on kfreebsd-* which go enabled because they inherit from
     the linux target.
   * Fix debian-rules-sets-dpkg-architecture-variable.
   * Update to policy 4.1.4
     - only Suggest: libssl-doc instead Recommends (only documentation and
       example code is shipped).
     - drop Priority: important.
     - use signing-key.asc and a https links for downloads
   * Use compat 11.
     - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
       seems to make sense.
   * Add a 25-test_verify.t for autopkgtest which runs against intalled
     openssl binary.
   * Fix CVE-2018-0737 (Closes: #895844).
 .
 openssl (1.1.1~~pre6-2) experimental; urgency=medium
 .
   * Update libssl1.1.symbols
 .
 openssl (1.1.1~~pre6-1) experimental; urgency=medium
 .
   * New upstream version
   * Increase default security level from 1 to 2. This moves from the 80 bit
     security level to the 112 bit securit level and will require 2048 bit RSA
     and DHE keys.
 .
 openssl (1.1.1~~pre4-1) experimental; urgency=medium
 .
   * Update to 1.1.1-pre4 (Closes: #892276, #894282).
   * Add riscv64 target (Closes: #891797).
 .
 openssl (1.1.1~~pre3-1) experimental; urgency=medium
 .
   * Update to 1.1.1-pre3
   * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
   * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
   * Enable system default config to enforce TLS1.2 as a minimum.
 .
 openssl (1.1.1~~pre2-1) experimental; urgency=medium
 .
   * Update to 1.1.1-pre2
 .
 openssl (1.1.1~~pre1-1) experimental; urgency=medium
 .
   * Abort the build if symbols are discovered which are not part of the
     symbols file.
   * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
   * Enable afalgeng on Linux targets (Closes: #888305)
   * Update 1.1.1-pre1.
 .
 openssl (1.1.0g-2) unstable; urgency=high
 .
   * Avoid problems with aes assembler on armhf using binutils 2.29
 .
 openssl (1.1.0g-1) unstable; urgency=medium
 .
   [ Kurt Roeckx ]
   * New upstream version
     - Fixes CVE-2017-3735
     - Fixes CVE-2017-3736
   * Remove patches applied upstream
   * Temporary enable TLS 1.0 and 1.1 again (#875423)
   * Attempt to fix testsuite race condition
   * update no-symbolic.patch to apply
 .
 openssl (1.1.0f-5) unstable; urgency=medium
 .
   * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
     version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
     calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().
 .
 openssl (1.1.0f-4) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Add support for arm64ilp32, patch by Wookey (Closes: #867240)
 .
   [ Kurt Roeckx ]
   * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
     version. This will likely break things, but the hope is that by
     the release of Buster everything will speak at least TLS 1.2. This will be
     reconsidered before the Buster release.
   * Fix a race condition in the test suite (Closes: #869856)
 .
 openssl (1.1.0f-3) unstable; urgency=medium
 .
   * Don't cleanup a thread-local key we didn't create it (Closes: #863707)
 .
 openssl (1.1.0f-2) unstable; urgency=medium
 .
   * Make the udeb use a versioned depends (Closes: #864080)
   * Conflict with libssl1.0-dev (Closes: #863367)
 .
 openssl (1.1.0f-1) unstable; urgency=medium
 .
   * New upstream version
     - Fix regression in req -x509 (Closes: #839575)
     - Properly detect features on the AMD Ryzen processor (Closes: #861145)
     - Don't mention -tls1_3 in the manpage (Closes: #859191)
   * Update libssl1.1.symbols for new symbols
   * Update man-section.patch
 .
 openssl (1.1.0e-2) unstable; urgency=medium
 .
   * Make openssl depend on perl-base (Closes: #860254)
 .
 openssl (1.1.0e-1) unstable; urgency=high
 .
   * New upstream version
     - Fixes CVE-2017-3733
     - Remove patches that are applied upstream.
 .
 openssl (1.1.0d-2) unstable; urgency=medium
 .
   * Fix building of arch and all packages in a minimal environment
     (Closes: #852900).
   * Fix precomputing SHA1 by adding the following patches from upstream:
     - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
     - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
     - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
     (Closes: #852920).
 .
 openssl (1.1.0d-1) unstable; urgency=medium
 .
   * New Upstream release
     - Fixes CVE-2017-3731
     - Fixes CVE-2017-3730
     - Fixes CVE-2017-3732
     - drop revert_ssl_read.patch and
       0001-Add-missing-zdelete-for-some-linux-arches.patch, applied upstream.
   * add new symbols.
 .
 openssl (1.1.0c-4) unstable; urgency=medium
 .
   * Make build-indep build again.
   * Don't depend on perl:any in openssl as it breaks debootstrap
    ("Closes: #852017).
 .
 openssl (1.1.0c-3) unstable; urgency=medium
 .
   * Add myself as Uploader.
   * Add support for tilegx, patch by Helmut Grohne (Closes: #848957).
   * redo the rules file to some newer debhelper:
     - everyfile should remain, nothing should get lost
     - the scripts in the doc package gained an exec bit
     - openssl gained a dep on perl (the package contains perl scripts)
     - libssl1.0.2-dbg is gone, we have dbgsym now
     - dh compat 10
     - pkg.install instead of pkg.files is used for install
   * Mark libssl-doc as MA foreign
   * Update Standards-Version from 3.9.5 to 3.9.8. No changes required.
   * Document the change for openssl's enc command between 1.1.0 and pre 1.1.0
     in the NEWS file (Closes: #843064).
   * Add an override for lintian for the non-standard private directory
 .
 openssl (1.1.0c-2) unstable; urgency=medium
 .
   * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
     (Closes: #844234)
   * Add missing -zdelete on x32 (Closes: #844715)
   * Add a Breaks on salt-common. Addresses #844706
 .
 openssl (1.1.0c-1) unstable; urgency=medium
 .
   * New upstrem release
     - Fix CVE-2016-7053
     - Fix CVE-2016-7054
     - Fix CVE-2016-7055
   * remove no-rpath.patch, applied upstream.
   * Remove old d2i test cases, use the one from the upstream tarball.
   * Update libssl1.1.symbols for new sysmbols.
 .
 openssl (1.1.0b-2) unstable; urgency=low
 .
   * Upload to unstable
 .
 openssl (1.1.0b-1) experimental; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2016-6309
 .
 openssl (1.1.0a-1) experimental; urgency=medium
 .
   * New upstream release
     - Fix CVE-2016-6304
     - Fix CVE-2016-6305
     - Fix CVE-2016-6307
     - Fix CVE-2016-6308
   * Update c_rehash-compat.patch to apply to new version.
   * Update symbol file.
 .
 openssl (1.1.0-1) experimental; urgency=medium
 .
   [ Kurt Roeckx ]
   * New upstream version
   * Use Package-Type instead of XC-Package-Type
   * Remove "Priority: optional" in the binary packages.
   * Add Homepage
   * Use dpkg-buildflags's LDFLAGS also for building the shared libraries.
 .
   [ Sebastian Andrzej Siewior ]
   * drop config-hurd.patch, we don't use `config' and it works without the
     patch.
   * Drop depend on zlib1g-dev since we don't use it anymore (Closes: #767207)
   * Make the openssl package Multi-Arch: foregin (Closes: #827028)
 .
 openssl (1.1.0~pre6-1) experimental; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * drop engines-path.patch. Upstream uses a 1.1 suffixes now.
 .
   [ Kurt Roeckx ]
   * New upstream version
   * Drop upstream snapshot
   * Update symbols file
   * Use some https instead of http URLs
 .
 openssl (1.1.0~pre5-5) experimental; urgency=medium
 .
   * Update snapshot to commit fe964f0c88f6780fd30b26e306484b981b0a8480
 .
 openssl (1.1.0~pre5-4) experimental; urgency=medium
 .
   * Update snapshot to commit c32bdbf171ce6650ef045ec47b5abe0de7c264db
   * Remove utils-mkdir-p-check-if-dir-exists-also-after-mkdir-f.patch, applied
     upstream
 .
 openssl (1.1.0~pre5-3) experimental; urgency=medium
 .
   [ Kurt Roeckx ]
   * Don't use assembler on hppa, it's not writen for Linux.
 .
 openssl (1.1.0~pre5-2) experimental; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Run the testsuite with verbose output.
   * Use $(MAKE) so the whole make environment is passed to its child and we
     can build in parallel with -jX
   * Update snapshot to commit 5000a6d1215e ("Fix an error path leak in int
     X509_ATTRIBUTE_set1_data()")
 .
 openssl (1.1.0~pre5-1) experimental; urgency=medium
 .
   * New upstream version with soname change.  Upload to experimental.
     - Rename binary packages
     - Remove patches:
       - block_diginotar.patch: All cross certificates expired in 2013
       - block_digicert_malaysia.patch: intermediate certificates expired in
         2015
       - man-dir.patch: Fixed upstream
       - valgrind.patch: Upstream no longer adds the uninitialized data to the
         RNG
       - shared-lib-ext.patch: No longer needed
       - version-script.patch: Upstream does symbol versioning itself now
       - disable_freelist.patch: No longer needed
       - soname.patch: Was to change to the 1.0.2 soname that upstream never had
       - disable_sslv3_test.patch: Fixed upstream
       - libdoc-manpgs-pod-spell.patch: Fixed upstream (Closes: #813191)
     - Rewrite debian-targets.patch to work with the new configuration system.
     - Update other patches to apply
     - Update list of install docs
     - Use DESTDIR instead of INSTALL_PREFIX
     - Clean up more files
     - Remove the configure option enable-tlsext no-ssl2 since they're no
       longer supported.
   * Add upstream snapshot:
     - Add d2i-tests.tar to get new binary test files.
   * Don't build i686 optimized version anymore on i386, it's now the default.
     (Closes: #823774)
 .
 openssl (1.0.2h-1) unstable; urgency=high
 .
   * New upstream version
     - Fixes CVE-2016-2107
     - Fixes CVE-2016-2105
     - Fixes CVE-2016-2106
     - Fixes CVE-2016-2109
     - Fixes CVE-2016-2176
 .
 openssl (1.0.2g-2) unstable; urgency=medium
 .
   * Use assembler of arm64 (Closes: #794326)
     Patch from Riku Voipio <riku.voipio@iki.fi>
   * Add a udeb for libssl, based on similar changes done in Ubuntu
     starting in version 0.9.8o-4ubuntu1 (Closes: #802591)
     Patch from Margarita Manterola <marga@google.com>
   * Add support for nios2 (Closes: #816239)
     Based on patch from Marek Vasut <marex@denx.de>
   * Update Spanish translation from Manuel "Venturi" Porras Peralta
     <venturi@openmailbox.org> (Closes: #773601)
   * Don't build an i586 optimized version anymore, the default
     already targets that.  Patch from Sven Joachim <svenjoac@gmx.de>
     (Closes: #759811)
Checksums-Sha1:
 316eb96881eb51ded9c05813c4c35f86975c8f1d 2612 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.dsc
 9f555c03ccc333e7ab8e9e295a37e4ef9e5cfeee 9975389 openssl_1.1.1g.orig.tar.gz
 d576ae6cbad311c536679b671f16009d814b8bab 83980 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.debian.tar.xz
 cda30444241687ce6bfca7f8c10274cf735285f5 7900 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1_source.buildinfo
Checksums-Sha256:
 d6265dcb29b4a07978bdc1b0db669b57edf9ca9aa02ee52fd83a92a0df8e8398 2612 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.dsc
 6e2ab033c80acf353f804c85d554c4fe40cf6941a04b1a8185c30b95caf86396 9975389 openssl_1.1.1g.orig.tar.gz
 3e5be62a921c630992e9b2b5647691f979d0ee693b0ea19a82f3a1de6a211897 83980 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.debian.tar.xz
 f085b6f7141b388ece5b01b0c48b2cfa3d24c894884bd66591b0e598d11f3caf 7900 openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1_source.buildinfo
Files:
 48523dc02f88c77725660ed19bbc970b 2612 utils optional openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.dsc
 a4274921111cf75657b23357d7b8e3b5 9975389 utils optional openssl_1.1.1g.orig.tar.gz
 6d2baa1bbe8276a697c166581abdfc59 83980 utils optional openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1.debian.tar.xz
 173227962e6a7a31eae92dad8c691bf7 7900 utils optional openssl_1.1.1g-1+ubuntu16.04.1+deb.sury.org+1_source.buildinfo