Format: 1.8 Date: Tue, 03 Mar 2015 00:23:39 -0500 Source: openssl Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg Architecture: source Version: 1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1 Distribution: precise Urgency: high Maintainer: Ubuntu Developers Changed-By: Stéphane Graber Description: libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb) libssl-dev - Secure Sockets Layer toolkit - development files libssl-doc - Secure Sockets Layer toolkit - development documentation libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information libssl1.0.0-udeb - ssl shared library - udeb (udeb) openssl - Secure Sockets Layer toolkit - cryptographic utility Closes: 487152 649841 653574 658162 660971 666405 668600 672452 672710 675990 676398 676533 677468 678353 689093 694738 698406 698447 699692 699889 701826 701868 702635 703031 719262 720654 723954 728055 732348 732710 732754 Launchpad-Bugs-Fixed: 1018522 1051892 1066032 1077228 1083498 1102107 1133333 1134873 1187195 1257877 1329297 1332643 Changes: openssl (1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1) precise; urgency=medium . * No-change backport to precise . openssl (1.0.1f-1ubuntu2.8) trusty-security; urgency=medium . * SECURITY UPDATE: denial of service via unexpected handshake when no-ssl3 build option is used (not the default) - debian/patches/CVE-2014-3569.patch: keep the old method for now in ssl/s23_srvr.c. - CVE-2014-3569 * SECURITY UPDATE: bignum squaring may produce incorrect results - debian/patches/CVE-2014-3570.patch: fix bignum logic in crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to crypto/bn/bntest.c. - CVE-2014-3570 * SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record - debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c, ssl/s3_pkt.c. - debian/patches/CVE-2014-3571-2.patch: make code more obvious in ssl/d1_pkt.c. - CVE-2014-3571 * SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client] - debian/patches/CVE-2014-3572.patch: don't skip server key exchange in ssl/s3_clnt.c. - CVE-2014-3572 * SECURITY UPDATE: certificate fingerprints can be modified - debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c, crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h, crypto/x509/x_all.c. - CVE-2014-8275 * SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client] - debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c, ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod, doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod. - CVE-2015-0204 * SECURITY UPDATE: DH client certificates accepted without verification - debian/patches/CVE-2015-0205.patch: prevent use of DH client certificates without sending certificate verify message in ssl/s3_srvr.c. - CVE-2015-0205 * SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record - debian/patches/CVE-2015-0206.patch: properly handle failures in ssl/d1_pkt.c. - CVE-2015-0206 . openssl (1.0.1f-1ubuntu2.7) trusty-security; urgency=medium . * SECURITY UPDATE: denial of service via DTLS SRTP memory leak - debian/patches/CVE-2014-3513.patch: fix logic in ssl/d1_srtp.c, ssl/srtp.h, ssl/t1_lib.c, util/mk1mf.pl, util/mkdef.pl, util/ssleay.num. - CVE-2014-3513 * SECURITY UPDATE: denial of service via session ticket integrity check memory leak - debian/patches/CVE-2014-3567.patch: perform cleanup in ssl/t1_lib.c. - CVE-2014-3567 * SECURITY UPDATE: fix the no-ssl3 build option - debian/patches/CVE-2014-3568.patch: fix conditional code in ssl/s23_clnt.c, ssl/s23_srvr.c. - CVE-2014-3568 * SECURITY IMPROVEMENT: Added TLS_FALLBACK_SCSV support to mitigate a protocol downgrade attack to SSLv3 that exposes the POODLE attack. - debian/patches/tls_fallback_scsv_support.patch: added support for TLS_FALLBACK_SCSV in apps/s_client.c, crypto/err/openssl.ec, ssl/d1_lib.c, ssl/dtls1.h, ssl/s23_clnt.c, ssl/s23_srvr.c, ssl/s2_lib.c, ssl/s3_enc.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl3.h, ssl/ssl_err.c, ssl/ssl_lib.c, ssl/t1_enc.c, ssl/tls1.h, doc/apps/s_client.pod, doc/ssl/SSL_CTX_set_mode.pod. . openssl (1.0.1f-1ubuntu2.5) trusty-security; urgency=medium . * SECURITY UPDATE: double free when processing DTLS packets - debian/patches/CVE-2014-3505.patch: fix double free in ssl/d1_both.c. - CVE-2014-3505 * SECURITY UPDATE: DTLS memory exhaustion - debian/patches/CVE-2014-3506.patch: fix DTLS handshake message size checks in ssl/d1_both.c. - CVE-2014-3506 * SECURITY UPDATE: DTLS memory leak from zero-length fragments - debian/patches/CVE-2014-3507.patch: fix memory leak and return codes in ssl/d1_both.c. - CVE-2014-3507 * SECURITY UPDATE: information leak in pretty printing functions - debian/patches/CVE-2014-3508.patch: fix OID handling in crypto/asn1/a_object.c, crypto/objects/obj_dat.c. - CVE-2014-3508 * SECURITY UPDATE: race condition in ssl_parse_serverhello_tlsext - debian/patches/CVE-2014-3509.patch: fix race in ssl/t1_lib.c. - CVE-2014-3509 * SECURITY UPDATE: DTLS anonymous EC(DH) denial of service - debian/patches/CVE-2014-3510.patch: check for server certs in ssl/d1_clnt.c, ssl/s3_clnt.c. - CVE-2014-3510 * SECURITY UPDATE: TLS protocol downgrade attack - debian/patches/CVE-2014-3511.patch: properly handle fragments in ssl/s23_srvr.c. - CVE-2014-3511 * SECURITY UPDATE: SRP buffer overrun - debian/patches/CVE-2014-3512.patch: check parameters in crypto/srp/srp_lib.c. - CVE-2014-3512 * SECURITY UPDATE: crash with SRP ciphersuite in Server Hello message - debian/patches/CVE-2014-5139.patch: fix SRP authentication and make sure ciphersuite is set up correctly in ssl/s3_clnt.c, ssl/ssl_lib.c, ssl/s3_lib.c, ssl/ssl.h, ssl/ssl_ciph.c, ssl/ssl_locl.h. - CVE-2014-5139 . openssl (1.0.1f-1ubuntu2.4) trusty-security; urgency=medium . * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643) - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after sending finished ssl/s3_clnt.c. . openssl (1.0.1f-1ubuntu2.3) trusty-security; urgency=medium . * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297) - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using tls_session_secret_cb for session resumption in ssl/s3_clnt.c. . openssl (1.0.1f-1ubuntu2.2) trusty-security; urgency=medium . * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS fragments in ssl/d1_both.c. - CVE-2014-0195 * SECURITY UPDATE: denial of service via DTLS recursion flaw - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without recursion in ssl/d1_both.c. - CVE-2014-0221 * SECURITY UPDATE: MITM via change cipher spec - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, ssl/ssl3.h. - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master secrets in ssl/s3_pkt.c. - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in ssl/s3_clnt.c. - CVE-2014-0224 * SECURITY UPDATE: denial of service via ECDH null session cert - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL before dereferencing it in ssl/s3_clnt.c. - CVE-2014-3470 . openssl (1.0.1f-1ubuntu2.1) trusty-security; urgency=medium . * SECURITY UPDATE: denial of service via use after free - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before releasing buffers in ssl/s3_pkt.c. - CVE-2010-5298 * SECURITY UPDATE: denial of service via null pointer dereference - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new one in ssl/s3_pkt.c. - CVE-2014-0198 . openssl (1.0.1f-1ubuntu2) trusty; urgency=medium . * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation - debian/patches/CVE-2014-0076.patch: add and use constant time swap in crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c, util/libeay.num. - CVE-2014-0076 * SECURITY UPDATE: memory disclosure in TLS heartbeat extension - debian/patches/CVE-2014-0160.patch: use correct lengths in ssl/d1_both.c, ssl/t1_lib.c. - CVE-2014-0160 . openssl (1.0.1f-1ubuntu1) trusty; urgency=low . * Merge with Debian, remaining changes. - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly code. - debian/rules: Enable optimized 64bit elliptic curve code contributed by Google. * Dropped changes: - debian/patches/arm64-support: included in debian-targets.patch - debian/patches/no_default_rdrand.patch: upstream - debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely disabled in debian/rules . openssl (1.0.1f-1) unstable; urgency=high . * New upstream version - Fix for TLS record tampering bug CVE-2013-4353 - Drop the snapshot patch * update watch file to check for upstream signature and add upstream pgp key. * Drop conflicts against openssh since we now on a released version again. . openssl (1.0.1e-6) unstable; urgency=medium . * Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<< 1:6.4p1-1.1). This is to prevent people running into #732940. This Breaks can be removed again when we stop using a git snapshot. . openssl (1.0.1e-5) unstable; urgency=low . * Change default digest to SHA256 instead of SHA1. (Closes: #694738) * Drop support for multiple certificates in 1 file. It never worked properly in the first place, and the only one shipping in ca-certificates has been split. * Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors * Remove make-targets.patch. It prevented the test dir from being cleaned. * Update to a git snapshot of the OpenSSL_1_0_1-stable branch. - Fixes CVE-2013-6449 (Closes: #732754) - Fixes CVE-2013-6450 - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch dtls_version.patch get_certificate.patch, since they where all already commited upstream. - adjust fix-pod-errors.patch for the reordering of items in the documentation they've done trying to fix those pod errors. - disable rdrand engine by default (Closes: #732710) * disable zlib support. Fixes CVE-2012-4929 (Closes: #728055) * Add arm64 support (Closes: #732348) * Properly use the default number of bits in req when none are given . openssl (1.0.1e-4ubuntu4) trusty; urgency=low . * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as default unless explicitly requested. . openssl (1.0.1e-4ubuntu3) trusty; urgency=medium . * Update debian configuration. . openssl (1.0.1e-4ubuntu2) trusty; urgency=low . * Re-enable full TLSv1.2 support (LP: #1257877) - debian/patches/tls12_workarounds.patch: disable patch to re-enable full TLSv1.2 support. Most problematic sites have been fixed now, and we really want proper TLSv1.2 support in an LTS. . openssl (1.0.1e-4ubuntu1) trusty; urgency=low . * Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1. . openssl (1.0.1e-4) unstable; urgency=low . [ Peter Michael Green ] * Fix pod errors (Closes: #723954) * Fix clean target . [ Kurt Roeckx ] * Add mipsn32 and mips64 targets. Patch from Eleanor Chen (Closes: #720654) * Add support for nocheck in DEB_BUILD_OPTIONS * Update Norwegian translation (Closes: #653574) * Update description of the packages. Patch by Justin B Rye (Closes: #719262) * change to debhelper compat level 9: - change dh_strip call so only the files from libssl1.0.0 get debug symbols. - change dh_makeshlibs call so the engines don't get added to the shlibs * Update Standards-Version from 3.8.0 to 3.9.5. No changes required. . openssl (1.0.1e-3ubuntu1) saucy; urgency=low . * Merge with Debian, remaining changes. - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially *multiple* certificates rather than exactly one. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly code. - debian/patches/arm64-support: Add basic arm64 support (no assembler) - debian/rules: Enable optimized 64bit elliptic curve code contributed by Google. * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 in test suite since we disable it in the client. * Disable compression to avoid CRIME systemwide (CVE-2012-4929). * Dropped changes: - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian. . openssl (1.0.1e-3) unstable; urgency=low . * Move to /usr/include/$(DEB_HOST_MULTIARCH), and mark libssl-dev Multi-Arch: same. Patch by Colin Watson (Closes: #689093) * Add Polish translation (Closes: #658162) * Add Turkish translation (Closes: #660971) * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio (Closes: #676533) * Add support for x32 (Closes: #698406) * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447) . openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low . * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195) - CVE-2012-4929 - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of zlib to compress SSL/TLS unless the environment variable OPENSSL_DEFAULT_ZLIB is set in the environment during library initialization. - Introduced to assist with programs not yet updated to provide their own controls on compression, such as Postfix - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch . openssl (1.0.1e-2ubuntu1) saucy; urgency=low . * Resynchronise with Debian unstable. Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially *multiple* certificates rather than exactly one. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly code. - debian/patches/arm64-support: Add basic arm64 support (no assembler) - debian/rules: Enable optimized 64bit elliptic curve code contributed by Google. * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 in test suite since we disable it in the client. * Dropped changes: - debian/patches/CVE-2013-0169.patch: upstream. - debian/patches/fix_key_decoding_deadlock.patch: upstream. - debian/patches/CVE-2013-0166.patch: upstream. . openssl (1.0.1e-2) unstable; urgency=high . * Bump shlibs. It's needed for the udeb. * Make cpuid work on cpu's that don't set ecx (Closes: #699692) * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353) * Fix problem with DTLS version check (Closes: #701826) * Fix segfault in SSL_get_certificate (Closes: #703031) . openssl (1.0.1e-1) unstable; urgency=high . * New upstream version (Closes: #699889) - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166 - Drop renegiotate_tls.patch, applied upstream - Export new CRYPTO_memcmp symbol, update symbol file * Add ssltest_no_sslv2.patch so that "make test" works. . openssl (1.0.1c-5) unstable; urgency=low . * Re-enable assembler versions on sparc. They shouldn't have been disabled for sparc v9. (Closes: #649841) . openssl (1.0.1c-4ubuntu8) raring; urgency=low . * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra commit from upstream to fix regression. - CVE-2013-0169 . openssl (1.0.1c-4ubuntu7) raring; urgency=low . * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522) . openssl (1.0.1c-4ubuntu6) raring; urgency=low . * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock when decoding public keys. (LP: #1066032) . openssl (1.0.1c-4ubuntu5) raring; urgency=low . * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873, LP: #1133333) - debian/patches/CVE-2013-0169.patch: disabled for now until fix is available from upstream. . openssl (1.0.1c-4ubuntu4) raring; urgency=low . * SECURITY UPDATE: denial of service via invalid OCSP key - debian/patches/CVE-2013-0166.patch: properly handle NULL key in crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. - CVE-2013-0166 * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack - debian/patches/CVE-2013-0169.patch: massive code changes - CVE-2013-0169 * SECURITY UPDATE: denial of service via AES-NI and crafted CBC data - Fix included in CVE-2013-0169 patch - CVE-2012-2686 . openssl (1.0.1c-4ubuntu3) raring; urgency=low . * Add basic arm64 support (no assembler) (LP: #1102107) . openssl (1.0.1c-4ubuntu2) raring; urgency=low . * Enable arm assembly code. (LP: #1083498) (Closes: #676533) . openssl (1.0.1c-4ubuntu1) raring; urgency=low . * Resynchronise with Debian (LP: #1077228). Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially *multiple* certificates rather than exactly one. - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. - debian/patches/tls12_workarounds.patch: Workaround large client hello issues when TLS 1.1 and lower is in use - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* * Dropped changes: - Drop openssl-doc in favour of the libssl-doc package introduced by Debian. Add Conflicts/Replaces until the next LTS release. + Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS release' . openssl (1.0.1c-4) unstable; urgency=low . * Fix the configure rules for alpha (Closes: #672710) * Switch the postinst to sh again, there never was a reason to switch it to bash (Closes: #676398) * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are preprocessed. We generate the file again for pic anyway. (Closes: #677468) * Drop Breaks against openssh as it was only for upgrades between versions that were only in testing/unstable. (Closes: #668600) . openssl (1.0.1c-3ubuntu2) quantal; urgency=low . [ Tyler Hicks ] * debian/patches/tls12_workarounds.patch: Readd the change to check TLS1_get_client_version rather than TLS1_get_version to fix incorrect client hello cipher list truncation when TLS 1.1 and lower is in use. (LP: #1051892) . [ Micah Gersten ] * Mark Debian Vcs-* as XS-Debian-Vcs-* - update debian/control . openssl (1.0.1c-3ubuntu1) quantal; urgency=low . * Resynchronise with Debian. Remaining changes: - debian/libssl1.0.0.postinst: + Display a system restart required notification on libssl1.0.0 upgrade on servers. + Use a different priority for libssl1.0.0/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package in Debian). - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. - debian/rules: + Don't run 'make test' when cross-building. + Use host compiler when cross-building. Patch from Neil Williams. + Don't build for processors no longer supported: i586 (on i386) + Fix Makefile to properly clean up libs/ dirs in clean target. + Replace duplicate files in the doc directory with symlinks. - Unapply patch c_rehash-multi and comment it out in the series as it breaks parsing of certificates with CRLF line endings and other cases (see Debian #642314 for discussion), it also changes the semantics of c_rehash directories by requiring applications to parse hash link targets as files containing potentially *multiple* certificates rather than exactly one. - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. - debian/patches/tls12_workarounds.patch: workaround large client hello issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and with -DOPENSSL_NO_TLS1_2_CLIENT. * Dropped upstreamed patches: - debian/patches/CVE-2012-2110.patch - debian/patches/CVE-2012-2110b.patch - debian/patches/CVE-2012-2333.patch - debian/patches/CVE-2012-0884-extra.patch - most of debian/patches/tls12_workarounds.patch . openssl (1.0.1c-3) unstable; urgency=low . * Disable padlock engine again, causes problems for hosts not supporting it. . openssl (1.0.1c-2) unstable; urgency=high . * Fix renegiotation when using TLS > 1.0. This breaks tor. Patch from upstream. (Closes: #675990) * Enable the padlock engine by default. * Change default bits from 1024 to 2048 (Closes: #487152) . openssl (1.0.1c-1) unstable; urgency=high . * New upstream version - Fixes CVE-2012-2333 (Closes: #672452) . openssl (1.0.1b-1) unstable; urgency=high . * New upstream version - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0 can talk to servers supporting TLS 1.1 but not TLS 1.2 - Drop rc4_hmac_md5.patch, applied upstream . openssl (1.0.1a-3) unstable; urgency=low . * Use patch from upstream for the rc4_hmac_md5 issue. . openssl (1.0.1a-2) unstable; urgency=low . * Fix rc4_hmac_md5 on non-i386/amd64 arches. . openssl (1.0.1a-1) unstable; urgency=high . * New upstream version - Fixes CVE-2012-2110 - Fix crash in rc4_hmac_md5 (Closes: #666405) - Fixes some issues with talking to other servers when TLS 1.1 and 1.2 is supported - Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch, applied upstream. . openssl (1.0.1-4ubuntu6) quantal; urgency=low . * SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and TLS v1.2 implementation - debian/patches/CVE_2012-2333.patch: guard for integer overflow before skipping explicit IV - CVE-2012-2333 * debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen properly when encrypting CMS messages. Checksums-Sha1: fbb9610e41be9ae18806129c92297e435f0deac8 2442 openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.dsc 9ef09e97dfc9f14ac2c042f3b7e301098794fc0f 4509212 openssl_1.0.1f.orig.tar.gz 03e18c836d2fd78bdd760399b5e2512741f082fa 154369 openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.debian.tar.gz Checksums-Sha256: f8dc8ebfb628c6989f877edfcb32827c072631063347c570491c3b6566a04799 2442 openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.dsc 6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a 4509212 openssl_1.0.1f.orig.tar.gz 99e1687ad0e9a78f261928a90cdda3ab2c1981a00cb220601682989c1ef3778d 154369 openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.debian.tar.gz Files: 2ed4b83392b43f90cb842b814de3b254 2442 utils optional openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.dsc f26b09c028a0541cab33da697d522b25 4509212 utils optional openssl_1.0.1f.orig.tar.gz db7c0d0013f9a34a63809f1dbbe05583 154369 utils optional openssl_1.0.1f-1ubuntu2.8~ubuntu12.04.1~ppa1.debian.tar.gz Original-Maintainer: Debian OpenSSL Team