Change logs for openssl source package in Sid

  • openssl (3.2.1-3) unstable; urgency=medium
    
      * Upload to unstable.
      * Correct previous security level in NEWS file (Closes: #1066116).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 04 Apr 2024 22:00:04 +0200
  • openssl (3.1.5-1.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Rename libraries for 64-bit time_t transition.  Closes: #1064264
    
     -- Benjamin Drung <email address hidden>  Thu, 29 Feb 2024 12:55:38 +0000
  • openssl (3.1.5-1) unstable; urgency=medium
    
      * Import 3.1.5
        - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
        - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
          (Closes: #1060858).
        - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
          PowerPC) (Closes: #1060347).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 03 Feb 2024 17:11:24 +0100
  • openssl (3.1.4-2) unstable; urgency=medium
    
      * Invoke clean up from the openssl binary as a temporary workaround to avoid
        a crash in libp11/SoftHSM engine (Closes: #1054546).
      * CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
        parameter value) (Closes: #1055473).
      * Upload to unstable.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 25 Nov 2023 21:35:59 +0100
  • openssl (3.0.12-2) unstable; urgency=medium
    
      * Invoke clean up from the openssl binary as a temporary workaround to avoid
        a crash in libp11/SoftHSM engine (Closes: #1054546).
      * CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
        parameter value) (Closes: #1055473).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 08 Nov 2023 21:48:52 +0100
  • openssl (3.0.12-1) unstable; urgency=medium
    
      * Import 3.0.12
       - CVE-2023-5363 (Incorrect cipher key and IV length processing).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 24 Oct 2023 21:40:37 +0200
  • openssl (3.0.11-1) unstable; urgency=medium
    
      * Import 3.0.11
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 19 Sep 2023 18:58:30 +0200
  • openssl (3.0.11-1~deb12u2) bookworm-security; urgency=medium
    
      * CVE-2023-5363 (Incorrect cipher key and IV length processing).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 23 Oct 2023 19:52:22 +0200
  • openssl (3.0.11-1~deb12u1) bookworm; urgency=medium
    
      * Import 3.0.11
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 26 Sep 2023 21:08:42 +0200
  • openssl (3.0.10-1) unstable; urgency=medium
    
      * Import 3.0.10
       - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
         entries) (Closes: #1041818).
       - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
         (Closes: #1041817).
       - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
       - Drop bc and m4 from B-D.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 01 Aug 2023 22:00:05 +0200
  • openssl (3.0.9-1) unstable; urgency=medium
    
      * Import 3.0.7
       - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
         Constraints) (Closes: #1034720).
       - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
         silently ignored).
       - CVE-2023-0466 (Certificate policy check not enabled).
       - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
       - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
       - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
       - Add new symbol.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 30 May 2023 18:12:36 +0200
  • openssl (3.0.8-1) unstable; urgency=medium
    
      * Import 3.0.7
        - CVE-2023-0401 (NULL dereference during PKCS7 data verification).
        - CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
        - CVE-2023-0217 (NULL dereference validating DSA public key).
        - CVE-2023-0216 (Invalid pointer dereference in d2i_PKCS7 functions).
        - CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
        - CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
        - CVE-2022-4304 (Timing Oracle in RSA Decryption).
        - CVE-2022-4203 (X.509 Name Constraints Read Buffer Overflow).
        - Padlock: fix byte swapping assembly for AES-192 and 256
          (Closes: #1029259).
        - Add new symbol.
      * Make loongarch64 little endian (Closes: #1029281).
      * Drop conflict against libssl1.0-dev.
      * Update Standards-Version to 4.6.1. No changes required.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 07 Feb 2023 21:42:42 +0100
  • openssl (3.0.7-2) unstable; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * CVE-2022-3996 (X.509 Policy Constraints Double Locking) (Closes: #1027102).
      * Add loongarch64 target (Closes: #1024414).
      * Avoid SIGSEGV with engines, reported by ValdikSS (Closes: #1028898).
      * Set digestname from argv[0] if it is a builtin hash name
       (Closes: #1025461).
    
      [ Helmut Grohne ]
      * Support the noudeb build profile (Closes: #1024929).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 19 Jan 2023 21:31:42 +0100
  • openssl (3.0.7-1) unstable; urgency=medium
    
      * Import 3.0.7
        - Using a Custom Cipher with NID_undef may lead to NULL encryption
          (CVE-2022-3358) (Closes: #1021620).
        - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
        - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
      * Disable rdrand engine (the opcode on x86).
      * Remove config bits for MIPS R6, the generic MIPS config can be used.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 01 Nov 2022 21:39:01 +0100
  • openssl (3.0.5-4) unstable; urgency=medium
    
      * Add ssl_conf() serialisation (Closes: #1020308).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 19 Sep 2022 21:59:19 +0200
  • openssl (3.0.5-3) unstable; urgency=medium
    
      * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
       (Closes: #805646).
      * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 18 Sep 2022 21:48:05 +0200
  • openssl (3.0.5-2) unstable; urgency=medium
    
      * Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
        (Closes: #1016290).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 14 Aug 2022 21:57:05 +0200
  • openssl (3.0.5-1) unstable; urgency=medium
    
      * Import 3.0.5
        - Possible module_list_lock crash (Closes: #1013309).
      * Update to 55461bf22a57a ("Don't try to make configuration leaner")
      * Use -latomic on arc,nios2 and sparc (Closes: #1015792).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 24 Jul 2022 16:30:30 +0200
  • openssl (3.0.4-2) unstable; urgency=medium
    
      * Address an AVX2 related memory corruption (Closes: #1013441).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 24 Jun 2022 19:27:02 +0200
  • openssl (3.0.4-1) unstable; urgency=medium
    
      * Import 3.0.3
        - CVE-2022-2068 (The c_rehash script allows command injection)
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 22 Jun 2022 08:04:00 +0200
  • openssl (3.0.3-8) unstable; urgency=medium
    
      * Update to openssl-3.0 head.
      * Avoid reusing the init_lock for a different purpose (Closes: #1011339).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 13 Jun 2022 22:16:39 +0200
  • openssl (3.0.3-7) unstable; urgency=medium
    
      * Remove the provider section from the provided openssl.cnf
       (Closes: #1011051).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 08 Jun 2022 23:10:14 +0200
  • openssl (3.0.3-6) unstable; urgency=medium
    
      * Update to openssl-3.0 head which fixes the expired certs in the testsuite.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 04 Jun 2022 15:25:53 +0200
  • openssl (3.0.3-5) unstable; urgency=medium
    
      * Don't generate endbr32 opcodes on i386. Thanks to Wolfgang Walter
        (Closes: #1011127).
      * Backport more compare fixes from upstream.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 20 May 2022 22:01:29 +0200
  • openssl (3.0.3-4) unstable; urgency=medium
    
      * Add an init to EVP_PKEY_Q_keygen(). GH#18247, reference 1010958.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 16 May 2022 23:20:27 +0200
  • openssl (3.0.3-3) unstable; urgency=medium
    
      * Revert "Use .s extension for ia64 assembler" and don't zero used
        registers. Thanks to John Paul Adrian Glaubitz for debugging
        (Closes: #1010975).
      * Don't build ev4/ev5 optimized libraries on alpha.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 14 May 2022 21:50:31 +0200
  • openssl (3.0.3-2) unstable; urgency=medium
    
      * Update standards to 4.6.1. No changes were needed.
      * Upload to unstable.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 13 May 2022 23:25:01 +0200
  • openssl (1.1.1o-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2022-1292 (The c_rehash script allows command injection).
      * The orig tar file is now signed with a stronger hash (Closes: #1007808).
      * Use a separator in the CipherString in openssl.cnf (Closes: #948800).
      * Remove the postinst script which was used to restart daemons after a
        library upgrade. It is not updated and essentially dead code. Users are
        advised to switch to checkrestart/needrestart or a similar service.
        Thanks to Helmut Grohne (Closes: #983722, #743957).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 06 May 2022 22:20:36 +0200
  • openssl (1.1.1n-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2022-0778 (Infinite loop in BN_mod_sqrt() reachable when parsing
          certificates).
        - CVE-2021-4160 (Carry propagation bug in the MIPS32 and MIPS64 squaring
          procedure.)
      * Use swapcontext() on IA64.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 15 Mar 2022 19:46:18 +0100
  • openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
    
      * CVE-2022-2068 (The c_rehash script allows command injection).
      * Update expired certs.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 24 Jun 2022 22:22:19 +0200
  • openssl (1.1.1n-0+deb11u1) bullseye; urgency=medium
    
      * New upstream version.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 18 Mar 2022 19:25:07 +0100
  • openssl (1.1.1m-1) unstable; urgency=medium
    
      * New upstream version.
        - Fix builds on kfreebsd (Closes: #993501).
      * Add arc, patch by Vineet Gupta (Closes: #989442).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 24 Dec 2021 13:15:37 +0100
  • openssl (1.1.1l-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2021-3711 (SM2 Decryption Buffer Overflow).
        - CVE-2021-3712 (Read buffer overruns processing ASN.1 strings).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 25 Aug 2021 00:19:05 +0200
  • openssl (1.1.1k-1+deb11u1) bullseye-security; urgency=medium
    
      * CVE-2021-3711 (SM2 Decryption Buffer Overflow).
      * CVE-2021-3712 (Read buffer overruns processing ASN.1 strings).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 24 Aug 2021 10:28:12 +0200
  • openssl (1.1.1k-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
        - CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 25 Mar 2021 21:49:34 +0100
  • openssl (1.1.1j-1) unstable; urgency=medium
    
      * New upstream version.
       - CVE-2021-23841 (NULL pointer deref in X509_issuer_and_serial_hash()).
       - CVE-2021-23840 (Possible overflow of the output length argument in
         EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 16 Feb 2021 20:50:01 +0100
  • openssl (1.1.1i-3) unstable; urgency=medium
    
      * Cherry-pick a patch from upstream to address #13931.
      * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 30 Jan 2021 14:06:46 +0100
  • openssl (1.1.1i-2) unstable; urgency=medium
    
      * Apply two patches from upstream to address x509 related regressions.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 17 Jan 2021 20:08:26 +0100
  • openssl (1.1.1i-1) unstable; urgency=medium
    
      * New upstream version.
        - CVE-2020-1971 (EDIPARTYNAME NULL pointer de-reference).
        - Restore rejection of expired trusted (root) certificate
          (Closes: #976465).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 08 Dec 2020 20:32:32 +0100
  • openssl (1.1.1h-1) unstable; urgency=medium
    
      * New upstream version
      * Disable CAPI engine, it is designed for Windows.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 11 Oct 2020 00:00:47 +0200
  • openssl (1.1.1g-1) unstable; urgency=medium
    
      * New upstream version
        - CVE-2020-1967 (Segmentation fault in SSL_check_chain).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 21 Apr 2020 21:45:21 +0200
  • openssl (1.1.1f-1) unstable; urgency=medium
    
      * New upstream version
       - Revert the change of EOF detection to avoid regressions in applications.
         (Closes: #955442).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 31 Mar 2020 23:59:59 +0200
  • openssl (1.1.1e-1) unstable; urgency=medium
    
      * Use dh-compat level 12.
      * New upstream version
        - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
        (Closes: #947949).
      * Update symbol list.
      * Update Standards-Version to 4.5.0. No changes required.
      * Add musl configurations (Closes: #941765).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 18 Mar 2020 20:59:39 +0100
  • openssl (1.1.1d-2) unstable; urgency=medium
    
      * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 12 Oct 2019 21:37:55 +0200
  • openssl (1.1.1d-1) unstable; urgency=medium
    
      * New upstream version
       - CVE-2019-1549 (Fixed a fork protection issue).
       - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP
         construction).
       - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and
         CMS_decrypt_set1_pkey).
      * Update symbol list
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 14 Sep 2019 00:38:12 +0200
  • openssl (1.1.1d-0+deb10u5) buster-security; urgency=medium
    
      * CVE-2021-23841 (NULL pointer deref in X509_issuer_and_serial_hash()).
      * CVE-2021-23840 (Possible overflow of the output length argument in
        EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()).
      * CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
        (Closes: #947949).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 16 Feb 2021 23:08:43 +0100
  • openssl (1.1.1d-0+deb10u4) buster-security; urgency=medium
    
      * CVE-2020-1971 (EDIPARTYNAME NULL pointer de-reference).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 07 Dec 2020 21:44:45 +0100
  • openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium
    
      * CVE-2020-1967 (Segmentation fault in SSL_check_chain).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 20 Apr 2020 22:23:01 +0200
  • openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium
    
      * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 12 Oct 2019 21:56:43 +0200
  • openssl (1.1.1c-1) unstable; urgency=medium
    
      * New upstream version
       - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
      * Update symbol list
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 30 May 2019 17:27:48 +0200
  • openssl (1.1.1b-2) unstable; urgency=medium
    
      * Fix BUF_MEM regression (Closes: #923516)
      * Fix error when config can't be opened (Closes: #926315)
      * Ship an openssl.cnf in libssl1.1-udeb.dirs
    
     -- Kurt Roeckx <email address hidden>  Tue, 16 Apr 2019 21:31:11 +0200
  • openssl (1.1.1b-1) unstable; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * Add Breaks on lighttpd (Closes: #913558).
    
      [ Kurt Roeckx ]
      * New upstream version
      * Update symbol list
    
     -- Kurt Roeckx <email address hidden>  Tue, 26 Feb 2019 19:52:12 +0100
  • openssl (1.1.1a-1) unstable; urgency=medium
    
      * Add Breaks on python-boto (See: #909545)
      * New upstream version
       - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
       - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation)
       - Update symbol file for 1.1.1a
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 22 Nov 2018 19:40:54 +0100
  • openssl (1.1.1-2) unstable; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * Add Breaks on isync (See: #906955)
      * Fix autopkgtest (Closes: #910459)
    
      [ Kurt Roeckx ]
      * Add Breaks on python-imaplib2 (See: #907079)
      * Add news entry regarding default TLS version and security level
        (Closes: #875423, #907631, #911389, #912067).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 28 Oct 2018 23:52:24 +0100
  • openssl (1.1.1-1) unstable; urgency=medium
    
      * New upstream version.
       - Update symbol file for 1.1.1
       - CVE-2018-0732 (actually since pre8).
      * Add Breaks on python-httplib2 (Addresses: #907015)
      * Add hardening=+all.
      * Update to policy 4.2.1
        - Less verbose testsuite with terse
        - Use RRR=no
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 12 Sep 2018 20:39:24 +0200
  • openssl (1.1.1~~pre9-1) unstable; urgency=medium
    
      * New upstream version.
        - Support the final TLS 1.3 version (RFC 8446)
      * Upload to unstable
    
     -- Kurt Roeckx <email address hidden>  Tue, 21 Aug 2018 21:00:17 +0200
  • openssl (1.1.0j-1~deb9u1) stretch-security; urgency=medium
    
      * Import 1.1.0j
        - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
        - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation)
        - add new symbols
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 28 Nov 2018 23:43:08 +0100
  • openssl (1.1.0h-4) unstable; urgency=medium
    
      * Build the binary in indep mode again, so we can install the documentation
        again.
      * Drop @echo in flavour so it builds again on Alpha
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 23 May 2018 14:42:14 +0200
  • openssl (1.1.0h-3) unstable; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix regression with session cache use by clients (See: #895035).
      * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and
        #895482).
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Let VCS-* point to salsa.d.o.
      * Don't build the binary package in binary-indep mode.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Fix CVE-2018-0737 (Closes: #895844).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 17 May 2018 23:35:43 +0200
  • openssl (1.1.0h-2) unstable; urgency=high
    
      * Revert "only quote stuff that actually needs quoting" so c_rehash has the
        quotes again (Closes: #894282).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 28 Mar 2018 14:08:48 +0200
  • openssl (1.1.0h-1) unstable; urgency=medium
    
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
      * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
      * Enable afalgeng on Linux targets (Closes: #888305)
      * Add riscv64 target (Closes: #891797).
      * New upstream release 1.1.0h
        - Drop applied patches:
           aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-binut.patch
        - Update symbols file.
        - Fix CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
        - Fix CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC)
        - Fix CVE-2018-0739 (Constructed ASN.1 types with a recursive definition
              could exceed the stack)
      * Correct lhash typo in header file (Closes: #892276).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 27 Mar 2018 21:47:32 +0200
  • openssl (1.1.0g-2) unstable; urgency=high
    
      * Avoid problems with aes assembler on armhf using binutils 2.29
    
     -- Kurt Roeckx <email address hidden>  Sat, 04 Nov 2017 12:48:13 +0100
  • openssl (1.1.0g-1) unstable; urgency=medium
    
      * New upstream version
        - Fixes CVE-2017-3735
        - Fixes CVE-2017-3736
      * Remove patches applied upstream
      * Temporarily enable TLS 1.0 and 1.1 again (#875423)
      * Attempt to fix testsuite race condition
      * update no-symbolic.patch to apply
    
     -- Kurt Roeckx <email address hidden>  Thu, 02 Nov 2017 15:22:48 +0100
  • openssl (1.1.0f-5) unstable; urgency=medium
    
      * Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
        version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
        calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().
    
     -- Kurt Roeckx <email address hidden>  Tue, 08 Aug 2017 16:13:54 +0200
  • openssl (1.1.0f-4) unstable; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * Add support for arm64ilp32, patch by Wookey (Closes: #867240)
    
      [ Kurt Roeckx ]
      * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
        version. This will likely break things, but the hope is that by
        the release of Buster everything will speak at least TLS 1.2. This will be
        reconsidered before the Buster release.
      * Fix a race condition in the test suite (Closes: #869856)
    
     -- Kurt Roeckx <email address hidden>  Mon, 07 Aug 2017 01:08:45 +0200
  • openssl (1.1.0f-3+deb9u2) stretch-security; urgency=high
    
      * CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
      * CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC)
      * CVE-2018-0739 (Constructed ASN.1 types with a recursive definition could
        exceed the stack)
      * Add patches to pass the testsuite:
        - Fix-a-Proxy-race-condition.patch
        - Fix-race-condition-in-TLSProxy.patch
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 29 Mar 2018 12:51:02 +0200
  • openssl (1.1.0f-3+deb9u1) stretch-security; urgency=medium
    
      * Fix CVE-2017-3735
      * Fix CVE-2017-3736
    
     -- Kurt Roeckx <email address hidden>  Thu, 02 Nov 2017 12:29:36 +0100
  • openssl (1.1.0f-3) unstable; urgency=medium
    
      * Don't clean up a thread-local key we didn't create (Closes: #863707)
    
     -- Kurt Roeckx <email address hidden>  Mon, 05 Jun 2017 11:40:42 +0200
  • openssl (1.1.0f-2) unstable; urgency=medium
    
      * Make the udeb use a versioned depends (Closes: #864080)
      * Conflict with libssl1.0-dev (Closes: #863367)
    
     -- Kurt Roeckx <email address hidden>  Sun, 04 Jun 2017 12:07:38 +0200
  • openssl (1.1.0f-1) unstable; urgency=medium
    
      * New upstream version
        - Fix regression in req -x509 (Closes: #839575)
        - Properly detect features on the AMD Ryzen processor (Closes: #861145)
        - Don't mention -tls1_3 in the manpage (Closes: #859191)
      * Update libssl1.1.symbols for new symbols
      * Update man-section.patch
    
     -- Kurt Roeckx <email address hidden>  Thu, 25 May 2017 18:29:01 +0200
  • openssl (1.1.0e-2) unstable; urgency=medium
    
      * Make openssl depend on perl-base (Closes: #860254)
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 01 May 2017 21:50:37 +0200
  • openssl (1.1.0e-1) unstable; urgency=high
    
      * New upstream version
        - Fixes CVE-2017-3733
        - Remove patches that are applied upstream.
    
     -- Kurt Roeckx <email address hidden>  Thu, 16 Feb 2017 18:57:58 +0100
  • openssl (1.1.0d-2) unstable; urgency=medium
    
      * Fix building of arch and all packages in a minimal environment
        (Closes: #852900).
      * Fix precomputing SHA1 by adding the following patches from upstream:
        - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
        - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
        - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
        (Closes: #852920).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 30 Jan 2017 23:20:07 +0100
  • openssl (1.1.0d-1) unstable; urgency=medium
    
      * New Upstream release
        - Fixes CVE-2017-3731
        - Fixes CVE-2017-3730
        - Fixes CVE-2017-3732
        - drop revert_ssl_read.patch and
          0001-Add-missing-zdelete-for-some-linux-arches.patch, applied upstream.
      * add new symbols.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 26 Jan 2017 16:38:34 +0100
  • openssl (1.1.0c-4) unstable; urgency=medium
    
      * Make build-indep build again.
      * Don't depend on perl:any in openssl as it breaks debootstrap
       (Closes: #852017).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 20 Jan 2017 22:18:15 +0100
  • openssl (1.1.0c-3) unstable; urgency=medium
    
      * Add myself as Uploader.
      * Add support for tilegx, patch by Helmut Grohne (Closes: #848957).
      * redo the rules file to some newer debhelper:
        - every file should remain, nothing should get lost
        - the scripts in the doc package gained an exec bit
        - openssl gained a dep on perl (the package contains perl scripts)
        - libssl1.0.2-dbg is gone, we have dbgsym now
        - dh compat 10
        - pkg.install instead of pkg.files is used for install
      * Mark libssl-doc as MA foreign
      * Update Standards-Version from 3.9.5 to 3.9.8. No changes required.
      * Document the change for openssl's enc command between 1.1.0 and pre 1.1.0
        in the NEWS file (Closes: #843064).
      * Add an override for lintian for the non-standard private directory
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 19 Jan 2017 23:00:01 +0100
  • openssl (1.1.0c-2) unstable; urgency=medium
    
      * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
        (Closes: #844234)
      * Add missing -zdelete on x32 (Closes: #844715)
      * Add a Breaks on salt-common. Addresses #844706
    
     -- Kurt Roeckx <email address hidden>  Mon, 21 Nov 2016 22:20:00 +0100
  • openssl (1.1.0c-1) unstable; urgency=medium
    
      * New upstream release
        - Fix CVE-2016-7053
        - Fix CVE-2016-7054
        - Fix CVE-2016-7055
      * remove no-rpath.patch, applied upstream.
      * Remove old d2i test cases, use the one from the upstream tarball.
      * Update libssl1.1.symbols for new symbols.
    
     -- Kurt Roeckx <email address hidden>  Thu, 10 Nov 2016 19:05:44 +0100
  • openssl (1.1.0b-2) unstable; urgency=low
    
      * Upload to unstable
    
     -- Kurt Roeckx <email address hidden>  Tue, 01 Nov 2016 22:02:32 +0100
  • openssl (1.0.2j-1) unstable; urgency=medium
    
      * New upstream release
        - Fixes CVE-2016-7052
    
     -- Kurt Roeckx <email address hidden>  Mon, 26 Sep 2016 18:17:39 +0200
  • openssl (1.0.2i-1) unstable; urgency=high
    
      * New upstream version
        - Fix CVE-2016-2177
        - Fix CVE-2016-2178
        - Fix CVE-2016-2179
        - Fix CVE-2016-2180
        - Fix CVE-2016-2181
        - Fix CVE-2016-2182
        - Fix CVE-2016-2183
        - Fix CVE-2016-6302
        - Fix CVE-2016-6303
        - Fix CVE-2016-6304
        - Fix CVE-2016-6306
      * Drop ca.patch, option is now documented upstream
      * Update engines-path.patch to also update the libcrypto.pc, now that that
        has an enginesdir in it.
    
     -- Kurt Roeckx <email address hidden>  Thu, 22 Sep 2016 19:39:36 +0200
  • openssl (1.0.2h-1) unstable; urgency=high
    
      * New upstream version
        - Fixes CVE-2016-2107
        - Fixes CVE-2016-2105
        - Fixes CVE-2016-2106
        - Fixes CVE-2016-2109
        - Fixes CVE-2016-2176
    
     -- Kurt Roeckx <email address hidden>  Tue, 03 May 2016 18:31:22 +0200
  • openssl (1.0.2g-2) unstable; urgency=medium
    
      * Use assembler of arm64 (Closes: #794326)
        Patch from Riku Voipio <email address hidden>
      * Add a udeb for libssl, based on similar changes done in Ubuntu
        starting in version 0.9.8o-4ubuntu1 (Closes: #802591)
        Patch from Margarita Manterola <email address hidden>
      * Add support for nios2 (Closes: #816239)
        Based on patch from Marek Vasut <email address hidden>
      * Update Spanish translation from Manuel "Venturi" Porras Peralta
        <email address hidden> (Closes: #773601)
      * Don't build an i586 optimized version anymore, the default
        already targets that.  Patch from Sven Joachim <email address hidden>
        (Closes: #759811)
    
     -- Kurt Roeckx <email address hidden>  Thu, 21 Apr 2016 23:43:06 +0200
  • openssl (1.0.2g-1) unstable; urgency=high
    
      * New upstream version
      * Fix CVE-2016-0797
      * Fix CVE-2016-0798
      * Fix CVE-2016-0799
      * Fix CVE-2016-0702
      * Fix CVE-2016-0705
      * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)
        makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them
        too.
    
     -- Kurt Roeckx <email address hidden>  Tue, 01 Mar 2016 18:31:09 +0100
  • openssl (1.0.2f-2) unstable; urgency=high
    
      * New upstream version.
        - Fixes CVE-2016-0701
        - Not affected by CVE-2015-3197 because SSLv2 is disabled.
    
     -- Kurt Roeckx <email address hidden>  Thu, 28 Jan 2016 19:32:02 +0100
  • openssl (1.0.2e-1) unstable; urgency=high
    
      * New upstream release
        - Fix CVE-2015-3193
        - Fix CVE-2015-3194
        - Fix CVE-2015-3195
        - Fix CVE-2015-3196
      * Remove all symlinks during clean
      * Run make depend after configure
      * Remove openssl_button.* from the doc package
    
     -- Kurt Roeckx <email address hidden>  Thu, 03 Dec 2015 19:33:05 +0100
  • openssl (1.0.2d-3) unstable; urgency=medium
    
      * Upload to unstable
    
     -- Kurt Roeckx <email address hidden>  Sun, 01 Nov 2015 19:14:34 +0100
  • openssl (1.0.2d-1) unstable; urgency=high
    
      * New upstream version
        - Fixes CVE-2015-1793
    
     -- Kurt Roeckx <email address hidden>  Thu, 09 Jul 2015 18:22:26 +0200
  • openssl (1.0.2c-1) unstable; urgency=medium
    
      * New upstream version
        - Fixes ABI (Closes: #788511)
    
     -- Kurt Roeckx <email address hidden>  Fri, 12 Jun 2015 20:35:12 +0200
  • openssl (1.0.2b-1) unstable; urgency=high
    
      * New upstream version
        - Fix CVE-2015-4000
        - Fix CVE-2015-1788
        - Fix CVE-2015-1789
        - Fix CVE-2015-1790
        - Fix CVE-2015-1792
        - Fix CVE-2015-1791
      * Update c_rehash-compat.patch to make it apply to the new version.
      * Remove openssl-pod-misspell.patch applied upstream
    
     -- Kurt Roeckx <email address hidden>  Thu, 11 Jun 2015 18:20:38 +0200
  • openssl (1.0.2a-1) unstable; urgency=medium
    
      * New upstream version
        - Fix CVE-2015-0286
        - Fix CVE-2015-0287
        - Fix CVE-2015-0289
        - Fix CVE-2015-0293 (not affected, SSLv2 disabled)
        - Fix CVE-2015-0209
        - Fix CVE-2015-0288
        - Fix CVE-2015-0291
        - Fix CVE-2015-0290
        - Fix CVE-2015-0207
        - Fix CVE-2015-0208
        - Fix CVE-2015-1787
        - Fix CVE-2015-0285
      * Temporarily enable SSLv3 methods again, but they will go away.
      * Don't set TERMIO anymore, use the default TERMIOS instead.
    
     -- Kurt Roeckx <email address hidden>  Thu, 30 Apr 2015 23:37:27 +0200
  • openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
    
      [ Kurt Roeckx ]
      * Fix length check for CRLs. (Closes: #826552)
    
      [ Sebastian Andrzej Siewior ]
      * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov.
        (Closes: #833156).
    
     -- Kurt Roeckx <email address hidden>  Sat, 11 Jun 2016 19:18:11 +0200
  • openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
    
      * add Update-S-MIME-certificates.patch to update expired certificates to
        pass the test suite
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 11 May 2016 23:22:52 +0200
  • openssl (1.0.1k-3+deb8u4) jessie-security; urgency=medium
    
      * Fix CVE-2016-0797
      * Fix CVE-2016-0798
      * Fix CVE-2016-0799
      * Fix CVE-2016-0702
      * Fix CVE-2016-0705
      * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)
        makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them
        too.
    
     -- Kurt Roeckx <email address hidden>  Sun, 28 Feb 2016 15:29:46 +0100
  • openssl (1.0.1k-3+deb8u2) jessie-security; urgency=medium
    
      * Fix CVE-2015-3194
      * Fix CVE-2015-3195
      * Fix CVE-2015-3196
    
     -- Kurt Roeckx <email address hidden>  Thu, 03 Dec 2015 18:39:46 +0100
  • openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium
    
      * Fix CVE-2015-1791
      * Fix CVE-2015-1792
      * Fix CVE-2015-1789
      * Fix CVE-2015-1790
      * Fix CVE-2015-1788
      * CVE-2015-4000: Have minimum of 768 bit for DH
    
     -- Kurt Roeckx <email address hidden>  Thu, 11 Jun 2015 20:55:20 +0200
  • openssl (1.0.1k-3) unstable; urgency=medium
    
    
      * Drop patch 0003-Free-up-passed-ASN.1-structure-if-reused.patch, it at
        least breaks voms, possibly others. (Closes: #781081)
    
     -- Kurt Roeckx <email address hidden>  Tue, 24 Mar 2015 21:34:00 +0100
  • openssl (1.0.1k-2) unstable; urgency=high
    
    
      * Fix CVE-2015-0286
      * Fix CVE-2015-0287
      * Fix CVE-2015-0289
      * Fix CVE-2015-0293 (not affected, SSLv2 disabled)
      * Fix CVE-2015-0209
      * Fix CVE-2015-0288
      * Remove export ciphers from DEFAULT.
      * Make DTLS always act as if read_ahead is set.  This fixes a regression
        introduced by the fix for CVE-2014-3571.  (Closes: #775502)
    
     -- Kurt Roeckx <email address hidden>  Fri, 20 Mar 2015 18:24:15 +0100
  • openssl (1.0.1k-1) unstable; urgency=medium
    
    
      * New upstream version
        - Fixes CVE-2014-3571
        - Fixes CVE-2015-0206
        - Fixes CVE-2014-3569
        - Fixes CVE-2014-3572
        - Fixes CVE-2015-0204
        - Fixes CVE-2015-0205
        - Fixes CVE-2014-8275
        - Fixes CVE-2014-3570
      * Drop gnu_source.patch, dgst_hmac.patch: applied upstream
    
     -- Kurt Roeckx <email address hidden>  Thu, 08 Jan 2015 20:55:26 +0100
  • openssl (1.0.1j-1) unstable; urgency=high
    
    
      * New upstream release
        - Fixes CVE-2014-3513
        - Fixes CVE-2014-3567
        - Add Fallback SCSV support to mitigate CVE-2014-3566
        - Fixes CVE-2014-3568
      * Disables SSLv3 because of CVE-2014-3566
      * Update dgst_hmac.patch to apply to new upstream version
      * Drop rehash_pod.patch, applied upstream
      * Fix openssl_fix_for_x32.patch to apply to new upstream version
    
     -- Kurt Roeckx <email address hidden>  Wed, 15 Oct 2014 19:06:38 +0200
  • openssl (1.0.1i-2) unstable; urgency=medium
    
    
      * Fix assembler for ppc64le (Closes: #745657)
    
     -- Kurt Roeckx <email address hidden>  Mon, 11 Aug 2014 21:37:47 +0200
  • openssl (1.0.1i-1) unstable; urgency=high
    
    
      * New upstream release
        - Fix for CVE-2014-3512
        - Fix for CVE-2014-3511
        - Fix for CVE-2014-3510
        - Fix for CVE-2014-3507
        - Fix for CVE-2014-3506
        - Fix for CVE-2014-3505
        - Fix for CVE-2014-3509
        - Fix for CVE-2014-5139
        - Fix for CVE-2014-3508
        - Drop upstream git snapshot patch.
      * Add support for ppc64le (Closes: #745657)
      * Add support for OpenRISC (Closes: #736772)
    
     -- Kurt Roeckx <email address hidden>  Thu, 07 Aug 2014 00:02:41 +0200
  • openssl (1.0.1h-3) unstable; urgency=medium
    
    
      * New upstream git snapshot
        - Allows CCS after finished message, needed for some renegotiation cases.
          (Closes: #751093)
    
     -- Kurt Roeckx <email address hidden>  Sat, 14 Jun 2014 22:23:21 +0200
  • openssl (1.0.1h-2) unstable; urgency=medium
    
    
      * Use upstream git snapshot:
        - Fix resumption problem when using tls_session_secret_cb
        - Create ~/.rnd with mode 0600 (Closes: #750103)
        - Fix building on heartbeat test, drop patch to disable it.
    
     -- Kurt Roeckx <email address hidden>  Mon, 09 Jun 2014 11:21:51 +0200
  • openssl (1.0.1h-1) unstable; urgency=high
    
    
      * New upstream release
        - Fix CVE-2014-0224
        - Fix CVE-2014-0221
        - Fix CVE-2014-0195
        - Fix CVE-2014-3470
        - Drop patch git_snapshot.patch
      * Disable the heartbeat test since it fails to build.
    
     -- Kurt Roeckx <email address hidden>  Thu, 05 Jun 2014 18:42:05 +0200
  • openssl (1.0.1g-4) unstable; urgency=medium
    
    
      * Update to git snapshot
        - Fixes CVE-2014-0198 (Closes: #747432)
        - Drop the following patches that got applied upstream:
          fix-pod-errors.patch, CVE-2010-5298.patch,
          CVE-2014-XXXX-Extension-checking-fixes.patch
      * Actually restart the services when restart-without-asking is set.
        (Closes: #745801)
    
     -- Kurt Roeckx <email address hidden>  Mon, 12 May 2014 22:22:16 +0200
  • openssl (1.0.1g-3) unstable; urgency=medium
    
    
      * Fix CVE-2010-5298: use-after-free race condition.
      * Propose restarting prosody on upgrade (Closes: #744871).
      * Add more services to be checked for restart.
      * Fix a bug where the critical flag for TSA extended key usage is not
        always detected, and two other similar cases.
      * Add support for 'libraries/restart-without-asking', which allows
        services to be restarted automatically without prompting, or
        requiring a response instead.
    
     -- Kurt Roeckx <email address hidden>  Sat, 19 Apr 2014 18:38:32 +0200
  • openssl (1.0.1g-2) unstable; urgency=emergency
    
    
      * Enable checking for services that may need to be restarted (Closes: #743889)
      * Update list of services to possibly restart
    
     -- Kurt Roeckx <email address hidden>  Tue, 08 Apr 2014 19:13:08 +0200
  • openssl (1.0.1g-1) unstable; urgency=high
    
    
      * New upstream release
        - Fixes CVE-2014-0160
        - Fixes CVE-2014-0076
        - Drop patches applied upstream
    
     -- Kurt Roeckx <email address hidden>  Mon, 07 Apr 2014 23:17:42 +0200
  • openssl (1.0.1f-1) unstable; urgency=high
    
    
      * New upstream version
        - Fix for TLS record tampering bug CVE-2013-4353
        - Drop the snapshot patch
      * update watch file to check for upstream signature and add upstream pgp key.
      * Drop conflicts against openssh since we are now on a released version again.
    
     -- Kurt Roeckx <email address hidden>  Mon, 06 Jan 2014 18:50:54 +0100
  • openssl (1.0.1e-6) unstable; urgency=medium
    
    
      * Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<<
        1:6.4p1-1.1).  This is to prevent people running into #732940.
        This Breaks can be removed again when we stop using a git snapshot.
    
     -- Kurt Roeckx <email address hidden>  Mon, 23 Dec 2013 15:19:17 +0100
  • openssl (1.0.1e-5) unstable; urgency=low
    
    
      * Change default digest to SHA256 instead of SHA1.  (Closes: #694738)
      * Drop support for multiple certificates in 1 file.  It never worked
        properly in the first place, and the only one shipping in
        ca-certificates has been split.
      * Fix libdoc-manpgs-pod-spell.patch to only fix spelling errors
      * Remove make-targets.patch.  It prevented the test dir from being cleaned.
      * Update to a git snapshot of the OpenSSL_1_0_1-stable branch. 
        - Fixes CVE-2013-6449 (Closes: #732754)
        - Fixes CVE-2013-6450
        - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
          dtls_version.patch get_certificate.patch, since they were all
          already committed upstream.
        - adjust fix-pod-errors.patch for the reordering of items in the
          documentation they've done trying to fix those pod errors.
        - disable rdrand engine by default (Closes: #732710)
      * disable zlib support.  Fixes CVE-2012-4929 (Closes: #728055)
      * Add arm64 support (Closes: #732348)
      * Properly use the default number of bits in req when none are given
    
     -- Kurt Roeckx <email address hidden>  Sun, 22 Dec 2013 19:25:35 +0100
  • openssl (1.0.1e-4) unstable; urgency=low
    
    
      [ Peter Michael Green ]
      * Fix pod errors (Closes: #723954)
      * Fix clean target
    
      [ Kurt Roeckx ]
      * Add mipsn32 and mips64 targets.  Patch from Eleanor Chen
        <email address hidden>  (Closes: #720654)
      * Add support for nocheck in DEB_BUILD_OPTIONS
      * Update Norwegian translation (Closes: #653574)
      * Update description of the packages.  Patch by Justin B Rye
        (Closes: #719262)
      * change to debhelper compat level 9:
        - change dh_strip call so only the files from libssl1.0.0 get debug
          symbols.
        - change dh_makeshlibs call so the engines don't get added to the
          shlibs
      * Update Standards-Version from 3.8.0 to 3.9.5.  No changes required.
    
     -- Kurt Roeckx <email address hidden>  Fri, 01 Nov 2013 17:11:53 +0100
  • openssl (1.0.1e-3) unstable; urgency=low
    
    
      * Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
        mark libssl-dev Multi-Arch: same.
        Patch by Colin Watson <email address hidden> (Closes: #689093)
      * Add Polish translation (Closes: #658162)
      * Add Turkish translation (Closes: #660971)
      * Enable assembler for the arm targets, and remove armeb.
        Patch by Riku Voipio <email address hidden> (Closes: #676533)
      * Add support for x32 (Closes: #698406)
      * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
    
     -- Kurt Roeckx <email address hidden>  Mon, 20 May 2013 16:56:06 +0200
  • openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
    
    
      * Fixes CVE-2014-3513
      * Fixes CVE-2014-3567
      * Add Fallback SCSV support to mitigate CVE-2014-3566
      * Fixes CVE-2014-3568
    
     -- Kurt Roeckx <email address hidden>  Wed, 15 Oct 2014 19:45:25 +0200
  • openssl (1.0.1e-2+deb7u12) wheezy-security; urgency=medium
    
    
      * Fix for CVE-2014-3512
      * Fix for CVE-2014-3511
      * Fix for CVE-2014-3510
      * Fix for CVE-2014-3507
      * Fix for CVE-2014-3506
      * Fix for CVE-2014-3505
      * Fix for CVE-2014-3509
      * Fix for CVE-2014-5139
      * Fix for CVE-2014-3508
    
     -- Kurt Roeckx <email address hidden>  Wed, 06 Aug 2014 20:01:34 +0200
  • openssl (1.0.1e-2+deb7u11) wheezy-security; urgency=medium
    
    
      * Update fix for CVE-2014-0224 to work with more renegotiation and
        resumption cases. (Closes: #751093)
      * Fix CVE-2012-4929 (CRiME) by disabling zlib compression by default.
        It can be enabled again by setting the environment variable
        OPENSSL_NO_DEFAULT_ZLIB.  (Closes: #728055)
      * Update ECDHE-ECDSA_Safari.patch to define SSL_OP_MSIE_SSLV2_RSA_PADDING
        again but to 0 so things keep building.  (Closes: #751457)
    
     -- Kurt Roeckx <email address hidden>  Sun, 15 Jun 2014 12:31:21 +0200
  • openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high
    
    
      * Non-maintainer upload by the Security Team.
      * Fix CVE-2010-5298: use-after-free race condition.
      * Add a versioned dependency from openssl to libssl1.0.0 to a version
        that has the fix for CVE-2014-0160 (Closes: #744194).
      * Propose restarting prosody on upgrade (Closes: #744871).
      * Correctly detect apache2 installations and propose it to be
        restarted (Closes: #744141).
      * Add more services to be checked for restart.
      * Fix a bug where the critical flag for TSA extended key usage is not
        always detected, and two other similar cases.
      * Add support for 'libraries/restart-without-asking', which allows
        services to be restarted automatically without prompting, or
        requiring a response instead.
      * Fix CVE-2014-0076: "Yarom/Benger FLUSH+RELOAD Cache Side-channel Attack"
        (Closes: #742923).
    
     -- Raphael Geissert <email address hidden>  Thu, 17 Apr 2014 22:11:33 +0200
  • openssl (1.0.1e-2+deb7u4) stable; urgency=medium
    
    
      * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
      * Enable assembler for the arm targets, and remove armeb.
        Patch by Riku Voipio <email address hidden> (Closes: #676533)
    
     -- Kurt Roeckx <email address hidden>  Sat, 01 Feb 2014 21:25:20 +0100
  • openssl (1.0.1e-2) unstable; urgency=high
    
    
      * Bump shlibs.  It's needed for the udeb.
      * Make cpuid work on CPUs that don't set ecx (Closes: #699692)
      * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
      * Fix problem with DTLS version check (Closes: #701826)
      * Fix segfault in SSL_get_certificate (Closes: #703031)
    
     -- Kurt Roeckx <email address hidden>  Mon, 18 Mar 2013 20:37:11 +0100
  • openssl (1.0.1e-1) unstable; urgency=high
    
    
      * New upstream version (Closes: #699889)
        - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
        - Drop renegiotate_tls.patch, applied upstream
        - Export new CRYPTO_memcmp symbol, update symbol file
      * Add ssltest_no_sslv2.patch so that "make test" works.
    
     -- Kurt Roeckx <email address hidden>  Mon, 11 Feb 2013 19:39:44 +0100
  • openssl (1.0.1c-4) unstable; urgency=low
    
    
      * Fix the configure rules for alpha (Closes: #672710)
      * Switch the postinst to sh again, there never was a reason to
        switch it to bash (Closes: #676398)
      * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
        preprocessed.  We generate the file again for pic anyway.
        (Closes: #677468)
      * Drop Breaks against openssh as it was only for upgrades
        between versions that were only in testing/unstable.
        (Closes: #668600)
    
     -- Kurt Roeckx <email address hidden>  Tue, 17 Jul 2012 11:49:19 +0200
  • openssl (1.0.1c-3) unstable; urgency=low
    
    
      * Disable padlock engine again, causes problems for hosts not supporting it.
    
     -- Kurt Roeckx <email address hidden>  Wed, 06 Jun 2012 18:29:37 +0200
  • openssl (1.0.1c-2) unstable; urgency=high
    
    
      * Fix renegotiation when using TLS > 1.0.  This breaks tor.  Patch from
        upstream.  (Closes: #675990)
      * Enable the padlock engine by default.
      * Change default bits from 1024 to 2048 (Closes: #487152)
    
     -- Kurt Roeckx <email address hidden>  Wed, 06 Jun 2012 00:55:42 +0200
  • openssl (1.0.1c-1) unstable; urgency=high
    
    
      * New upstream version
        - Fixes CVE-2012-2333 (Closes: #672452)
    
     -- Kurt Roeckx <email address hidden>  Fri, 11 May 2012 18:44:51 +0200
  • openssl (1.0.1b-1) unstable; urgency=high
    
    
      * New upstream version
        - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
          can talk to servers supporting TLS 1.1 but not TLS 1.2
        - Drop rc4_hmac_md5.patch, applied upstream
    
     -- Kurt Roeckx <email address hidden>  Thu, 26 Apr 2012 23:34:34 +0200
  • openssl (1.0.1a-3) unstable; urgency=low
    
    
      * Use patch from upstream for the rc4_hmac_md5 issue.
    
     -- Kurt Roeckx <email address hidden>  Thu, 19 Apr 2012 23:16:30 +0200
  • openssl (1.0.1a-1) unstable; urgency=high
    
    
      * New upstream version
        - Fixes CVE-2012-2110
        - Fix crash in rc4_hmac_md5 (Closes: #666405)
        - Fixes some issues with talking to other servers when TLS 1.1 and 1.2 are
          supported
        - Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch,
          applied upstream.
    
     -- Kurt Roeckx <email address hidden>  Thu, 19 Apr 2012 19:54:12 +0200
  • openssl (1.0.1-4) unstable; urgency=low
    
    
      * Use official patch for the vpaes problem, also covering amd64.
    
     -- Kurt Roeckx <email address hidden>  Sat, 31 Mar 2012 20:54:13 +0200
  • openssl (1.0.1-3) unstable; urgency=high
    
    
      * Fix crash in vpaes (Closes: #665836)
      * use client version when deciding whether to send supported signature
        algorithms extension
    
     -- Kurt Roeckx <email address hidden>  Sat, 31 Mar 2012 18:35:59 +0200
  • openssl (1.0.1-2) unstable; urgency=low
    
    
      * Properly quote the new cflags in Configure
    
     -- Kurt Roeckx <email address hidden>  Mon, 19 Mar 2012 19:56:05 +0100
  • openssl (1.0.1-1) unstable; urgency=low
    
    
      * New upstream version
        - Remove kfreebsd-pipe.patch, fixed upstream
        - Update pic.patch, openssl-pod-misspell.patch and make-targets.patch
        - Add OPENSSL_1.0.1 to version-script.patch and libssl1.0.0.symbols for
          the new functions.
        - AES-NI support (Closes: #644743)
      * pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
        hidden on amd64, no need to access it PIC anymore.
      * pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
      * Enable hardening using dpkg-buildflags (Closes: #653495)
      * s_client and s_server were forcing SSLv3 only connection when SSLv2 was
        disabled instead of the SSLv2 with upgrade method.  (Closes: #664454)
      * Add Breaks on openssh < 1:5.9p1-4, it has a too strict version check.
    
     -- Kurt Roeckx <email address hidden>  Mon, 19 Mar 2012 18:23:32 +0100
  • openssl (1.0.0h-1) unstable; urgency=high
    
    
      * New upstream version
        - Fixes CVE-2012-0884
        - Properly fix CVE-2011-4619
        - pkg-config.patch applied upstream, remove it.
      * Enable assembler for all i386 arches.  The assembler does proper
        detection of CPU support, including cpuid support.
        This should fix a problem with AES 192 and 256 with the padlock
        engine because of the difference in NO_ASM between
        the i686 optimized library and the engine.
    
     -- Kurt Roeckx <email address hidden>  Tue, 13 Mar 2012 21:08:17 +0100
  • openssl (1.0.0g-1) unstable; urgency=high
    
    
      * New upstream version
        - Fixes CVE-2012-0050
    
     -- Kurt Roeckx <email address hidden>  Wed, 18 Jan 2012 20:46:13 +0100
  • openssl (1.0.0f-1) unstable; urgency=high
    
    
      * New upstream version
        - Fixes CVE-2011-4108, CVE-2011-4576, CVE-2011-4619, CVE-2012-0027,
          CVE-2011-4577
    
     -- Kurt Roeckx <email address hidden>  Thu, 12 Jan 2012 19:02:43 +0100
  • openssl (1.0.0e-3) unstable; urgency=low
    
    
      * Don't build v8 and v9 variants of sparc anymore, they're older than
        the default.  (Closes: #649841)
      * Don't build i486 optimized version, that's the default anyway, and
        it uses assembler that doesn't always work on i486.
    
     -- Kurt Roeckx <email address hidden>  Mon, 28 Nov 2011 22:17:26 +0100
  • openssl (1.0.0e-2.1) unstable; urgency=high
    
    
      * Non-maintainer upload by the Security Team.
      * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
        as revoked.
    
     -- Raphael Geissert <email address hidden>  Sun, 06 Nov 2011 01:39:30 -0600
  • openssl (1.0.0e-2) unstable; urgency=low
    
    
      * Add a missing $(DEB_HOST_MULTIARCH)
    
     -- Kurt Roeckx <email address hidden>  Sat, 10 Sep 2011 17:02:29 +0200
  • openssl (1.0.0e-1) unstable; urgency=low
    
    
      * New upstream version
        - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
          by initialising X509_STORE_CTX properly. (CVE-2011-3207)
        - Fix SSL memory handling for (EC)DH ciphersuites, in particular
          for multi-threaded use of ECDH. (CVE-2011-3210)
        - Add protection against ECDSA timing attacks (CVE-2011-1945)
      * Block DigiNotar certificates.  Patch from
        Raphael Geissert <email address hidden>
      * Generate hashes for all certs in a file (Closes: #628780, #594524)
        Patch from Klaus Ethgen <email address hidden>
      * Add multiarch support (Closes: #638137)
        Patch from Steve Langasek / Ubuntu
      * Symbols from the gost engine were removed because it didn't have
        a linker file.  Thanks to Roman I Khimov <email address hidden>
        (Closes: #631503)
      * Add support for s390x.  Patch from Aurelien Jarno <email address hidden>
        (Closes: #641100)
      * Add build-arch and build-indep targets to the rules file.
    
     -- Kurt Roeckx <email address hidden>  Sat, 10 Sep 2011 12:03:13 +0200
  • openssl (1.0.0d-3) unstable; urgency=low
    
      * Make it build on sparc64.  Patch from Aurelien Jarno.  (Closes: #626060)
      * Apply patches from Scott Schaefer <email address hidden> to
        fix various pod and spelling errors. (Closes: #622820, #605561)
      * Add missing symbols for the engines (Closes: #623038)
      * More spelling fixes from Scott Schaefer (Closes: #395424)
      * Patch from Scott Schaefer to better document pkcs12 password options
        (Closes: #462489)
      * Document dgst -hmac option.  Patch by Thorsten Glaser <email address hidden>
        (Closes: #529586)
    
     -- Kurt Roeckx <email address hidden>  Mon, 13 Jun 2011 12:39:54 +0200
  • openssl (1.0.0d-2) unstable; urgency=high
    
      * Make c_rehash also generate the old subject hash.  Gnutls applications
        seem to require it.  (Closes: #611102)
    
     -- Kurt Roeckx <email address hidden>  Wed, 13 Apr 2011 22:36:49 +0200
  • openssl (1.0.0d-1) unstable; urgency=low
    
      * New upstream version
        - Fixes CVE-2011-0014
      * Make libssl-doc Replaces/Breaks with old libssl-dev packages
        (Closes: #607609)
      * Only export the symbols we should, instead of all.
      * Add symbol file.
      * Upload to unstable
    
     -- Kurt Roeckx <email address hidden>  Sat, 02 Apr 2011 13:19:19 +0000
  • openssl (0.9.8o-5) unstable; urgency=low
    
      * Fix OCSP stapling parse error (CVE-2011-0014)
    
     -- Kurt Roeckx <email address hidden>  Thu, 10 Feb 2011 20:43:43 +0100
  • openssl (0.9.8o-4) unstable; urgency=low
    
      * Fix CVE-2010-4180 (Closes: #529221)
    
     -- Kurt Roeckx <email address hidden>  Mon, 06 Dec 2010 20:33:21 +0100
  • openssl (0.9.8o-3) unstable; urgency=high
    
    
      * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
      * Re-add the engines.  They were missing since 0.9.8m-1.
        Patch by Joerg Schneider. (Closes: #603693)
      * Not all architectures were built using -g (Closes: #570702)
      * Add powerpcspe support (Closes: #579805)
      * Add armhf support (Closes: #596881)
      * Update translations:
        - Brazilian Portuguese (Closes: #592154)
        - Danish (Closes: #599459)
        - Vietnamese (Closes: #601536)
        - Arabic (Closes: #596166)
      * Generate the proper stamp file so that everything doesn't get built twice.
    
     -- Kurt Roeckx <email address hidden>  Tue, 16 Nov 2010 19:20:55 +0100
  • openssl (0.9.8o-2) unstable; urgency=high
    
    
      * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
    
     -- Kurt Roeckx <email address hidden>  Thu, 26 Aug 2010 18:25:29 +0200
  • openssl (0.9.8o-1) unstable; urgency=low
    
    
      * New upstream version
        - Add SHA2 algorithms to SSL_library_init().
        - aes-x86_64.pl is now PIC, update pic.patch.
      * Add sparc64 support (Closes: #560240)
    
     -- Kurt Roeckx <email address hidden>  Sun, 18 Apr 2010 01:42:44 +0200
  • openssl (0.9.8n-1) unstable; urgency=high
    
    
      * New upstream version.
        - Fixes CVE-2010-0740.
        - Drop cfb.patch, applied upstream.
    
     -- Kurt Roeckx <email address hidden>  Thu, 25 Mar 2010 20:30:52 +0100
  • openssl (0.9.8m-2) unstable; urgency=low
    
    
      * Revert CFB block length change preventing reading older files.
        (Closes: #571810, #571940)
    
     -- Kurt Roeckx <email address hidden>  Sun, 28 Feb 2010 22:08:49 +0100
  • openssl (0.9.8m-1) unstable; urgency=low
    
    
      * New upstream version
        - Implements RFC5746, reenables renegotiation but requires the extension.
        - Fixes CVE-2009-3245
        - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
          CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
          CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
          no_check_self_signed.patch: applied upstream
        - pk7_mime_free.patch removed, code rewritten
        - ca.diff partially applied upstream
        - engines-path.patch adjusted, upstream made some minor changes to the
          build system.
        - some flags changed values, bump shlibs.
      * Switch to 3.0 (quilt) source package.
      * Make sure the package is properly cleaned.
      * Add ${misc:Depends} to the Depends on all packages.
      * Fix spelling of extension in the changelog file.
    
     -- Kurt Roeckx <email address hidden>  Sat, 27 Feb 2010 12:24:03 +0000
  • openssl (0.9.8k-8) unstable; urgency=high
    
    
      * Clean up zlib state so that it will be reinitialized on next use and
        not cause a memory leak.  (CVE-2009-4355)
    
     -- Kurt Roeckx <email address hidden>  Wed, 13 Jan 2010 21:26:49 +0100
  • openssl (0.9.8k-7) unstable; urgency=low
    
    
      * Bump the shlibs to require 0.9.8k-1.  The following symbols
        were added between g and k: AES_wrap_key, AES_unwrap_key,
        ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn,
        SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex,
        BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init,
        int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions,
        CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info,
        CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init,
        ENGINE_set_load_ssl_client_cert_function,
        ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert,
        EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags,
        EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new,
        OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex,
        RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0,
        X509at_get0_data_by_OBJ, X509_get1_ocsp
    
     -- Kurt Roeckx <email address hidden>  Sat, 28 Nov 2009 14:34:26 +0100
  • openssl (0.9.8k-6) unstable; urgency=low
    
    
      * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
    
     -- Kurt Roeckx <email address hidden>  Thu, 12 Nov 2009 18:10:31 +0000
  • openssl (0.9.8k-5) unstable; urgency=low
    
    
      * Don't check self signed certificate signatures in X509_verify_cert()
        (Closes: #541735)
    
     -- Kurt Roeckx <email address hidden>  Fri, 11 Sep 2009 15:42:32 +0200
  • openssl (0.9.8k-4) unstable; urgency=low
    
    
      * Split all the patches into separate files
      * Stop undefining HZ, the issue on alpha should be fixed.
      * Remove MD2 from digest algorithm table.  (CVE-2009-2409) (Closes: #539899)
    
     -- Kurt Roeckx <email address hidden>  Tue, 11 Aug 2009 21:19:18 +0200
  • openssl (0.9.8k-3) unstable; urgency=low
    
    
      * Make rc4-x86_64 PIC.  Based on patch from Petr Salinger (Closes: #532336)
      * Add workaround for kfreebsd that can't see the difference between
        two pipes.  Patch from Petr Salinger.
    
     -- Kurt Roeckx <email address hidden>  Sat, 13 Jun 2009 18:15:46 +0200
  • openssl (0.9.8g-16) unstable; urgency=high
    
    
      * Properly validate the length of an encoded BMPString and UniversalString
        (CVE-2009-0590)  (Closes: #522002)
    
     -- Kurt Roeckx <email address hidden>  Wed, 01 Apr 2009 22:04:53 +0200
  • openssl (0.9.8g-15) unstable; urgency=low
    
    
      * Internal calls to didn't properly check for errors which
        resulted in malformed DSA and ECDSA signatures being treated as
        a good signature rather than as an error.  (CVE-2008-5077)
      * ipv6_from_asc() could write 1 byte longer than the buffer in case
        the ipv6 address didn't have "::" part.  (Closes: #506111)
    
     -- Kurt Roeckx <email address hidden>  Mon, 05 Jan 2009 21:14:31 +0100
  • openssl (0.9.8g-14) unstable; urgency=low
    
    
      * Don't give the warning about security updates when upgrading
        from etch since it doesn't have any known security problems.
      * Automatically use engines that successfully initialised.  Patch
        from the 0.9.8h upstream version.  (Closes: #502177)
    
     -- Kurt Roeckx <email address hidden>  Fri, 31 Oct 2008 22:45:14 +0100
  • openssl (0.9.8g-13) unstable; urgency=low
    
    
      * Fix a problem with tlsext preventing firefox 3 from connecting.
        Patch from upstream CVS and part of 0.9.8h.
        (Closes: #492758)
    
     -- Kurt Roeckx <email address hidden>  Sun, 03 Aug 2008 19:47:10 +0200