-
openssl (1.0.0e-2ubuntu4.7) oneiric-security; urgency=low
* SECURITY UPDATE: denial of service via invalid OCSP key
- debian/patches/CVE-2013-0166.patch: properly handle NULL key in
crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
- CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: massive code changes
- CVE-2013-0169
-- Marc Deslauriers <email address hidden> Mon, 18 Feb 2013 14:55:40 -0500
-
openssl (1.0.0e-2ubuntu4.6) oneiric-security; urgency=low
* SECURITY UPDATE: denial of service attack in DTLS implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* SECURITY UPDATE: million message attack (MMA) in CMS and PKCS #7
- debian/patches/CVE-2012-0884.patch: use a random key if RSA
decryption fails to avoid leaking timing information
- CVE-2012-0884
* debian/patches/CVE-2012-0884-extra.patch: detect symmetric crypto
errors in PKCS7_decrypt and initialize tkeylen properly when
encrypting CMS messages.
-- Steve Beattie <email address hidden> Tue, 22 May 2012 15:24:09 -0700
-
openssl (1.0.0e-2ubuntu4.5) oneiric-security; urgency=low
* debian/patches/CVE-2012-2110b.patch: Use correct error code in
BUF_MEM_grow_clean()
-- Jamie Strandboge <email address hidden> Tue, 24 Apr 2012 08:36:27 -0500
-
openssl (1.0.0e-2ubuntu4.4) oneiric-security; urgency=low
* SECURITY UPDATE: NULL pointer dereference in S/MIME messages with broken
headers
- debian/patches/CVE-2006-7250+2012-1165.patch: adjust mime_hdr_cmp()
and mime_param_cmp() to not dereference the compared strings if either
is NULL
- CVE-2006-7250
- CVE-2012-1165
* SECURITY UPDATE: fix various overflows
- debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110
-- Jamie Strandboge <email address hidden> Thu, 19 Apr 2012 09:39:43 -0500
-
openssl (1.0.0e-2ubuntu4.2) oneiric-security; urgency=low
* SECURITY UPDATE: DTLS plaintext recovery attack
- debian/patches/CVE-2011-4108.patch: perform all computations
before discarding messages
- CVE-2011-4108
* SECURITY UPDATE: SSL 3.0 block padding exposure
- debian/patches/CVE-2011-4576.patch: clear bytes used for block
padding of SSL 3.0 records.
- CVE-2011-4576
* SECURITY UPDATE: malformed RFC 3779 data denial of service attack
- debian/patches/CVE-2011-4577.patch: prevent malformed RFC3779
data from triggering an assertion failure
- CVE-2011-4577
* SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
- debian/patches/CVE-2011-4619.patch: Only allow one SGC handshake
restart for SSL/TLS.
- CVE-2011-4619
* SECURITY UPDATE: GOST block cipher denial of service
- debian/patches/CVE-2012-0027.patch: check GOST parameters are
not NULL
- CVE-2012-0027
* SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
- debian/patches/CVE-2012-0050.patch: improve handling of DTLS MAC
- CVE-2012-0050
-- Steve Beattie <email address hidden> Wed, 08 Feb 2012 16:06:24 -0800
-
openssl (1.0.0e-2ubuntu4) oneiric; urgency=low
* The previous change moved the notification to major upgrades only, but
in fact, we do want the sysadmin to be notified when security updates
are installed, without having services automatically restarted.
(LP: #244250)
-- Marc Deslauriers <email address hidden> Tue, 04 Oct 2011 09:31:22 -0400
-
openssl (1.0.0e-2ubuntu3) oneiric; urgency=low
* Only issue a restart required notification on important upgrades, and
not other actions such as reconfiguration or initial installation.
(LP: #244250)
-- Anders Kaseorg <email address hidden> Tue, 04 Oct 2011 13:33:35 +0100
-
openssl (1.0.0e-2ubuntu2) oneiric; urgency=low
* Unapply patch c_rehash-multi and comment it out in the series as it breaks
parsing of certificates with CRLF line endings and other cases (see
Debian #642314 for discussion), it also changes the semantics of c_rehash
directories by requiring applications to parse hash link targets as files
containing potentially *multiple* certificates rather than exactly one.
LP: #855454.
-- Loic Minier <email address hidden> Tue, 27 Sep 2011 18:13:07 +0200
-
openssl (1.0.0e-2ubuntu1) oneiric; urgency=low
* Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
CVE-2011-3210 (LP: #850608). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification bubble on libssl1.0.0
upgrade.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i486, i586 (on
i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
* debian/libssl1.0.0.postinst: only display restart notification on
servers (LP: #244250)
openssl (1.0.0e-2) unstable; urgency=low
* Add a missing $(DEB_HOST_MULTIARCH)
openssl (1.0.0e-1) unstable; urgency=low
* New upstream version
- Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207)
- Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH. (CVE-2011-3210)
- Add protection against ECDSA timing attacks (CVE-2011-1945)
* Block DigiNotar certifiates. Patch from
Raphael Geissert <email address hidden>
* Generate hashes for all certs in a file (Closes: #628780, #594524)
Patch from Klaus Ethgen <email address hidden>
* Add multiarch support (Closs: #638137)
Patch from Steve Langasek / Ubuntu
* Symbols from the gost engine were removed because it didn't have
a linker file. Thanks to Roman I Khimov <email address hidden>
(Closes: #631503)
* Add support for s390x. Patch from Aurelien Jarno <email address hidden>
(Closes: #641100)
* Add build-arch and build-indep targets to the rules file.
openssl (1.0.0d-3) unstable; urgency=low
* Make it build on sparc64. Patch from Aurelien Jarno. (Closes: #626060)
* Apply patches from Scott Schaefer <email address hidden> to
fix various pod and spelling errors. (Closes: #622820, #605561)
* Add missing symbols for the engines (Closes: #623038)
* More spelling fixes from Scott Schaefer (Closes: #395424)
* Patch from Scott Schaefer to better document pkcs12 password options
(Closes: #462489)
* Document dgst -hmac option. Patch by Thorsten Glaser <email address hidden>
(Closes: #529586)
-- Steve Beattie <email address hidden> Wed, 14 Sep 2011 22:06:03 -0700
-
openssl (1.0.0d-2ubuntu2) oneiric; urgency=low
* Build for multiarch. LP: #826601.
-- Steve Langasek <email address hidden> Mon, 15 Aug 2011 01:58:35 -0700
-
openssl (1.0.0d-2ubuntu1) oneiric; urgency=low
* Resynchronise with Debian (LP: #675566). Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification bubble on libssl1.0.0
upgrade.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/aesni.patch: Backport Intel AES-NI support, now from
http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
0.9.8 variant.
- debian/patches/Bsymbolic-functions.patch: Link using
-Bsymbolic-functions.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i486, i586 (on
i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
* Update architectures affected by Bsymbolic-functions.patch.
* Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2'
configure option, which compiles out SSLv2 support entirely, so this is
no longer needed.
* Drop openssl-doc in favour of the libssl-doc package introduced by
Debian. Add Conflicts/Replaces until the next LTS release.
openssl (1.0.0d-2) unstable; urgency=high
* Make c_rehash also generate the old subject hash. Gnutls applications
seem to require it. (Closes: #611102)
openssl (1.0.0d-1) unstable; urgency=low
* New upstream version
- Fixes CVE-2011-0014
* Make libssl-doc Replaces/Breaks with old libssl-dev packages
(Closes: #607609)
* Only export the symbols we should, instead of all.
* Add symbol file.
* Upload to unstable
openssl (1.0.0c-2) experimental; urgency=low
* Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
* Always define _GNU_SOURCE, not only for Linux.
* Drop SSL2 support (Closes: #589706)
openssl (1.0.0c-1) experimental; urgency=low
* New upstream version (Closes: #578376)
- New soname: Rename library packages
- Drop patch perl-path.diff, not needed anymore
- Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
and CVE-2010-4180.patch: applied upstream.
- Update Configure for the new fields for the assembler options
per arch. alpha now makes use of assembler.
* Move man3 manpages and demos to libssl-doc (Closes: #470594)
* Drop .pod files from openssl package (Closes: #518167)
* Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
* Stop using BF_PTR2 on (kfreebd-)amd64.
* Drop debian-arm from the list of arches.
* Update arm arches to use BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
BF_PTR instead of BN_LLONG DES_RISC1
* ia64: Drop RC4_CHAR, add DES_UNROLL DES_INT
* powerpc: Use RC4_CHAR RC4_CHUNK DES_RISC1 instead
of DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX
* s390: Use RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL instead of BN_LLONG
-- Colin Watson <email address hidden> Sun, 01 May 2011 23:51:53 +0100
-
openssl (0.9.8o-5ubuntu1) natty; urgency=low
* Merge from debian unstable. Remaining changes: (LP: #718205)
- d/libssl0.9.8.postinst:
+ Display a system restart required notification bubble
on libssl0.9.8 upgrade.
+ Use a different priority for libssl0.9.8/restart-services
depending on whether a desktop, or server dist-upgrade
is being performed.
- d/{libssl0.9.8-udeb.dirs, control, rules}: Create
libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb
package in Debian).
- d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files,
rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
- d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}:
+ Ship documentation in openssl-doc, suggested by the package.
(Closes: #470594)
- d/p/aesni.patch: Backport Intel AES-NI support from
http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed)
- d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
- d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc.
- d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS.
The protocol is unsafe and extremely deprecated. (Closes: #589706)
- d/rules:
+ Disable SSLv2 during compile. (Closes: #589706)
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
(Closes: #465248)
+ Don't build for processors no longer supported: i486, i586
(on i386), v8 (on sparc).
+ Fix Makefile to properly clean up libs/ dirs in clean target.
(Closes: #611667)
+ Replace duplicate files in the doc directory with symlinks.
* This upload fixed CVE: (LP: #718208)
- CVE-2011-0014
openssl (0.9.8o-5) unstable; urgency=low
* Fix OCSP stapling parse error (CVE-2011-0014)
-- Artur Rona <email address hidden> Sun, 13 Feb 2011 16:10:24 +0100
