openssl (1.0.1c-4ubuntu8.2) raring-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid TLS handshake
    - debian/patches/CVE-2013-4353.patch: handle no new cipher setup in
      ssl/s3_both.c.
    - CVE-2013-4353
  * SECURITY UPDATE: denial of service via incorrect data structure
    - debian/patches/CVE-2013-6449.patch: check for handshake digests in
      ssl/s3_both.c, ssl/s3_pkt.c, ssl/t1_enc.c, use proper version in
      ssl/s3_lib.c.
    - CVE-2013-6449
  * SECURITY UPDATE: denial of service via DTLS retransmission
    - debian/patches/CVE-2013-6450.patch: fix DTLS retransmission in
      crypto/evp/digest.c, ssl/d1_both.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl_locl.h, ssl/t1_enc.c.
    - CVE-2013-6450
  * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
    default unless explicitly requested.

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jan 2014 14:55:58 -0500
openssl (1.0.1c-4ubuntu8.1) raring-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their own
      controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold <email address hidden>  Mon, 03 Jun 2013 18:13:47 -0700
openssl (1.0.1c-4ubuntu8) raring; urgency=low

  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
      commit from upstream to fix regression.
    - CVE-2013-0169

 -- Marc Deslauriers <email address hidden>  Tue, 19 Mar 2013 14:33:14 -0400
openssl (1.0.1c-4ubuntu7) raring; urgency=low

  * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522)

 -- Dmitrijs Ledkovs <email address hidden>  Thu, 07 Mar 2013 15:36:16 +0000
openssl (1.0.1c-4ubuntu6) raring; urgency=low

  * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock
    when decoding public keys. (LP: #1066032)

 -- Marc Deslauriers <email address hidden>  Wed, 06 Mar 2013 08:11:19 -0500
openssl (1.0.1c-4ubuntu5) raring; urgency=low

  * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873,
    LP: #1133333)
    - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
      available from upstream.

 -- Marc Deslauriers <email address hidden>  Thu, 28 Feb 2013 11:01:29 -0500
openssl (1.0.1c-4ubuntu4) raring; urgency=low

  * SECURITY UPDATE: denial of service via invalid OCSP key
    - debian/patches/CVE-2013-0166.patch: properly handle NULL key in
      crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c.
    - CVE-2013-0166
  * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
    - debian/patches/CVE-2013-0169.patch: massive code changes
    - CVE-2013-0169
  * SECURITY UPDATE: denial of service via AES-NI and crafted CBC data
    - Fix included in CVE-2013-0169 patch
    - CVE-2012-2686

 -- Marc Deslauriers <email address hidden>  Tue, 19 Feb 2013 13:25:24 -0500
openssl (1.0.1c-4ubuntu3) raring; urgency=low

  * Add basic arm64 support (no assembler) (LP: #1102107)

 -- Wookey <email address hidden>  Sun, 20 Jan 2013 17:30:15 +0000
openssl (1.0.1c-4ubuntu2) raring; urgency=low

  * Enable arm assembly code. (LP: #1083498) (Closes: #676533)

 -- Dmitrijs Ledkovs <email address hidden>  Wed, 28 Nov 2012 00:08:45 +0000
openssl (1.0.1c-4ubuntu1) raring; urgency=low

  * Resynchronise with Debian (LP: #1077228). Remaining changes:
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification on libssl1.0.0
        upgrade on servers.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i586 (on i386)
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
    - Unapply patch c_rehash-multi and comment it out in the series as it
      breaks parsing of certificates with CRLF line endings and other cases
      (see Debian #642314 for discussion), it also changes the semantics of
      c_rehash directories by requiring applications to parse hash link
      targets as files containing potentially *multiple* certificates rather
      than exactly one.
    - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
    - debian/patches/tls12_workarounds.patch: Workaround large client hello
      issues when TLS 1.1 and lower is in use
    - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  * Dropped changes:
    - Drop openssl-doc in favour of the libssl-doc package introduced by
      Debian. Add Conflicts/Replaces until the next LTS release.
      + Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS
        release'

openssl (1.0.1c-4) unstable; urgency=low

  * Fix the configure rules for alpha (Closes: #672710)
  * Switch the postinst to sh again, there never was a reason to
    switch it to bash (Closes: #676398)
  * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
    preprocessed. We generate the file again for pic anyway.
    (Closes: #677468)
  * Drop Breaks against openssh as it was only for upgrades
    between versions that were only in testing/unstable.
    (Closes: #668600)

 -- Tyler Hicks <email address hidden>  Fri, 09 Nov 2012 14:49:13 -0800
openssl (1.0.1c-3ubuntu2) quantal; urgency=low

  [ Tyler Hicks <email address hidden> ]
  * debian/patches/tls12_workarounds.patch: Readd the change to check
    TLS1_get_client_version rather than TLS1_get_version to fix incorrect
    client hello cipher list truncation when TLS 1.1 and lower is in use.
    (LP: #1051892)

  [ Micah Gersten <email address hidden> ]
  * Mark Debian Vcs-* as XS-Debian-Vcs-*
    - update debian/control

 -- Tyler Hicks <email address hidden>  Thu, 04 Oct 2012 10:34:57 -0700
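A practitioner checking whether an installed package version carries a given fix reads exactly this kind of changelog; as an added example (not part of this page, the OpenSSL project or the Ubuntu packaging), the Python below parses the dpkg changelog format and maps each version to the CVE ids named in its SECURITY UPDATE items, using two of the entries above as constructed sample input. It deliberately does not count a CVE that is merely mentioned, such as the CVE-2013-0169 patch being disabled in 1.0.1c-4ubuntu5.

```python
import re
# Constructed sample input: two entries from the changelog above, with the
# indentation of the dpkg changelog format restored.
SAMPLE = """\
openssl (1.0.1c-4ubuntu8.2) raring-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid TLS handshake
    - debian/patches/CVE-2013-4353.patch: handle no new cipher setup in ssl/s3_both.c.
    - CVE-2013-4353

 -- Marc Deslauriers <email address hidden>  Wed, 08 Jan 2014 14:55:58 -0500

openssl (1.0.1c-4ubuntu5) raring; urgency=low

  * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873)
    - debian/patches/CVE-2013-0169.patch: disabled for now until fix is
      available from upstream.

 -- Marc Deslauriers <email address hidden>  Thu, 28 Feb 2013 11:01:29 -0500
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    # [(version, [item, ...])]: an item is a '*' bullet joined with its
    # indented sub-bullets and wrapped continuation lines.
    entries, items, version = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # a new entry starts here
            version, items = m.group(2), []
            entries.append((version, items))
        elif line.startswith(" -- "):           # maintainer trailer ends it
            version = None
        elif version and line.startswith("  * "):
            items.append(line[4:].strip())
        elif version and line.startswith("    ") and items:
            items[-1] += " " + line.strip()
    return entries

def security_fixes(text):
    # version -> sorted CVE ids named in SECURITY UPDATE items only; a CVE only
    # mentioned (the CVE-2013-0169 patch being *disabled*) is not counted.
    result = {}
    for version, items in parse_changelog(text):
        fixed = {cve for item in items if item.startswith("SECURITY UPDATE")
                 for cve in CVE_ID.findall(item)}
        result[version] = sorted(fixed)
    return result
```

Run `security_fixes(open("/usr/share/doc/openssl/changelog.Debian").read())` (after gunzip where the file is compressed) to get the same map for a real installed package.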