lp:~nvalcarcel/ubuntu/lucid/openssl/openssl-merge

Created by Nicolas Valcarcel and last modified
Get this branch:
bzr branch lp:~nvalcarcel/ubuntu/lucid/openssl/openssl-merge

Branch information

Owner:
Nicolas Valcarcel
Status:
Development

Recent revisions

39. By Nicolas Valcarcel

Move runtime libraries to /lib, for the benefit of wpasupplicant

38. By Nicolas Valcarcel

add disable-sslv2.patch and Bsymbolic-functions.patch

37. By Nicolas Valcarcel

Fix version

36. By Nicolas Valcarcel

* Disable CVE-2009-3555.patch
* Bump the shlibs to require 0.9.8k-1. The following symbols
  were added between g and k: AES_wrap_key, AES_unwrap_key,
  ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn,
  SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex,
  BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init,
  int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions,
  CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info,
  CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init,
  ENGINE_set_load_ssl_client_cert_function,
  ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert,
  EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags,
  EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new,
  OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex,
  RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0,
  X509at_get0_data_by_OBJ, X509_get1_ocsp

35. By Nicolas Valcarcel

Merge from debian unstable, remaining changes (LP: #493392):

34. By Nicolas Valcarcel

* Merge from debian unstable, remaining changes:
  - Link using -Bsymbolic-functions
  - Add support for lpia
  - Disable SSLv2 during compile
  - Ship documentation in openssl-doc, suggested by the package.
  - Use a different priority for libssl0.9.8/restart-services
    depending on whether a desktop, or server dist-upgrade is being
    performed.
  - Display a system restart required notification bubble on libssl0.9.8
    upgrade.
  - Replace duplicate files in the doc directory with symlinks.
* Strip the patches out of the source into quilt patches
* Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
* Don't check self signed certificate signatures in X509_verify_cert()
  (Closes: #541735)
* Split all the patches into a separate files
* Stop undefining HZ, the issue on alpha should be fixed.
* Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899)
* Make rc4-x86_64 PIC. Based on patch from Petr Salinger (Closes: #532336)
* Add workaround for kfreebsd that can't see the difference between
  two pipes. Patch from Petr Salinger.
* Move libssl0.9.8-dbg to the debug section.
* Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
* Split the line to generate md5-x86_64.s in the Makefile. This will
  hopefully fix the build issue on kfreebsd that now outputs the file
  to stdout instead of the file.
* Fix denial of service via an out-of-sequence DTLS handshake message
  (CVE-2009-1387) (Closes: #532037)
* New upstream release
  - 0.9.8i fixed denial of service via a DTLS ChangeCipherSpec packet
    that occurs before ClientHello (CVE-2009-1386)
* Make aes-x86_64.pl use PIC.
* Fix security issues (Closes: #530400)
  - "DTLS record buffer limitation bug." (CVE-2009-1377)
  - "DTLS fragment handling" (CVE-2009-1378)
  - "DTLS use after free" (CVE-2009-1379)
* Fixed Configure for hurd: use -mtune=i486 instead of -m486
  Patch by Marc Dequènes (Duck) <email address hidden> (Closes: #530459)
* Add support for avr32 (Closes: #528648)

33. By Marc Deslauriers

* SECURITY UPDATE: certificate spoofing via hash collisions from MD2
  design flaws.
  - crypto/evp/c_alld.c, ssl/ssl_algs.c: disable MD2 digest.
  - crypto/x509/x509_vfy.c: skip signature check for self signed
    certificates
  - http://marc.info/?l=openssl-cvs&m=124508133203041&w=2
  - http://marc.info/?l=openssl-cvs&m=124704528713852&w=2
  - CVE-2009-2409

32. By Jamie Strandboge

* Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by
  Marc Deslauriers)
* SECURITY UPDATE: denial of service via memory consumption from large
  number of future epoch DTLS records.
  - crypto/pqueue.*: add new pqueue_size counter function.
  - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100.
  - http://cvs.openssl.org/chngview?cn=18187
  - CVE-2009-1377
* SECURITY UPDATE: denial of service via memory consumption from
  duplicate or invalid sequence numbers in DTLS records.
  - ssl/d1_both.c: discard message if it's a duplicate or too far in the
    future.
  - http://marc.info/?l=openssl-dev&m=124263491424212&w=2
  - CVE-2009-1378
* SECURITY UPDATE: denial of service or other impact via use-after-free
  in dtls1_retrieve_buffered_fragment.
  - ssl/d1_both.c: use temp frag_len instead of freed frag.
  - http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
  - CVE-2009-1379
* SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet
  that occurs before ClientHello.
  - ssl/s3_pkt.c: abort if s->session is NULL.
  - ssl/{ssl.h,ssl_err.c}: add new error codes.
  - http://cvs.openssl.org/chngview?cn=17369
  - CVE-2009-1386
* SECURITY UPDATE: denial of service via an out-of-sequence DTLS
  handshake message.
  - ssl/d1_both.c: don't buffer fragments with no data.
  - http://cvs.openssl.org/chngview?cn=17958
  - CVE-2009-1387

31. By Jamie Strandboge

* Merge from debian unstable, remaining changes:
  - Link using -Bsymbolic-functions
  - Add support for lpia
  - Disable SSLv2 during compile
  - Ship documentation in openssl-doc, suggested by the package.
  - Use a different priority for libssl0.9.8/restart-services
    depending on whether a desktop, or server dist-upgrade is being
    performed.
  - Display a system restart required notification bubble on libssl0.9.8
    upgrade.
  - Replace duplicate files in the doc directory with symlinks.

30. By Jamie Strandboge

* SECURITY UPDATE: crash via invalid memory access when printing BMPString
  or UniversalString with invalid length
  - crypto/asn1/tasn_dec.c, crypto/asn1/asn1_err.c and crypto/asn1/asn1.h:
    return error if invalid length
  - CVE-2009-0590
  - http://www.openssl.org/news/secadv_20090325.txt
  - patch from upstream CVS:
    crypto/asn1/asn1.h:1.128.2.11->1.128.2.12
    crypto/asn1/asn1_err.c:1.54.2.4->1.54.2.5
    crypto/asn1/tasn_dec.c:1.26.2.10->1.26.2.11

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)