Merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155 into lp:ubuntu/precise/openssl

Proposed by Ubuntu Package Importer
Status: Needs review
Proposed branch: lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155
Merge into: lp:ubuntu/precise/openssl
Diff against target: 71 lines (+31/-11) (has conflicts)
3 files modified
debian/changelog (+29/-9)
debian/patches/tls12_workarounds.patch (+1/-1)
ssl/s23_clnt.c (+1/-1)
Text conflict in debian/changelog
To merge this branch: bzr merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+198499@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative, the importer has made lp:ubuntu/precise/openssl reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155. This merge proposal was created so that an Ubuntu developer can review the situation and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)


Unmerged revisions

80. By Colin Watson

releasing version 1.0.1-4ubuntu4

79. By Colin Watson

merge 1.0.1-4ubuntu3

78. By Colin Watson

Check TLS1_get_client_version rather than TLS1_get_version for client
hello cipher list truncation, in a further attempt to get things working
again for everyone (LP: #986147).

77. By Colin Watson

releasing version 1.0.1-4ubuntu2

76. By Colin Watson

* Backport more upstream patches to work around TLS 1.2 failures
  (LP #965371):
  - Do not use record version number > TLS 1.0 in initial client hello:
    some (but not all) hanging servers will now work.
  - Truncate the number of ciphers sent in the client hello to 50. Most
    broken servers should now work.
  - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
  sites listed in the above bug and its duplicates still fail if I do that
  versus leaving it disabled.

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2012-04-19 10:31:06 +0000
3+++ debian/changelog 2013-12-11 06:23:47 +0000
4@@ -1,12 +1,32 @@
5-openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
6-
7- * SECURITY UPDATE: fix various overflows
8- - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
9- crypto/buffer.c and crypto/mem.c to verify size of lengths
10- - CVE-2012-2110
11-
12- -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
13-
14+<<<<<<< TREE
15+openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
16+
17+ * SECURITY UPDATE: fix various overflows
18+ - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
19+ crypto/buffer.c and crypto/mem.c to verify size of lengths
20+ - CVE-2012-2110
21+
22+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
23+
24+=======
25+openssl (1.0.1-4ubuntu4) precise-proposed; urgency=low
26+
27+ * Check TLS1_get_client_version rather than TLS1_get_version for client
28+ hello cipher list truncation, in a further attempt to get things working
29+ again for everyone (LP: #986147).
30+
31+ -- Colin Watson <cjwatson@ubuntu.com> Tue, 24 Apr 2012 14:05:50 +0100
32+
33+openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
34+
35+ * SECURITY UPDATE: fix various overflows
36+ - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
37+ crypto/buffer.c and crypto/mem.c to verify size of lengths
38+ - CVE-2012-2110
39+
40+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
41+
42+>>>>>>> MERGE-SOURCE
43 openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low
44
45 * Backport more upstream patches to work around TLS 1.2 failures
46
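Review bot: this hunk adds unresolved conflict markers (`<<<<<<< TREE`, `=======`, `>>>>>>> MERGE-SOURCE`) to debian/changelog, so it cannot be merged as-is; the file will not parse as a changelog until they are removed. The MERGE-SOURCE side already contains both the 1.0.1-4ubuntu4 entry and the 1.0.1-4ubuntu3 entry that the TREE side duplicates, so the resolution is to keep the MERGE-SOURCE block and drop the TREE block together with the three marker lines. Note also that the archive side (the `---` file, dated 2012-04-19) tops out at 1.0.1-4ubuntu3 while bzr carries a 1.0.1-4ubuntu4 entry dated 24 Apr 2012, which is the first case listed in the description: the TLS1_get_client_version change was committed to bzr but, as far as this diff shows, never uploaded, so the reviewer should decide whether that change is still wanted before merging.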
47=== modified file 'debian/patches/tls12_workarounds.patch'
48--- debian/patches/tls12_workarounds.patch 2012-04-18 14:01:08 +0000
49+++ debian/patches/tls12_workarounds.patch 2013-12-11 06:23:47 +0000
50@@ -55,7 +55,7 @@
51 + * as hack workaround chop number of supported ciphers
52 + * to keep it well below this if we use TLS v1.2
53 + */
54-+ if (TLS1_get_version(s) >= TLS1_2_VERSION
55++ if (TLS1_get_client_version(s) >= TLS1_2_VERSION
56 + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
57 + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
58 +#endif
59
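Review bot: the truncation this hunk touches silently drops every cipher suite past the first OPENSSL_MAX_TLS1_2_CIPHER_LENGTH bytes of the list (`& ~1` keeps the byte count even because each suite id is two bytes), so the order of the configured cipher list decides which suites are still offered; that caveat should be recorded in the patch header so that anyone tuning cipher preferences on precise knows the tail of the list may never be sent. The change itself is consistent with the one in ssl/s23_clnt.c below: both replace `TLS1_get_version(s)` with `TLS1_get_client_version(s)` in the same condition, and the quilt patch and the applied source must stay identical, which they do here.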
60=== modified file 'ssl/s23_clnt.c'
61--- ssl/s23_clnt.c 2012-04-18 14:01:08 +0000
62+++ ssl/s23_clnt.c 2013-12-11 06:23:47 +0000
63@@ -474,7 +474,7 @@
64 * as hack workaround chop number of supported ciphers
65 * to keep it well below this if we use TLS v1.2
66 */
67- if (TLS1_get_version(s) >= TLS1_2_VERSION
68+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION
69 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
70 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
71 #endif
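Review bot: switching the predicate from `TLS1_get_version(s)` to `TLS1_get_client_version(s)` is the right fix for this spot: in the SSLv23 client path no version has been negotiated yet when the ClientHello is built, so `s->version` does not describe what this hello offers, whereas `s->client_version` is set in this function after the SSL_OP_NO_* options are applied and is the value written into the hello; the comment above the condition ("if we use TLS v1.2") is about the offered version, so the code now matches the comment. Two small follow-ups for the changelog: the whole block only exists when OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is defined at build time, so the entry should say whether the Ubuntu build defines it; and since the 1.0.1-4ubuntu2 entry says TLS 1.2 client support stays disabled by default, it would help to state that this condition still matters for applications that explicitly enable TLS 1.2.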
