Merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155 into lp:ubuntu/precise/openssl

Proposed by Ubuntu Package Importer
Status: Needs review
Proposed branch: lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155
Merge into: lp:ubuntu/precise/openssl
Diff against target: 71 lines (+31/-11) (has conflicts)
3 files modified
debian/changelog (+29/-9)
debian/patches/tls12_workarounds.patch (+1/-1)
ssl/s23_clnt.c (+1/-1)
Text conflict in debian/changelog
To merge this branch: bzr merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155
Reviewer: Ubuntu branches
Review status: Pending
Review via email: mp+198499@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative, the importer has made lp:ubuntu/precise/openssl reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201312110155. This merge proposal was created so that an Ubuntu developer can review the situation and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)


Unmerged revisions

80. By Colin Watson

releasing version 1.0.1-4ubuntu4

79. By Colin Watson

merge 1.0.1-4ubuntu3

78. By Colin Watson

Check TLS1_get_client_version rather than TLS1_get_version for client
hello cipher list truncation, in a further attempt to get things working
again for everyone (LP: #986147).

77. By Colin Watson

releasing version 1.0.1-4ubuntu2

76. By Colin Watson

* Backport more upstream patches to work around TLS 1.2 failures
  (LP #965371):
  - Do not use record version number > TLS 1.0 in initial client hello:
    some (but not all) hanging servers will now work.
  - Truncate the number of ciphers sent in the client hello to 50. Most
    broken servers should now work.
  - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
  sites listed in the above bug and its duplicates still fail if I do that
  versus leaving it disabled.

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2012-04-19 10:31:06 +0000
+++ debian/changelog 2013-12-11 06:23:47 +0000
@@ -1,12 +1,32 @@
1openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low1<<<<<<< TREE
22openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
3 * SECURITY UPDATE: fix various overflows3
4 - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,4 * SECURITY UPDATE: fix various overflows
5 crypto/buffer.c and crypto/mem.c to verify size of lengths5 - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
6 - CVE-2012-21106 crypto/buffer.c and crypto/mem.c to verify size of lengths
77 - CVE-2012-2110
8 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -05008
99 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
10
11=======
12openssl (1.0.1-4ubuntu4) precise-proposed; urgency=low
13
14 * Check TLS1_get_client_version rather than TLS1_get_version for client
15 hello cipher list truncation, in a further attempt to get things working
16 again for everyone (LP: #986147).
17
18 -- Colin Watson <cjwatson@ubuntu.com> Tue, 24 Apr 2012 14:05:50 +0100
19
20openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low
21
22 * SECURITY UPDATE: fix various overflows
23 - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
24 crypto/buffer.c and crypto/mem.c to verify size of lengths
25 - CVE-2012-2110
26
27 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 19 Apr 2012 10:31:06 -0500
28
29>>>>>>> MERGE-SOURCE
10openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low30openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low
1131
12 * Backport more upstream patches to work around TLS 1.2 failures32 * Backport more upstream patches to work around TLS 1.2 failures
1333
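Review bot: the conflict markers "<<<<<<< TREE", "=======" and ">>>>>>> MERGE-SOURCE" are still present on the new side of debian/changelog, and the 1.0.1-4ubuntu3 stanza appears on both sides of them. Resolve this by hand before merging: keep the 1.0.1-4ubuntu4 entry above a single copy of the 1.0.1-4ubuntu3 entry and remove the markers, because the file as proposed is not a valid changelog.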
=== modified file 'debian/patches/tls12_workarounds.patch'
--- debian/patches/tls12_workarounds.patch 2012-04-18 14:01:08 +0000
+++ debian/patches/tls12_workarounds.patch 2013-12-11 06:23:47 +0000
@@ -55,7 +55,7 @@
55+ * as hack workaround chop number of supported ciphers55+ * as hack workaround chop number of supported ciphers
56+ * to keep it well below this if we use TLS v1.256+ * to keep it well below this if we use TLS v1.2
57+ */57+ */
58+ if (TLS1_get_version(s) >= TLS1_2_VERSION58+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION
59+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)59+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
60+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;60+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
61+#endif61+#endif
6262
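Review bot: the comment above the changed condition (lines 55-57) still says the cipher list is chopped "if we use TLS v1.2", but line 58 now tests TLS1_get_client_version(s) instead of TLS1_get_version(s). Reword the comment inside the patch so it says the truncation is keyed on the client version; otherwise the next reader has no hint why this macro was chosen and may swap it back.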
=== modified file 'ssl/s23_clnt.c'
--- ssl/s23_clnt.c 2012-04-18 14:01:08 +0000
+++ ssl/s23_clnt.c 2013-12-11 06:23:47 +0000
@@ -474,7 +474,7 @@
474 * as hack workaround chop number of supported ciphers474 * as hack workaround chop number of supported ciphers
475 * to keep it well below this if we use TLS v1.2475 * to keep it well below this if we use TLS v1.2
476 */476 */
477 if (TLS1_get_version(s) >= TLS1_2_VERSION477 if (TLS1_get_client_version(s) >= TLS1_2_VERSION
478 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)478 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
479 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;479 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
480#endif480#endif
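Review bot: at line 479, "i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;" shortens the cipher list silently and the "& ~1" is unexplained. Add a short comment that the mask keeps the byte count even (each cipher suite is two bytes), and state that suites past the cap are left out of the client hello, since the changelog describes this check as governing client hello cipher list truncation.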
