lp:ubuntu/quantal/openssl

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/quantal/openssl

Branch information

Owner: Ubuntu branches
Status: Mature

Recent revisions

85. By Tyler Hicks

[ Tyler Hicks <email address hidden> ]
* debian/patches/tls12_workarounds.patch: Readd the change to check
  TLS1_get_client_version rather than TLS1_get_version to fix incorrect
  client hello cipher list truncation when TLS 1.1 and lower is in use.
  (LP: #1051892)

[ Micah Gersten <email address hidden> ]
* Mark Debian Vcs-* as XS-Debian-Vcs-*
  - update debian/control

84. By Marc Deslauriers

* Resynchronise with Debian. Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
  - debian/patches/tls12_workarounds.patch: workaround large client hello
    issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
    with -DOPENSSL_NO_TLS1_2_CLIENT.
* Dropped upstreamed patches:
  - debian/patches/CVE-2012-2110.patch
  - debian/patches/CVE-2012-2110b.patch
  - debian/patches/CVE-2012-2333.patch
  - debian/patches/CVE-2012-0884-extra.patch
  - most of debian/patches/tls12_workarounds.patch

83. By Steve Beattie

* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
  TLS v1.2 implementation
  - debian/patches/CVE_2012-2333.patch: guard for integer overflow
    before skipping explicit IV
  - CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
  properly when encrypting CMS messages.

82. By Jamie Strandboge

debian/patches/CVE-2012-2110b.patch: Use correct error code in
BUF_MEM_grow_clean()

81. By Jamie Strandboge

* SECURITY UPDATE: fix various overflows
  - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
    crypto/buffer.c and crypto/mem.c to verify size of lengths
  - CVE-2012-2110

80. By Colin Watson

releasing version 1.0.1-4ubuntu4

79. By Colin Watson

merge 1.0.1-4ubuntu3

78. By Colin Watson

Check TLS1_get_client_version rather than TLS1_get_version for client
hello cipher list truncation, in a further attempt to get things working
again for everyone (LP: #986147).

77. By Colin Watson

releasing version 1.0.1-4ubuntu2

76. By Colin Watson

* Backport more upstream patches to work around TLS 1.2 failures
  (LP #965371):
  - Do not use record version number > TLS 1.0 in initial client hello:
    some (but not all) hanging servers will now work.
  - Truncate the number of ciphers sent in the client hello to 50. Most
    broken servers should now work.
  - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
  sites listed in the above bug and its duplicates still fail if I do that
  versus leaving it disabled.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/raring/openssl