lp:ubuntu/quantal/openssl
- Get this branch:
- bzr branch lp:ubuntu/quantal/openssl
Branch merges
Branch information
- Owner:
- Ubuntu branches
- Status:
- Mature
Recent revisions
- 85. By Tyler Hicks
-
[ Tyler Hicks <email address hidden> ]
* debian/patches/tls12_workarounds.patch: Readd the change to check
TLS1_get_client_version rather than TLS1_get_version to fix incorrect
client hello cipher list truncation when TLS 1.1 and lower is in use.
(LP: #1051892)
[ Micah Gersten <email address hidden> ]
* Mark Debian Vcs-* as XS-Debian-Vcs-*
- update debian/control
- 84. By Marc Deslauriers
-
* Resynchronise with Debian. Remaining changes:
- debian/libssl1.0.0.postinst:
+ Display a system restart required notification on libssl1.0.0
upgrade on servers.
+ Use a different priority for libssl1.0.0/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
in Debian).
- debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
rules}: Move runtime libraries to /lib, for the benefit of
wpasupplicant.
- debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
.pc.
- debian/rules:
+ Don't run 'make test' when cross-building.
+ Use host compiler when cross-building. Patch from Neil Williams.
+ Don't build for processors no longer supported: i586 (on i386)
+ Fix Makefile to properly clean up libs/ dirs in clean target.
+ Replace duplicate files in the doc directory with symlinks.
- Unapply patch c_rehash-multi and comment it out in the series as it
breaks parsing of certificates with CRLF line endings and other cases
(see Debian #642314 for discussion), it also changes the semantics of
c_rehash directories by requiring applications to parse hash link
targets as files containing potentially *multiple* certificates rather
than exactly one.
- Bump version passed to dh_makeshlibs to 1.0.1 for new symbols.
- debian/patches/tls12_workarounds.patch: workaround large client hello
issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
with -DOPENSSL_NO_TLS1_2_CLIENT.
* Dropped upstreamed patches:
- debian/patches/CVE-2012-2110.patch
- debian/patches/CVE-2012-2110b.patch
- debian/patches/CVE-2012-2333.patch
- debian/patches/CVE-2012-0884-extra.patch
- most of debian/patches/tls12_workarounds.patch
- 83. By Steve Beattie
-
* SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and
TLS v1.2 implementation
- debian/patches/CVE_2012-2333.patch: guard for integer overflow
before skipping explicit IV
- CVE-2012-2333
* debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen
properly when encrypting CMS messages.
- 82. By Jamie Strandboge
-
debian/patches/CVE-2012-2110b.patch: Use correct error code in
BUF_MEM_grow_clean()
- 81. By Jamie Strandboge
-
* SECURITY UPDATE: fix various overflows
- debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110
- 78. By Colin Watson
-
Check TLS1_get_client_version rather than TLS1_get_version for client
hello cipher list truncation, in a further attempt to get things working
again for everyone (LP: #986147).
- 76. By Colin Watson
-
* Backport more upstream patches to work around TLS 1.2 failures
(LP #965371):
- Do not use record version number > TLS 1.0 in initial client hello:
some (but not all) hanging servers will now work.
- Truncate the number of ciphers sent in the client hello to 50. Most
broken servers should now work.
- Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
sites listed in the above bug and its duplicates still fail if I do that
versus leaving it disabled.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/raring/openssl