lp:ubuntu/trusty/openssl

Created by James Westby on 2013-10-20 and last modified on 2014-04-07
Get this branch:
bzr branch lp:ubuntu/trusty/openssl
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

102. By Marc Deslauriers on 2014-04-07

* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
  - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
    crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
    util/libeay.num.
  - CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
  - debian/patches/CVE-2014-0160.patch: use correct lengths in
    ssl/d1_both.c, ssl/t1_lib.c.
  - CVE-2014-0160

101. By Marc Deslauriers on 2014-01-08

* Merge with Debian, remaining changes.
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* Dropped changes:
  - debian/patches/arm64-support: included in debian-targets.patch
  - debian/patches/no_default_rdrand.patch: upstream
  - debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
    disabled in debian/rules

100. By Marc Deslauriers on 2013-12-19

debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
default unless explicitly requested.

99. By Matthias Klose on 2013-12-05

Update debian configuration.

98. By Marc Deslauriers on 2013-12-04

* Re-enable full TLSv1.2 support (LP: #1257877)
  - debian/patches/tls12_workarounds.patch: disable patch to re-enable
    full TLSv1.2 support. Most problematic sites have been fixed now, and
    we really want proper TLSv1.2 support in an LTS.

97. By Matthias Klose on 2013-12-04

Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1.

96. By Matthias Klose on 2013-07-15

* Merge with Debian, remaining changes.
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - debian/patches/tls12_workarounds.patch: Workaround large client hello
    issues when TLS 1.1 and lower is in use
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/patches/arm64-support: Add basic arm64 support (no assembler)
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
  in test suite since we disable it in the client.
* Disable compression to avoid CRIME systemwide (CVE-2012-4929).
* Dropped changes:
  - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.

95. By Seth Arnold on 2013-06-03

* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
  (LP: #1187195)
  - CVE-2012-4929
  - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
    zlib to compress SSL/TLS unless the environment variable
    OPENSSL_DEFAULT_ZLIB is set in the environment during library
    initialization.
  - Introduced to assist with programs not yet updated to provide their own
    controls on compression, such as Postfix
  - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

94. By Marc Deslauriers on 2013-05-21

* Resynchronise with Debian unstable. Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - debian/patches/tls12_workarounds.patch: Workaround large client hello
    issues when TLS 1.1 and lower is in use
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/patches/arm64-support: Add basic arm64 support (no assembler)
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
  in test suite since we disable it in the client.
* Dropped changes:
  - debian/patches/CVE-2013-0169.patch: upstream.
  - debian/patches/fix_key_decoding_deadlock.patch: upstream.
  - debian/patches/CVE-2013-0166.patch: upstream.

93. By Marc Deslauriers on 2013-03-19

* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
    commit from upstream to fix regression.
  - CVE-2013-0169

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/utopic/openssl
This branch contains Public information 
Everyone can see this information.

Subscribers