lp:ubuntu/trusty/openssl

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

102. By Marc Deslauriers on 2014-04-07

* SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
  - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
    crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
    util/libeay.num.
  - CVE-2014-0076
* SECURITY UPDATE: memory disclosure in TLS heartbeat extension
  - debian/patches/CVE-2014-0160.patch: use correct lengths in
    ssl/d1_both.c, ssl/t1_lib.c.
  - CVE-2014-0160

101. By Marc Deslauriers on 2014-01-08

* Merge with Debian, remaining changes.
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* Dropped changes:
  - debian/patches/arm64-support: included in debian-targets.patch
  - debian/patches/no_default_rdrand.patch: upstream
  - debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely
    disabled in debian/rules

100. By Marc Deslauriers on 2013-12-19

debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
default unless explicitly requested.

99. By Matthias Klose on 2013-12-05

Update debian configuration.

98. By Marc Deslauriers on 2013-12-04

* Re-enable full TLSv1.2 support (LP: #1257877)
  - debian/patches/tls12_workarounds.patch: disable patch to re-enable
    full TLSv1.2 support. Most problematic sites have been fixed now, and
    we really want proper TLSv1.2 support in an LTS.

97. By Matthias Klose on 2013-12-04

Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1.

96. By Matthias Klose on 2013-07-15

* Merge with Debian, remaining changes.
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - debian/patches/tls12_workarounds.patch: Workaround large client hello
    issues when TLS 1.1 and lower is in use
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/patches/arm64-support: Add basic arm64 support (no assembler)
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
  in test suite since we disable it in the client.
* Disable compression to avoid CRIME systemwide (CVE-2012-4929).
* Dropped changes:
  - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.

95. By Seth Arnold on 2013-06-03

* SECURITY UPDATE: Disable compression to avoid CRIME systemwide
  (LP: #1187195)
  - CVE-2012-4929
  - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
    zlib to compress SSL/TLS unless the environment variable
    OPENSSL_DEFAULT_ZLIB is set in the environment during library
    initialization.
  - Introduced to assist with programs not yet updated to provide their own
    controls on compression, such as Postfix
  - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

94. By Marc Deslauriers on 2013-05-21

* Resynchronise with Debian unstable. Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building. Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates rather
    than exactly one.
  - debian/patches/tls12_workarounds.patch: Workaround large client hello
    issues when TLS 1.1 and lower is in use
  - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
  - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
    code.
  - debian/patches/arm64-support: Add basic arm64 support (no assembler)
  - debian/rules: Enable optimized 64bit elliptic curve code contributed
    by Google.
* debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
  in test suite since we disable it in the client.
* Dropped changes:
  - debian/patches/CVE-2013-0169.patch: upstream.
  - debian/patches/fix_key_decoding_deadlock.patch: upstream.
  - debian/patches/CVE-2013-0166.patch: upstream.

93. By Marc Deslauriers on 2013-03-19

* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
    commit from upstream to fix regression.
  - CVE-2013-0169