Last commit made on 2016-04-02
Get this branch:
git clone -b debian/wheezy https://git.launchpad.net/ubuntu/+source/openssl

Recent commits

13bb755... by Kurt Roeckx on 2016-02-28

Import patches-unapplied version 1.0.1e-2+deb7u20 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: ac669d9052051f16d6a3c3b95af0014fdacef43a

New changelog entries:
  * Fix CVE-2016-0797
  * Fix CVE-2016-0798
  * Fix CVE-2016-0799
  * Fix CVE-2016-0702
  * Fix CVE-2016-0705
  * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)
    makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them
  * Non-maintainer upload by the Security Team.
  * Add CVE-2015-7575.patch patch.
    CVE-2015-7575: SLOTH: Security Losses from Obsolete and Truncated
    Transcript Hashes.
  * Fix CVE-2015-3194
  * Fix CVE-2015-3195
  * Fix CVE-2015-3196

ac669d9... by Kurt Roeckx on 2015-06-13

Import patches-unapplied version 1.0.1e-2+deb7u17 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 831aec6185dc0a183186d19d4d105a60b7595abc

New changelog entries:
  * Fix CVE-2015-1791
  * Fix CVE-2015-1792
  * Fix CVE-2015-1789
  * Fix CVE-2015-1790
  * Fix CVE-2015-1788
  * Fix CVE-2015-4000
  * Fix CVE-2014-8176
  * Revert patch 0003-Free-up-passed-ASN.1-structure-if-reused.patch, it
    breaks nginx and doesn't have a security issue
  * Add patch 0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
    as follow up to CVE-2015-0209
  * Fix CVE-2015-0286
  * Fix CVE-2015-0287
  * Fix CVE-2015-0289
  * Fix CVE-2015-0292
  * Fix CVE-2015-0293 (not affected, SSLv2 disabled)
  * Fix CVE-2015-0209
  * Fix CVE-2015-0288
  * Remove export ciphers from DEFAULT.
  * Make DTLS always act as if read_ahead is set. This fixes a regression
    introduced by the fix for CVE-2014-3571. (Closes: #775502)
  * Fix error codes.
  - Fix for CVE-2014-3571
  - Fix for CVE-2015-0206
  - Fix for CVE-2014-3569
  - Fix for CVE-2014-3572
  - Fix for CVE-2015-0204
  - Fix for CVE-2015-0205
  - Fix for CVE-2014-8275
  - Fix for CVE-2014-3570

831aec6... by Kurt Roeckx on 2014-10-15

Import patches-unapplied version 1.0.1e-2+deb7u13 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b92ccaf172c3644b247baf5f5ad1b8a335c2186c

New changelog entries:
  * Fixes CVE-2014-3513
  * Fixes CVE-2014-3567
  * Add Fallback SCSV support to mitigate CVE-2014-3566
  * Fixes CVE-2014-3568

b92ccaf... by Kurt Roeckx on 2014-08-06

Import patches-unapplied version 1.0.1e-2+deb7u12 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7ce8ead691ca3af8c0700da650ebe52a66f1f391

New changelog entries:
  * Fix for CVE-2014-3512
  * Fix for CVE-2014-3511
  * Fix for CVE-2014-3510
  * Fix for CVE-2014-3507
  * Fix for CVE-2014-3506
  * Fix for CVE-2014-3505
  * Fix for CVE-2014-3509
  * Fix for CVE-2014-5139
  * Fix for CVE-2014-3508

7ce8ead... by Kurt Roeckx on 2014-06-15

Import patches-unapplied version 1.0.1e-2+deb7u11 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 73e4ed92a92cef9da45fd93967546ff998d04016

New changelog entries:
  * Update fix for CVE-2014-0224 to work with more renegotiation and
    resumption cases. (Closes: #751093)
  * Fix CVE-2012-4929 (CRiME) by disabling zlib compression by default.
    It can be enabled again by setting the environment variable
    OPENSSL_NO_DEFAULT_ZLIB. (Closes: #728055)
  * Update ECDHE-ECDSA_Safari.patch to define SSL_OP_MSIE_SSLV2_RSA_PADDING
    again but to 0 so things keep building. (Closes: #751457)
  * Fix CVE-2014-0224
  * Fix CVE-2014-0221
  * Fix CVE-2014-0195
  * Fix CVE-2014-3470
  * Fix CVE-2014-0198 (Closes: #747432)
  * Don't prefer ECDHE_ECDSA with some Safari versions
    This also adds the SSL_OP_SAFARI_ECDHE_ECDSA_BUG option.
  * Actually restart the services when restart-without-asking is set.
    (Closes: #745801)

73e4ed9... by Raphael Geissert on 2014-04-17

Import patches-unapplied version 1.0.1e-2+deb7u7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ff233782af9b35e4c429a55accd685c793543108

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * Fix CVE-2010-5298: use-after-free race condition.
  * Add a versioned dependency from openssl to libssl1.0.0 to a version
    that has the fix for CVE-2014-0160 (Closes: #744194).
  * Propose restarting prosody on upgrade (Closes: #744871).
  * Correctly detect apache2 installations and propose it to be
    restarted (Closes: #744141).
  * Add more services to be checked for restart.
  * Fix a bug where the critical flag for TSA extended key usage is not
    always detected, and two other similar cases.
  * Add support for 'libraries/restart-without-asking', which allows
    services to be restarted automatically without prompting, or
    requiring a response instead.
  * Fix CVE-2014-0076: "Yarom/Benger FLUSH+RELOAD Cache Side-channel Attack"
    (Closes: #742923).
  * Non-maintainer upload by the Security Team.
  * Enable checking for services that may need to be restarted
  * Update list of services to possibly restart
  * Non-maintainer upload by the Security Team.
  * Add CVE-2014-0160.patch patch.
    CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.
    A missing bounds check in the handling of the TLS heartbeat extension
    can be used to reveal up to 64k of memory to a connected client or

ff23378... by Kurt Roeckx on 2014-02-01

Import patches-unapplied version 1.0.1e-2+deb7u4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 05b54a0cf8b6dcdcbc4727cf5a25c42dc1c94f3d

New changelog entries:
  * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
  * Enable assembler for the arm targets, and remove armeb.
    Patch by Riku Voipio <email address hidden> (Closes: #676533)
  * Don't change version number if session established
  * The patch we applied for CVE-2013-6450 was causing segfaults,
    also apply the previous commit checking for NULL in
  * Fix for TLS record tampering bug CVE-2013-4353
  * Fix CVE-2013-6449 (Closes: #732754)
  * Fix CVE-2013-6450
  * disable rdrand by default. It was used as only source of entropy when
    available. (Closes: #732710)
  * Disable Dual EC DRBG.

05b54a0... by Kurt Roeckx on 2013-03-18

Import patches-unapplied version 1.0.1e-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e19510efe2346627266c179dc39dc63e98114a4b

New changelog entries:
  * Bump shlibs. It's needed for the udeb.
  * Make cpuid work on CPUs that don't set ecx (Closes: #699692)
  * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
  * Fix problem with DTLS version check (Closes: #701826)
  * Fix segfault in SSL_get_certificate (Closes: #703031)

e19510e... by Kurt Roeckx on 2013-02-11

Import patches-unapplied version 1.0.1e-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 23d2b7c8d282b3bd60601b7c48cf594106d126ef

New changelog entries:
  * New upstream version (Closes: #699889)
    - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
    - Drop renegiotate_tls.patch, applied upstream
    - Export new CRYPTO_memcmp symbol, update symbol file
  * Add ssltest_no_sslv2.patch so that "make test" works.
  * Re-enable assembler versions on sparc. They shouldn't have
    been disabled for sparc v9. (Closes: #649841)

23d2b7c... by Kurt Roeckx on 2012-07-17

Import patches-unapplied version 1.0.1c-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 79e8663eddb6e1140f68c98add690f24351da12e

New changelog entries:
  * Fix the configure rules for alpha (Closes: #672710)
  * Switch the postinst to sh again, there never was a reason to
    switch it to bash (Closes: #676398)
  * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
    preprocessed. We generate the file again for pic anyway.
    (Closes: #677468)
  * Drop Breaks against openssh as it was only for upgrades
    between versions that were only in testing/unstable.
    (Closes: #668600)