Last commit made on 2007-10-22
Get this branch:
git clone -b ubuntu/edgy-devel https://git.launchpad.net/ubuntu/+source/openssl

Recent commits

5269331... by Kees Cook on 2007-10-19

Import patches-unapplied version 0.9.8b-2ubuntu2.2 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: b694aa77a81e3dbd86c840e10494ae8e66bb8845

New changelog entries:
  * SECURITY UPDATE: DTLS implementation can lead to remote code execution.
  * ssl/{ssl_err,d1_both}.c, ssl/{dtls1,ssl}.h: patched inline with upstream
    fixes backported thanks to Ludwig Nussel.
  * References

b694aa7... by Kees Cook on 2007-09-28

Import patches-unapplied version 0.9.8b-2ubuntu2.1 to ubuntu/edgy-security

Imported using git-ubuntu import.

Changelog parent: c2a591602a7725d3b7e2e924263ca510d4e2ced8

New changelog entries:
  [ Jamie Strandboge ]
  * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
    buffer overflow
  * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
    Stephan Hermann
  * References:
    Fixes LP: #146269
  [ Kees Cook ]
  * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
  * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
  * References

c2a5916... by Martin Pitt on 2006-09-27

Import patches-unapplied version 0.9.8b-2ubuntu2 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: cfbe33d02b2140df9d76b6d7e8a8825f9863004e

New changelog entries:
  * SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
  * crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
    an infinite loop in some circumstances. [CVE-2006-2937]
  * ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
    handle invalid long cipher list strings. [CVE-2006-3738]
  * ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
    avoid client crash with malicious server responses. [CVE-2006-4343]
  * Certain types of public key could take disproportionate amounts of time to
    process. Apply patch from Bodo Moeller to impose limits to public key type
    values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
  * Updated patch in previous package version to fix a few corner-case
    regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
    were determined to not be necessary).

cfbe33d... by Martin Pitt on 2006-09-05

Import patches-unapplied version 0.9.8b-2ubuntu1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 8191a6416381cc66efbd303b090cc1fd079fe3f4

New changelog entries:
  * SECURITY UPDATE: signature forgery in some cases.
  * Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
    - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
      applications from incorrectly verifying the certificate.
  * References:

8191a64... by Colin Watson on 2006-07-31

Import patches-unapplied version 0.9.8b-2build1 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: 365a564ba4f195916b6830f8367ef4f892a770ec

New changelog entries:
  * Rebuild with current zlib1g-dev to fix udeb shlibdeps.

365a564... by Kurt Roeckx on 2006-05-15

Import patches-unapplied version 0.9.8b-2 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: f66058c6720a830b88820a5aa97b08c417c851be

New changelog entries:
  * Don't call gcc with -mcpu on i386, we already use -march, so no need for
    -mtune either.
  * Always make all directories when building something:
    - The engines directory didn't get built for the static directory, so
      were missing in libcrypto.a
    - The apps directory didn't always get built, so we didn't have an openssl
      and a small part of the regression tests failed.
  * Make the package fail to build if the regression tests fail.
  * New upstream release
    - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
    - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
      instead of FALSE.
    - CA.pl/CA.sh creates crlnumber now. (Closes: #347612)
  * Run debconf-updatepo, which really already was in the 0.9.8a-8 version
    as it was uploaded.
  * Add Galician debconf translation. Patch from
    Jacobo Tarrio <email address hidden> (Closes: #361266)
  * libssl0.9.8.postinst makes use of bashisms (local variables)
    so use #!/bin/bash
  * libssl0.9.8.postinst: Call set -e after sourcing the debconf
  * libssl0.9.8.postinst: Change list of services that may need
    to be restarted:
    - Replace ssh by openssh-server
    - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
    - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
      fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
  * libssl0.9.8.postinst: The check to see if something was installed
    wasn't working.
  * libssl0.9.8.postinst: Add workaround to find the name of the init
    script for proftpd and dovecot.
  * libssl0.9.8.postinst: Use invoke-rc.d when it's available.
  * Change Standards-Version to 3.7.0:
    - Make use of invoke-rc.d
  * Add comment to README.Debian that rc5, mdc2 and idea have been
    disabled (since 0.9.6b-3) (Closes: #362754)
  * Don't add uninitialised data to the random number generator. This stops
    valgrind from giving error messages in unrelated code.
    (Closes: #363516)
  * Put the FAQ in the openssl docs.
  * Add Russian debconf translations from Yuriy Talakan <email address hidden>
    (Closes #367216)
  * Call pod2man with the proper section. Section changed
    from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL. The name of the files
    already had the ssl in, the section didn't. The references
    to other manpages are still wrong.
  * Don't install the LICENSE file, it's already in the copyright file.
  * Don't set an rpath on openssl to point to /usr/lib.
  * Add support for kfreebsd-amd64. (Closes: #355277)
  * Add udeb to the shlibs. Patch from Frans Pop <email address hidden>
    (Closes: #356908)
  * Add Italian debconf templates. Thanks to Luca Monducci.
    (Closes: #350249)
  * Change the debconf question to use version 0.9.8-3
    instead of 0.9.8-1, since that's the last version
    with a security fix.
  * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
    (Closes: #352047). RC bug affecting testing, so urgency high.
  * Remove empty postinst/preinst/prerm scripts. There is no need
    to have empty ones, debhelper will add them when needed.
  * Remove the static pic libraries. Nobody should be linking
    its shared libraries static to libssl or libcrypto.
    This was added for opensc who now links to it shared.
  * Do not assume that in case the sequence number is 0 and the
    packet has an odd number of bytes that the other side has
    the block padding bug, but try to check that it actually
    has the bug. The wrong detection of this bug resulted
    in a "decryption failed or bad record mac" error in case
    both sides were using zlib compression. (Closes: #338006)

f66058c... by Kurt Roeckx on 2005-12-13

Import patches-unapplied version 0.9.8a-5 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 356487a868d6cbf990cddfd08c115d6d0c946072

New changelog entries:
  * Stop ssh from crashing randomly on sparc (Closes: #335912)
    Patch from upstream cvs.
  * Call dh_makeshlibs with the proper version instead of putting
    it in shlibs.local, which doesn't seem to do anything. 0.9.8a-1
    added symbol versioning, so it should have bumped the shlibs.
    (Closes: #338284)
  * The openssl package had a duplicate dependency on libssl0.9.8,
    only require the version as required by the shlibs.
  * Make libssl-dev depend on zlib1g-dev, since it's now required for
    static linking. (Closes: #338313)
  * Generate .pc files that make use of Libs.private, so things only
    link to the libraries they should when linking shared.
  * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
  * Make powerpc and ppc64 use the assembler version for bn. ppc64
    had the location in the string wrong, powerpc had it missing.
  * Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
    ripemd.h and sha.h. (Closes: #333101)
  * Run make test for each of the versions we build, make it
    not fail the build process if an error is found.
  * Add build dependency on bc for the regression tests.
  * Link to libz instead of dynamically loading it. It gets loaded
    at the moment the library is initialised, so there is no point
    in not linking to it. It's now failing in some cases since
    it's not opened by its soname, but by the symlink to it.
    This should hopefully solve most of the bugs people have reported
    since the move to libssl0.9.8.
    (Closes: #334180, #336140, #335271)
  * Urgency set to high because it fixes a grave bug affecting testing.
  * Add Build-Dependency on m4, since sparc needs it to generate
    its assembler files. (Closes: #334542)
  * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
    and causes a segfault. (Closes: #334501, #334502)
  Christoph Martin:
  * fix asm entries for some architectures, fixing #332758 properly.
  * add noexecstack option to i386 subarch
  * include symbol versioning in Configure (closes: #330867)
  * include debian-armeb arch (closes: #333579)
  * include new upstream patches; includes some minor fixes
  * fix dh_shlibdeps line, removing the redundant dependency on
    libssl0.9.8 (closes: #332755)
  * add Swedish debconf template (closes: #330554)
  Kurt Roeckx:
  * Also add noexecstack option for amd64, since it now has an
    executable stack with the assembler fixes for amd64.
  * Apply security fix for CAN-2005-2969. (Closes: #333500)
  * Change priority of -dbg package to extra.
  * Don't use arch specific assembler. Should fix build failure on
    ia64, sparc and amd64. (Closes: #332758)
  * Add myself to the uploaders.
  * New upstream release (closes: #311826)
  * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
    (closes: #327692)
  * include -dbg version. That implies compiling with -g and without
    -fomit-frame-pointer (closes: #293823, #153811)
  * really include nl translation
  * remove special ia64 code from rc4 code to make the abi compatible to
    older 0.9.7 versions (closes: #310489, #309274)
  * fix compile flag for debian-ppc64 (closes: #318750)
  * small fix in libssl0.9.7.postinst (closes: #239956)
  * fix pk7_mime.c to prevent garbled messages because of too early memory
    free (closes: #310184)
  * include Vietnamese debconf translation (closes: #316689)
  * make optimized i386 libraries have non executable stack (closes:
  * remove leftover files from ssleay
  * move from dh_installmanpages to dh_installman
  * change Maintainer to <email address hidden>
  * New upstream release
    * Added support for proxy certificates according to RFC 3820.
      Because they may be a security threat to unaware applications,
      they must be explicitly allowed in run-time. See
      docs/HOWTO/proxy_certificates.txt for further information.
    * Prompt for pass phrases when appropriate for PKCS12 input format.
    * Back-port of selected performance improvements from development
      branch, as well as improved support for PowerPC platforms.
    * Add lots of checks for memory allocation failure, error codes to indicate
      failure and freeing up memory if a failure occurs.
    * Perform some character comparisons of different types in X509_NAME_cmp:
      this is needed for some certificates that reencode DNs into UTF8Strings
      (in violation of RFC3280) and can't or won't issue name rollover
  * corrected watchfile
  * added upstream source url (closes: #292904)
  * fix typo in CA.pl.1 (closes: #290271)
  * change debian-powerpc64 to debian-ppc64 and adapt the configure
    options to be the same as upstream (closes: #289841)
  * include -signcert option in CA.pl usage
  * compile with zlib-dynamic to use system zlib (closes: #289872)

356487a... by Christoph Martin <email address hidden> on 2004-12-16

Import patches-unapplied version 0.9.7e-3 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: e75c4ef37c48280805a3b468cdaecc1f13aba5d4

New changelog entries:
  * really fix der_chop. The fix from -1 was not really included (closes:
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile race condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
  * fix perl path in der_chop and c_rehash (closes: #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile race condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
  * SECURITY UPDATE: fix insecure temporary file handling
  * apps/der_chop:
    - replaced $$-style creation of temporary files with
    - removed unused temporary file name in do_certificate()
  * References:
    CAN-2004-0975 (closes: #278260)
  * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
  * New upstream release with security fixes
    - Avoid a race condition when CRLs are checked in a multi threaded
    - Various fixes to s3_pkt.c so alerts are sent properly.
    - Reduce the chances of duplicate issuer name and serial numbers (in
      violation of RFC3280) using the OpenSSL certificate creation
  * depends openssl on perl-base instead of perl (closes: #280225)
  * support powerpc64 in Configure (closes: #275224)
  * include cs translation (closes: #273517)
  * include nl translation (closes: #272479)
  * Fix default dir of c_rehash (closes: #253126)
  * Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
  * add Catalan translation (closes: #248749)
  * add Spanish translation (closes: #254561)
  * include NMU fixes: see below
  * decrease optimisation level for debian-arm to work around gcc bug
    (closes: #253848) (thanks to Steve Langasek and Thom May)
  * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
  * Add watchfile

e75c4ef... by Christoph Martin <email address hidden> on 2004-05-24

Import patches-unapplied version 0.9.7d-3 to ubuntu/warty

Imported using git-ubuntu import.