Last commit made on 2008-05-13
Get this branch:
git clone -b ubuntu/feisty-security https://git.launchpad.net/ubuntu/+source/openssl
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

17fb35f... by Kees Cook on 2008-05-09

Import patches-unapplied version 0.9.8c-4ubuntu0.3 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: d968188925426e925e8c7078074ea6d9793adba2

New changelog entries:
  * SECURITY UPDATE: PRNG seeding was not fully operational.
  * crypto/rand/md_rand.c: restore upstream code.

d968188... by Kees Cook on 2007-10-19

Import patches-unapplied version 0.9.8c-4ubuntu0.2 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: 244e2a5bfe117bfea23cadbbec2b13616fcf4e54

New changelog entries:
  * SECURITY UPDATE: DTLS implementation can lead to remote code execution.
  * ssl/{ssl_err,d1_both}.c, ssl/{dtls1,ssl}.h: patched inline with upstream
    fixes backported thanks to Ludwig Nussel.
  * References

244e2a5... by Kees Cook on 2007-09-28

Import patches-unapplied version 0.9.8c-4ubuntu0.1 to ubuntu/feisty-security

Imported using git-ubuntu import.

Changelog parent: 2c9ef4abae7bfb1418c907ec43800c25ac00288a

New changelog entries:
  [ Jamie Strandboge ]
  * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
    buffer overflow
  * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
    Stephan Hermann
  * References:
    Fixes LP: #146269
  * Modify Maintainer value to match the DebianMaintainerField
  [ Kees Cook ]
  * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
  * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
  * References

2c9ef4a... by Matthias Klose on 2007-03-05

Import patches-unapplied version 0.9.8c-4build1 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 20d2ab7db063d6a3a9d7ea109f67a2ebcd83c8ae

New changelog entries:
  * Rebuild for changes in the amd64 toolchain.

20d2ab7... by Kurt Roeckx on 2006-11-30

Import patches-unapplied version 0.9.8c-4 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: c1d2d17be519b41526d5f68261a06ded06fef958

New changelog entries:
  * Add German debconf translation. Thanks to
    Johannes Starosta <email address hidden> (Closes: #388108)
  * Make c_rehash look for both .pem and .crt files. Also make it support
    files in DER format. Patch by "Yauheni Kaliuta" <email address hidden>
    (Closes: #387089)
  * Use & instead of && to check a flag in the X509 policy checking.
    Patch from upstream cvs. (Closes: #397151)
  * Also restart slapd for security updates (Closes: #400221)
  * Add Romanian debconf translation. Thanks to
    stan ioan-eugen <email address hidden> (Closes: #393507)

c1d2d17... by Kurt Roeckx on 2006-10-02

Import patches-unapplied version 0.9.8c-3 to ubuntu/feisty

Imported using git-ubuntu import.

Changelog parent: 365a564ba4f195916b6830f8367ef4f892a770ec

New changelog entries:
  * Fix patch for CVE-2006-2940, it left ctx unintiliased.
  * Fix security vulnerabilities (CVE-2006-2937, CVE-2006-2940,
    CVE-2006-3738, CVE-2006-4343). Urgency set to high.
  * New upstream release
    - block padding bug with compression now fixed upstream, using
      their patch.
    - Includes the RSA Signature Forgery (CVE-2006-4339) patch.
    - New functions AES_bi_ige_encrypt and AES_ige_encrypt:
      bumping shlibs to require 0.9.8c-1.
  * Change the postinst script to check that ntp is installed instead
    of ntp-refclock and ntp-simple. The binary is now in the ntp
  * Move the modified rand/md_rand.c file to the right place,
    really fixing #363516.
  * Add partimage-server conserver-server and tor to the list of service
    to check for restart. Add workaround for openssh-server so it finds
    the init script. (Closes: #386365, #386400, #386513)
  * Add manpage for c_rehash.
    Thanks to James Westby <email address hidden> (Closes: #215618)
  * Add Lithuanian debconf translation.
    Thanks to Gintautas Miliauskas <email address hidden> (Closes: #374364)
  * Add m32r support.
    Thanks to Kazuhiro Inaoka <email address hidden>
    (Closes: #378689)
  * Fix RSA Signature Forgery (CVE-2006-4339) using patch provided
    by upstream.
  * Restart services using a smaller version that 0.9.8b-3, so
    they get the fixed version.
  * Change the postinst to check for postfix instead of postfix-tls.

365a564... by Kurt Roeckx on 2006-05-15

Import patches-unapplied version 0.9.8b-2 to ubuntu/edgy

Imported using git-ubuntu import.

Changelog parent: f66058c6720a830b88820a5aa97b08c417c851be

New changelog entries:
  * Don't call gcc with -mcpu on i386, we already use -march, so no need for
    -mtune either.
  * Always make all directories when building something:
    - The engines directory didn't get build for the static directory, so
      where missing in libcrypo.a
    - The apps directory didn't always get build, so we didn't have an openssl
      and a small part of the regression tests failed.
  * Make the package fail to build if the regression tests fail.
  * New upstream release
    - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
    - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
      instead of FALSE.
    - CA.pl/CA.sh creates crlnumber now. (Closes: #347612)
  * Run debconf-updatepo, which really already was in the 0.9.8a-8 version
    as it was uploaded.
  * Add Galician debconf translation. Patch from
    Jacobo Tarrio <email address hidden> (Closes: #361266)
  * libssl0.9.8.postinst makes uses of bashisms (local variables)
    so use #!/bin/bash
  * libssl0.9.8.postinst: Call set -e after sourcing the debconf
  * libssl0.9.8.postinst: Change list of service that may need
    to be restarted:
    - Replace ssh by openssh-server
    - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
    - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
      fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
  * libssl0.9.8.postinst: The check to see if something was installed
    wasn't working.
  * libssl0.9.8.postinst: Add workaround to find the name of the init
    script for proftpd and dovecot.
  * libssl0.9.8.postinst: Use invoke-rc.d when it's available.
  * Change Standards-Version to 3.7.0:
    - Make use of invoke-rc.d
  * Add comment to README.Debian that rc5, mdc2 and idea have been
    disabled (since 0.9.6b-3) (Closes: #362754)
  * Don't add uninitialised data to the random number generator. This stop
    valgrind from giving error messages in unrelated code.
    (Closes: #363516)
  * Put the FAQ in the openssl docs.
  * Add russian debconf translations from Yuriy Talakan <email address hidden>
    (Closes #367216)
  * Call pod2man with the proper section. Section changed
    from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL. The name of the files
    already had the ssl in, the section didn't. The references
    to other manpage is still wrong.
  * Don't install the LICENSE file, it's already in the copyright file.
  * Don't set an rpath on openssl to point to /usr/lib.
  * Add support for kfreebsd-amd64. (Closes: #355277)
  * Add udeb to the shlibs. Patch from Frans Pop <email address hidden>
    (Closes: #356908)
  * Add italian debconf templates. Thanks to Luca Monducci.
    (Closes: #350249)
  * Change the debconf question to use version 0.9.8-3
    instead of 0.9.8-1, since that's the last version
    with a security fix.
  * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
    (Closes: #352047). RC bug affecting testing, so urgency high.
  * Remove empty postinst/preinst/prerm scripts. There is no need
    to have empty ones, debhelper will add them when needed.
  * Remove the static pic libraries. Nobody should be linking
    it's shared libraries static to libssl or libcrypto.
    This was added for opensc who now links to it shared.
  * Do not assume that in case the sequence number is 0 and the
    packet has an odd number of bytes that the other side has
    the block padding bug, but try to check that it actually
    has the bug. The wrong detection of this bug resulted
    in an "decryption failed or bad record mac" error in case
    both sides were using zlib compression. (Closes: #338006)

f66058c... by Kurt Roeckx on 2005-12-13

Import patches-unapplied version 0.9.8a-5 to ubuntu/dapper

Imported using git-ubuntu import.

Changelog parent: 356487a868d6cbf990cddfd08c115d6d0c946072

New changelog entries:
  * Stop ssh from crashing randomly on sparc (Closes: #335912)
    Patch from upstream cvs.
  * Call dh_makeshlibs with the proper version instead of putting
    it in shlibs.local, which doesn't seem to do anything. 0.9.8a-1
    added symbol versioning, so it should have bumped the shlibs.
    (Closes: #338284)
  * The openssl package had a duplicate dependency on libssl0.9.8,
    only require the version as required by the shlibs.
  * Make libssl-dev depend on zlib1g-dev, since it's now required for
    static linking. (Closes: #338313)
  * Generate .pc files that make use of Libs.private, so things only
    link to the libraries they should when linking shared.
  * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
  * Make powerpc and ppc64 use the assembler version for bn. ppc64
    had the location in the string wrong, powerpc had it missing.
  * Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
    ripemd.h and sha.h. (Closes: #333101)
  * Run make test for each of the versions we build, make it
    not fail the build process if an error is found.
  * Add build dependency on bc for the regression tests.
  * Link to libz instead of dynamicly loading it. It gets loaded
    at the moment the library is initialised, so there is no point
    in not linking to it. It's now failing in some cases since
    it's not opened by it's soname, but by the symlink to it.
    This should hopefully solve most of the bugs people have reported
    since the move to libssl0.9.8.
    (Closes: #334180, #336140, #335271)
  * Urgency set to high because it fixes a grave bug affecting testing.
  * Add Build-Dependency on m4, since sparc needs it to generate
    it's assembler files. (Closes: #334542)
  * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
    and causes a segfault. (Closes: #334501, #334502)
  Christoph Martin:
  * fix asm entries for some architectures, fixing #332758 properly.
  * add noexecstack option to i386 subarch
  * include symbol versioning in Configure (closes: #330867)
  * include debian-armeb arch (closes: #333579)
  * include new upstream patches; includes some minor fixes
  * fix dh_shlibdeps line, removing the redundant dependency on
    libssl0.9.8 (closes: #332755)
  * add swedish debconf template (closes: #330554)
  Kurt Roeckx:
  * Also add noexecstack option for amd64, since it now has an
    executable stack with the assembler fixes for amd64.
  * Apply security fix for CAN-2005-2969. (Closes: #333500)
  * Change priority of -dbg package to extra.
  * Don't use arch specific assembler. Should fix build failure on
    ia64, sparc and amd64. (Closes: #332758)
  * Add myself to the uploaders.
  * New upstream release (closes: #311826)
  * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
    (closes: #327692)
  * include -dbg version. That implies compiling with -g and without
    -fomit-frame-pointer (closes: #293823, #153811)
  * really include nl translation
  * remove special ia64 code from rc4 code to make the abi compatible to
    older 0.9.7 versions (closes: #310489, #309274)
  * fix compile flag for debian-ppc64 (closes: #318750)
  * small fix in libssl0.9.7.postinst (closes: #239956)
  * fix pk7_mime.c to prevent garbled messages because of to early memory
    free (closes: #310184)
  * include vietnamese debconf translation (closes: #316689)
  * make optimized i386 libraries have non executable stack (closes:
  * remove leftover files from ssleay
  * move from dh_installmanpages to dh_installman
  * change Maintainer to <email address hidden>
  * New upstream release
    * Added support for proxy certificates according to RFC 3820.
      Because they may be a security thread to unaware applications,
      they must be explicitely allowed in run-time. See
      docs/HOWTO/proxy_certificates.txt for further information.
    * Prompt for pass phrases when appropriate for PKCS12 input format.
    * Back-port of selected performance improvements from development
      branch, as well as improved support for PowerPC platforms.
    * Add lots of checks for memory allocation failure, error codes to indicate
      failure and freeing up memory if a failure occurs.
    * Perform some character comparisons of different types in X509_NAME_cmp:
      this is needed for some certificates that reencode DNs into UTF8Strings
      (in violation of RFC3280) and can't or wont issue name rollover
  * corrected watchfile
  * added upstream source url (closes: #292904)
  * fix typo in CA.pl.1 (closes: #290271)
  * change debian-powerpc64 to debian-ppc64 and adapt the configure
    options to be the same like upstream (closes: #289841)
  * include -signcert option in CA.pl usage
  * compile with zlib-dynamic to use system zlib (closes: #289872)

356487a... by Christoph Martin <email address hidden> on 2004-12-16

Import patches-unapplied version 0.9.7e-3 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: e75c4ef37c48280805a3b468cdaecc1f13aba5d4

New changelog entries:
  * really fix der_chop. The fix from -1 was not really included (closes:
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
  * fix perl path in der_chop and c_rehash (closes: #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
  * SECURITY UPDATE: fix insecure temporary file handling
  * apps/der_chop:
    - replaced $$-style creation of temporary files with
    - removed unused temporary file name in do_certificate()
  * References:
    CAN-2004-0975 (closes: #278260)
  * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
  * New upstream release with security fixes
    - Avoid a race condition when CRLs are checked in a multi threaded
    - Various fixes to s3_pkt.c so alerts are sent properly.
    - Reduce the chances of duplicate issuer name and serial numbers (in
      violation of RFC3280) using the OpenSSL certificate creation
  * depends openssl on perl-base instead of perl (closes: #280225)
  * support powerpc64 in Configure (closes: #275224)
  * include cs translation (closes: #273517)
  * include nl translation (closes: #272479)
  * Fix default dir of c_rehash (closes: #253126)
  * Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
  * add Catalan translation (closes: #248749)
  * add Spanish translation (closes: #254561)
  * include NMU fixes: see below
  * decrease optimisation level for debian-arm to work around gcc bug
    (closes: #253848) (thanks to Steve Langasek and Thom May)
  * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
  * Add watchfile

e75c4ef... by Christoph Martin <email address hidden> on 2004-05-24

Import patches-unapplied version 0.9.7d-3 to ubuntu/warty

Imported using git-ubuntu import.