ubuntu/+source/openssl:ubuntu/saucy-devel

Last commit made on 2014-06-23
Get this branch:
git clone -b ubuntu/saucy-devel https://git.launchpad.net/ubuntu/+source/openssl
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/saucy-devel
Repository:
lp:ubuntu/+source/openssl

Recent commits

7a97a8a... by Marc Deslauriers on 2014-06-20

Import patches-unapplied version 1.0.1e-3ubuntu1.6 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: 67e5239b6cf7200a9eff40427302a45b72be9ff9

New changelog entries:
  * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643)
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
      sending finished ssl/s3_clnt.c.

67e5239... by Marc Deslauriers on 2014-06-12

Import patches-unapplied version 1.0.1e-3ubuntu1.5 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: f68a97acc22d904dbb538ef749b0b186cf8be27a

New changelog entries:
  * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297)
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
      tls_session_secret_cb for session resumption in ssl/s3_clnt.c.

f68a97a... by Marc Deslauriers on 2014-06-02

Import patches-unapplied version 1.0.1e-3ubuntu1.4 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: 52667b05a0d9f745e91393974262730c4f158c88

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
    - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
      fragments in ssl/d1_both.c.
    - CVE-2014-0195
  * SECURITY UPDATE: denial of service via DTLS recursion flaw
    - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without
      recursion in ssl/d1_both.c.
    - CVE-2014-0221
  * SECURITY UPDATE: MITM via change cipher spec
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
      when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
      ssl/ssl3.h.
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
      secrets in ssl/s3_pkt.c.
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
      ssl/s3_clnt.c.
    - CVE-2014-0224
  * SECURITY UPDATE: denial of service via ECDH null session cert
    - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
      before dereferencing it in ssl/s3_clnt.c.
    - CVE-2014-3470

52667b0... by Marc Deslauriers on 2014-05-02

Import patches-unapplied version 1.0.1e-3ubuntu1.3 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: f7ba11022ba11849994bce6c181a12983baf3318

New changelog entries:
  * SECURITY UPDATE: denial of service via use after free
    - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before
      releasing buffers in ssl/s3_pkt.c.
    - CVE-2010-5298
  * SECURITY UPDATE: denial of service via null pointer dereference
    - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new
      one in ssl/s3_pkt.c.
    - CVE-2014-0198

f7ba110... by Marc Deslauriers on 2014-04-07

Import patches-unapplied version 1.0.1e-3ubuntu1.2 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: 2df91e5ca84d01d511668cf6e29c4ec58a37f42f

New changelog entries:
  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160

2df91e5... by Marc Deslauriers on 2014-01-08

Import patches-unapplied version 1.0.1e-3ubuntu1.1 to ubuntu/saucy-security

Imported using git-ubuntu import.

Changelog parent: 5070e5c3f6b4678e3ceccff8a2fe3cb2e90d0415

New changelog entries:
  * SECURITY UPDATE: denial of service via invalid TLS handshake
    - debian/patches/CVE-2013-4353.patch: handle no new cipher setup in
      ssl/s3_both.c.
    - CVE-2013-4353
  * SECURITY UPDATE: denial of service via incorrect data structure
    - debian/patches/CVE-2013-6449.patch: check for handshake digests in
      ssl/s3_both.c,ssl/s3_pkt.c,ssl/t1_enc.c, use proper version in
      ssl/s3_lib.c.
    - CVE-2013-6449
  * SECURITY UPDATE: denial of service via DTLS retransmission
    - debian/patches/CVE-2013-6450.patch: fix DTLS retransmission in
      crypto/evp/digest.c,ssl/d1_both.c,ssl/s3_pkt.c,ssl/s3_srvr.c,
      ssl/ssl_locl.h,ssl/t1_enc.c.
    - CVE-2013-6450
  * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as
    default unless explicitly requested.

5070e5c... by Matthias Klose on 2013-07-15

Import patches-unapplied version 1.0.1e-3ubuntu1 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 8ce1bbd8473d512f65274dbd5fa5b0845fb8127e

New changelog entries:
  * Merge with Debian, remaining changes.
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification on libssl1.0.0
        upgrade on servers.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i586 (on i386)
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
    - Unapply patch c_rehash-multi and comment it out in the series as it
      breaks parsing of certificates with CRLF line endings and other cases
      (see Debian #642314 for discussion), it also changes the semantics of
      c_rehash directories by requiring applications to parse hash link
      targets as files containing potentially *multiple* certificates rather
      than exactly one.
    - debian/patches/tls12_workarounds.patch: Workaround large client hello
      issues when TLS 1.1 and lower is in use
    - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
    - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly
      code.
    - debian/patches/arm64-support: Add basic arm64 support (no assembler)
    - debian/rules: Enable optimized 64bit elliptic curve code contributed
      by Google.
  * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2
    in test suite since we disable it in the client.
  * Disable compression to avoid CRIME systemwide (CVE-2012-4929).
  * Dropped changes:
    - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian.

8ce1bbd... by Kurt Roeckx on 2013-05-20

Import patches-unapplied version 1.0.1e-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 05b54a0cf8b6dcdcbc4727cf5a25c42dc1c94f3d

New changelog entries:
  * Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
    mark libssl-dev Multi-Arch: same.
    Patch by Colin Watson <email address hidden> (Closes: #689093)
  * Add Polish translation (Closes: #658162)
  * Add Turkish translation (Closes: #660971)
  * Enable assembler for the arm targets, and remove armeb.
    Patch by Riku Voipio <email address hidden> (Closes: #676533)
  * Add support for x32 (Closes: #698406)
  * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)

05b54a0... by Kurt Roeckx on 2013-03-18

Import patches-unapplied version 1.0.1e-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e19510efe2346627266c179dc39dc63e98114a4b

New changelog entries:
  * Bump shlibs. It's needed for the udeb.
  * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
  * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
  * Fix problem with DTLS version check (Closes: #701826)
  * Fix segfault in SSL_get_certificate (Closes: #703031)

e19510e... by Kurt Roeckx on 2013-02-11

Import patches-unapplied version 1.0.1e-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 23d2b7c8d282b3bd60601b7c48cf594106d126ef

New changelog entries:
  * New upstream version (Closes: #699889)
    - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
    - Drop renegiotate_tls.patch, applied upstream
    - Export new CRYPTO_memcmp symbol, update symbol file
  * Add ssltest_no_sslv2.patch so that "make test" works.
  * Re-enable assembler versions on sparc. They shouldn't have
    been disabled for sparc v9. (Closes: #649841)