openssl (0.9.8o-1ubuntu4.4+lliurex2) UNRELEASED; urgency=low * NOT RELEASED YET -- Angel Berlanas Vicente Thu, 16 Feb 2012 14:45:07 +0100 openssl (0.9.8o-1ubuntu4.4+lliurex1) lucid; urgency=low * Uploaders Fixed * ToNemo -- Angel Berlanas Vicente Thu, 16 Feb 2012 14:28:28 +0100 openssl (0.9.8o-1ubuntu4.4) lucid; urgency=low [ Steve Beattie ] * SECURITY UPDATE: OCSP stapling vulnerability - debian/patched/openssl-CVE-2011-0014-secadv_20110208.patch: stricter parsing of ClientHello message in ssl/t1_lib.c - CVE-2011-0014 -- Angel Berlanas Vicente Thu, 16 Feb 2012 14:27:50 +0100 openssl (0.9.8o-1ubuntu4.3) maverick-security; urgency=low * SECURITY UPDATE: ciphersuite downgrade vulnerability - openssl-CVE-2010-4180-secadv_20101202-0.9.8.patch: disable workaround for Netscape cipher suite bug in ssl/s3_clnt.c and ssl/s3_srvr.c - CVE-2010-4180 -- Steve Beattie Thu, 02 Dec 2010 16:24:31 -0800 openssl (0.9.8o-1ubuntu4.2) maverick-security; urgency=low * SECURITY UPDATE: TLS race condition leading to a buffer overflow and possible code execution. (LP: #676243) - patches/debian/openssl-CVE-2010-3864-secadv_20101116-0.9.8.patch: stricter NULL/not-NULL checking in ssl/t1_lib.c - CVE-2010-3864 -- Steve Beattie Tue, 16 Nov 2010 10:07:49 -0800 openssl (0.9.8o-1ubuntu4.1) maverick-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via crafted private key with an invalid prime. - debian/patches/CVE-2010-2939.patch: set bn_ctx to NULL after freeing it in ssl/s3_clnt.c. - CVE-2010-2939 -- Marc Deslauriers Wed, 06 Oct 2010 16:46:36 -0400 openssl (0.9.8o-1ubuntu4) maverick; urgency=low * Update AES-NI patch to openssl-0.9.8-aesni-modes-perlasm-win32-v4.patch from http://rt.openssl.org/Ticket/Display.html?id=2067, fixing segfault on engine initialisation (LP: #590639). -- Colin Watson Fri, 24 Sep 2010 12:20:49 +0100 openssl (0.9.8o-1ubuntu3) maverick; urgency=low * debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS. The protocol is unsafe and extremely deprecated. (Debian bug 589706) -- Kees Cook Tue, 20 Jul 2010 08:24:13 -0700 openssl (0.9.8o-1ubuntu2) maverick; urgency=low * Don't build anymore for processors not supported anymore in maverick: - i486, i586 (on i386). - v8 (on sparc). -- Matthias Klose Mon, 19 Jul 2010 16:44:10 +0200 openssl (0.9.8o-1ubuntu1) maverick; urgency=low * Merge from debian unstable, remaining changes (LP: #581167): - debian/patches/Bsymbolic-functions.patch: Link using -Bsymbolic-functions - Ship documentation in openssl-doc, suggested by the package. - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Replace duplicate files in the doc directory with symlinks. - Move runtime libraries to /lib, for the benefit of wpasupplicant - Use host compiler when cross-building (patch from Neil Williams in Debian #465248). - Don't run 'make test' when cross-building. - Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). - debian/patches/aesni.patch: Backport Intel AES-NI support from http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under .pc. * Dropped patches, now upstream: - debian/patches/CVE-2009-3245.patch - debian/patches/CVE-2010-0740.patch - debian/patches/dtls-compatibility.patch - debian/patches/CVE-2009-4355.patch * Dropped "Add support for lpia". * Dropped "Disable SSLv2 during compile" as this had never actually disabled SSLv2. * Don't disable CVE-2009-3555.patch for Maverick. -- Marc Deslauriers Mon, 14 Jun 2010 09:08:29 -0400 openssl (0.9.8o-1) unstable; urgency=low * New upstream version - Add SHA2 algorithms to SSL_library_init(). - aes-x86_64.pl is now PIC, update pic.patch. * Add sparc64 support (Closes: #560240) -- Kurt Roeckx Sun, 18 Apr 2010 01:42:44 +0200 openssl (0.9.8n-1) unstable; urgency=high * New upstream version. - Fixes CVE-2010-0740. - Drop cfb.patch, applied upstream. -- Kurt Roeckx Thu, 25 Mar 2010 20:30:52 +0100 openssl (0.9.8m-2) unstable; urgency=low * Revert CFB block length change preventing reading older files. (Closes: #571810, #571940) -- Kurt Roeckx Sun, 28 Feb 2010 22:08:49 +0100 openssl (0.9.8m-1) unstable; urgency=low * New upstream version - Implements RFC5746, reenables renegotiation but requires the extension. - Fixes CVE-2009-3245 - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch, CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch, CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch, no_check_self_signed.patch: applied upstream - pk7_mime_free.patch removed, code rewritten - ca.diff partially applied upstream - engines-path.patch adjusted, upstream made some minor changes to the build system. - some flags changed values, bump shlibs. * Switch to 3.0 (quilt) source package. * Make sure the package is properly cleaned. * Add ${misc:Depends} to the Depends on all packages. * Fix spelling of extension in the changelog file. -- Kurt Roeckx Sat, 27 Feb 2010 12:24:03 +0000 openssl (0.9.8k-8) unstable; urgency=high * Clean up zlib state so that it will be reinitialized on next use and not cause a memory leak. (CVE-2009-4355, CVE-2008-1678) -- Kurt Roeckx Wed, 13 Jan 2010 21:26:49 +0100 openssl (0.9.8k-7ubuntu8) lucid; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via unchecked return values - debian/patches/CVE-2009-3245.patch: check bn_wexpand return value in crypto/bn/{bn_div.c,bn_gf2m.c,bn_mul.c}, crypto/ec/ec2_smpl.c, engines/e_ubsec.c. - CVE-2009-3245 * SECURITY UPDATE: denial of service via "record of death" - debian/patches/CVE-2010-0740.patch: only send back minor version number in ssl/s3_pkt.c. - CVE-2010-0740 -- Marc Deslauriers Tue, 30 Mar 2010 08:57:51 -0400 openssl (0.9.8k-7ubuntu7) lucid; urgency=low * debian/patches/dtls-compatibility.patch: backport dtls compatibility code from 0.9.8m to fix interopability. (LP: #516318) -- Marc Deslauriers Fri, 26 Mar 2010 08:31:09 -0400 openssl (0.9.8k-7ubuntu6) lucid; urgency=low * Backport Intel AES-NI support from http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). * Don't change perl #! paths under .pc. -- Colin Watson Mon, 01 Feb 2010 15:40:27 -0800 openssl (0.9.8k-7ubuntu5) lucid; urgency=low * SECURITY UPDATE: memory leak possible during state clean-up. - Add CVE-2009-4355.patch, upstream fixes thanks to Debian. -- Kees Cook Fri, 22 Jan 2010 09:50:01 -0800 openssl (0.9.8k-7ubuntu4) lucid; urgency=low * Use host compiler when cross-building (patch from Neil Williams in Debian #465248). * Don't run 'make test' when cross-building. * Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). -- Colin Watson Tue, 05 Jan 2010 16:09:38 +0000 openssl (0.9.8k-7ubuntu3) lucid; urgency=low * debian/patches/disable-sslv2.patch: remove and apply inline to fix FTBFS when patch won't revert during the build process. -- Marc Deslauriers Mon, 07 Dec 2009 21:00:47 -0500 openssl (0.9.8k-7ubuntu2) lucid; urgency=low * debian/patches/{disable-sslv2,Bsymbolic-functions}.patch: apply Makefile sections inline as once the package is configured during the build process, the patches wouldn't revert anymore, causing a FTBFS on anything other than amd64. -- Marc Deslauriers Mon, 07 Dec 2009 19:52:15 -0500 openssl (0.9.8k-7ubuntu1) lucid; urgency=low * Merge from debian unstable, remaining changes (LP: #493392): - Link using -Bsymbolic-functions - Add support for lpia - Disable SSLv2 during compile - Ship documentation in openssl-doc, suggested by the package. - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Replace duplicate files in the doc directory with symlinks. - Move runtime libraries to /lib, for the benefit of wpasupplicant * Strip the patches out of the source into quilt patches * Disable CVE-2009-3555.patch -- Nicolas Valcárcel Scerpella (Canonical) Sun, 06 Dec 2009 20:16:24 -0500 openssl (0.9.8k-7) unstable; urgency=low * Bump the shlibs to require 0.9.8k-1. The following symbols to added between g and k: AES_wrap_key, AES_unwrap_key, ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn, SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex, BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init, int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions, CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info, CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init, ENGINE_set_load_ssl_client_cert_function, ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert, EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags, EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex, RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0, X509at_get0_data_by_OBJ, X509_get1_ocsp -- Kurt Roeckx Sat, 28 Nov 2009 14:34:26 +0100 openssl (0.9.8k-6) unstable; urgency=low * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829) -- Kurt Roeckx Thu, 12 Nov 2009 18:10:31 +0000 openssl (0.9.8k-5) unstable; urgency=low * Don't check self signed certificate signatures in X509_verify_cert() (Closes: #541735) -- Kurt Roeckx Fri, 11 Sep 2009 15:42:32 +0200 openssl (0.9.8k-4) unstable; urgency=low * Split all the patches into a separate files * Stop undefinging HZ, the issue on alpha should be fixed. * Remove MD2 from digest algorithm table. (CVE-2009-2409) (Closes: #539899) -- Kurt Roeckx Tue, 11 Aug 2009 21:19:18 +0200 openssl (0.9.8k-3) unstable; urgency=low * Make rc4-x86_64 PIC. Based on patch from Petr Salinger (Closes: #532336) * Add workaround for kfreebsd that can't see the different between two pipes. Patch from Petr Salinger. -- Kurt Roeckx Sat, 13 Jun 2009 18:15:46 +0200 openssl (0.9.8k-2) unstable; urgency=low * Move libssl0.9.8-dbg to the debug section. * Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336) * Split the line to generate md5-x86_64.s in the Makefile. This will hopefully fix the build issue on kfreebsd that now outputs the file to stdout instead of the file. * Fix denial of service via an out-of-sequence DTLS handshake message (CVE-2009-1387) (Closes: #532037) -- Kurt Roeckx Mon, 08 Jun 2009 19:05:56 +0200 openssl (0.9.8k-1) unstable; urgency=low * New upstream release - 0.9.8i fixed denial of service via a DTLS ChangeCipherSpec packet that occurs before ClientHello (CVE-2009-1386) * Make aes-x86_64.pl use PIC. * Fix security issues (Closes: #530400) - "DTLS record buffer limitation bug." (CVE-2009-1377) - "DTLS fragment handling" (CVE-2009-1378) - "DTLS use after free" (CVE-2009-1379) * Fixed Configure for hurd: use -mtune=i486 instead of -m486 Patch by Marc Dequènes (Duck) (Closes: #530459) * Add support for avr32 (Closes: #528648) -- Kurt Roeckx Sat, 16 May 2009 17:33:55 +0200 openssl (0.9.8g-16ubuntu3) karmic; urgency=low * SECURITY UPDATE: certificate spoofing via hash collisions from MD2 design flaws. - crypto/evp/c_alld.c, ssl/ssl_algs.c: disable MD2 digest. - crypto/x509/x509_vfy.c: skip signature check for self signed certificates - http://marc.info/?l=openssl-cvs&m=124508133203041&w=2 - http://marc.info/?l=openssl-cvs&m=124704528713852&w=2 - CVE-2009-2409 -- Marc Deslauriers Tue, 08 Sep 2009 14:59:05 -0400 openssl (0.9.8g-16ubuntu2) karmic; urgency=low * Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by Marc Deslauriers) * SECURITY UPDATE: denial of service via memory consumption from large number of future epoch DTLS records. - crypto/pqueue.*: add new pqueue_size counter function. - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100. - http://cvs.openssl.org/chngview?cn=18187 - CVE-2009-1377 * SECURITY UPDATE: denial of service via memory consumption from duplicate or invalid sequence numbers in DTLS records. - ssl/d1_both.c: discard message if it's a duplicate or too far in the future. - http://marc.info/?l=openssl-dev&m=124263491424212&w=2 - CVE-2009-1378 * SECURITY UPDATE: denial of service or other impact via use-after-free in dtls1_retrieve_buffered_fragment. - ssl/d1_both.c: use temp frag_len instead of freed frag. - http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest - CVE-2009-1379 * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet that occurs before ClientHello. - ssl/s3_pkt.c: abort if s->session is NULL. - ssl/{ssl.h,ssl_err.c}: add new error codes. - http://cvs.openssl.org/chngview?cn=17369 - CVE-2009-1386 * SECURITY UPDATE: denial of service via an out-of-sequence DTLS handshake message. - ssl/d1_both.c: don't buffer fragments with no data. - http://cvs.openssl.org/chngview?cn=17958 - CVE-2009-1387 -- Jamie Strandboge Fri, 10 Jul 2009 14:44:47 -0500 openssl (0.9.8g-16ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - Link using -Bsymbolic-functions - Add support for lpia - Disable SSLv2 during compile - Ship documentation in openssl-doc, suggested by the package. - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Replace duplicate files in the doc directory with symlinks. -- Jamie Strandboge Thu, 14 May 2009 14:11:05 -0500 openssl (0.9.8g-16) unstable; urgency=high * Properly validate the length of an encoded BMPString and UniversalString (CVE-2009-0590) (Closes: #522002) -- Kurt Roeckx Wed, 01 Apr 2009 22:04:53 +0200 openssl (0.9.8g-15ubuntu3) jaunty; urgency=low * SECURITY UPDATE: crash via invalid memory access when printing BMPString or UniversalString with invalid length - crypto/asn1/tasn_dec.c, crypto/asn1/asn1_err.c and crypto/asn1/asn1.h: return error if invalid length - CVE-2009-0590 - http://www.openssl.org/news/secadv_20090325.txt - patch from upstream CVS: crypto/asn1/asn1.h:1.128.2.11->1.128.2.12 crypto/asn1/asn1_err.c:1.54.2.4->1.54.2.5 crypto/asn1/tasn_dec.c:1.26.2.10->1.26.2.11 -- Jamie Strandboge Fri, 27 Mar 2009 08:23:35 -0500 openssl (0.9.8g-15ubuntu2) jaunty; urgency=low * Move runtime libraries to /lib, for the benefit of wpasupplicant (LP: #44194). Leave symlinks behind in /usr/lib (except on the Hurd) since we used to set an rpath there. -- Colin Watson Fri, 06 Mar 2009 12:48:52 +0000 openssl (0.9.8g-15ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: LP: #314984 - Link using -Bsymbolic-functions - Add support for lpia - Disable SSLv2 during compile - Ship documentation in openssl-doc, suggested by the package. - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Replace duplicate files in the doc directory with symlinks. -- Bhavani Shankar Thu, 08 Jan 2009 12:38:06 +0530 openssl (0.9.8g-15) unstable; urgency=low * Internal calls to didn't properly check for errors which resulted in malformed DSA and ECDSA signatures being treated as a good signature rather than as an error. (CVE-2008-5077) * ipv6_from_asc() could write 1 byte longer than the buffer in case the ipv6 address didn't have "::" part. (Closes: #506111) -- Kurt Roeckx Mon, 05 Jan 2009 21:14:31 +0100 openssl (0.9.8g-14ubuntu2) jaunty; urgency=low * SECURITY UPDATE: clients treat malformed signatures as good when verifying server DSA and ECDSA certificates - update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c, ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and ssl/ssltest.c to properly check the return code of EVP_VerifyFinal() - patch based on upstream patch for #2008-016 - CVE-2008-5077 -- Jamie Strandboge Tue, 06 Jan 2009 00:44:19 -0600 openssl (0.9.8g-14ubuntu1) jaunty; urgency=low * Merge from debian unstable, remaining changes: - Link using -Bsymbolic-functions - Add support for lpia - Disable SSLv2 during compile - Ship documentation in openssl-doc, suggested by the package. - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Replace duplicate files in the doc directory with symlinks. -- Scott James Remnant Tue, 11 Nov 2008 17:24:44 +0000 openssl (0.9.8g-14) unstable; urgency=low * Don't give the warning about security updates when upgrading from etch since it doesn't have any known security problems. * Automaticly use engines that succesfully initialised. Patch from the 0.9.8h upstream version. (Closes: #502177) -- Kurt Roeckx Fri, 31 Oct 2008 22:45:14 +0100 openssl (0.9.8g-13) unstable; urgency=low * Fix a problem with tlsext preventing firefox 3 from connection. Patch from upstream CVS and part of 0.9.8h. (Closes: #492758) -- Kurt Roeckx Sun, 03 Aug 2008 19:47:10 +0200 openssl (0.9.8g-12) unstable; urgency=low * add the changelog of the 10.1 NMU to make bugtracking happy -- Christoph Martin Tue, 22 Jul 2008 14:58:26 +0200 openssl (0.9.8g-11) unstable; urgency=low [ Christoph Martin ] * updated cs, gl, sv, ru, ro debconf translation (closes: #480926, #480967, #482465, #484324, #488595) * add Vcs-Svn header (closes: #481654) * fix debian-kfreebsd-i386 build flags (closes: #482275) * add stunnel4 to restart list (closes: #482111) * include fixes from 10.1 NMU by Security team - Fix double free in TLS server name extension which leads to a remote denial of service (CVE-2008-0891; Closes: #483379). - Fix denial of service if the 'Server Key exchange message' is omitted from a TLS handshake which could lead to a client crash (CVE-2008-1672; Closes: #483379). This only works if openssl is compiled with enable-tlsext which is done in Debian. * fix some lintian warnings * update to newest standards version -- Christoph Martin Thu, 17 Jul 2008 09:53:01 +0200 openssl (0.9.8g-10.1ubuntu2) intrepid; urgency=low * debian/rules: - disable SSLv2 during compile * debian/README.debian - add note about disabled SSLv2 in Ubuntu -- Ante Karamatic Thu, 24 Jul 2008 12:47:09 +0200 openssl (0.9.8g-10.1ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - display a system restart required notification bubble on libssl0.9.8 upgrade. - ship documentation in new openssl-doc package. - configure: add support for lpia. - replace duplicate files in the doc directory with symlinks. - link using -bsymbolic-functions. - update maintainer as per spec. -- Luke Yelavich Tue, 10 Jun 2008 11:50:07 +1000 openssl (0.9.8g-10.1) unstable; urgency=high * Non-maintainer upload by the Security team. * Fix denial of service if the 'Server Key exchange message' is omitted from a TLS handshake which could lead to a client crash (CVE-2008-1672; Closes: #483379). This only works if openssl is compiled with enable-tlsext which is done in Debian. * Fix double free in TLS server name extension which leads to a remote denial of service (CVE-2008-0891; Closes: #483379). -- Nico Golde Tue, 27 May 2008 11:13:44 +0200 openssl (0.9.8g-10ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Ship documentation in new openssl-doc package. - Configure: Add support for lpia. - Replace duplicate files in the doc directory with symlinks. - Link using -Bsymbolic-functions. - Update maintainer as per spec. -- Luke Yelavich Mon, 12 May 2008 22:49:33 +1000 openssl (0.9.8g-10) unstable; urgency=low * undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK) to fix a build failure on alpha. -- Kurt Roeckx Thu, 08 May 2008 17:56:13 +0000 openssl (0.9.8g-9) unstable; urgency=high [ Christoph Martin ] * Include updated debconf translations (closes: #473477, #461597, #461880, #462011, #465517, #475439) [ Kurt Roeckx ] * ssleay_rand_add() really needs to call MD_Update() for buf. -- Kurt Roeckx Wed, 07 May 2008 20:32:12 +0200 openssl (0.9.8g-8ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Display a system restart required notification bubble on libssl0.9.8 upgrade. - Ship documentation in new openssl-doc package. - Configure: Add support for lpia. - Replace duplicate files in the doc directory with symlinks. - Link using -Bsymbolic-functions. - Update maintainer as per spec. -- Luke Yelavich Mon, 12 May 2008 10:09:20 +1000 openssl (0.9.8g-8) unstable; urgency=high * Don't add extensions to ssl v3 connections. It breaks with some other software. (Closes: #471681) -- Kurt Roeckx Sun, 23 Mar 2008 17:50:04 +0000 openssl (0.9.8g-7) unstable; urgency=low * Upload to unstable. -- Kurt Roeckx Wed, 13 Feb 2008 22:22:29 +0000 openssl (0.9.8g-6) experimental; urgency=low * Bump shlibs. -- Kurt Roeckx Sat, 09 Feb 2008 15:42:22 +0100 openssl (0.9.8g-5) experimental; urgency=low * Enable tlsext. This changes the ABI, but should hopefully not cause any problems. (Closes: #462596) -- Kurt Roeckx Sat, 09 Feb 2008 13:32:49 +0100 openssl (0.9.8g-4ubuntu3) hardy; urgency=low * Use a different priority for libssl0.9.8/restart-services depending on whether a desktop, or server dist-upgrade is being performed. (LP: #91814) * Display a system restart required notification bubble on libssl0.9.8 upgrade. -- Luke Yelavich Tue, 22 Apr 2008 10:50:53 +1000 openssl (0.9.8g-4ubuntu2) hardy; urgency=low * Ship documentation in new openssl-doc package, since it is very large and not terribly useful for the casual desktop user. -- Martin Pitt Tue, 11 Mar 2008 22:52:28 +0100 openssl (0.9.8g-4ubuntu1) hardy; urgency=low * Merge from unstable; remaining changes: - Configure: Add support for lpia. - Replace duplicate files in the doc directory with symlinks. - Link using -Bsymbolic-functions. -- Matthias Klose Tue, 29 Jan 2008 14:32:12 +0100 openssl (0.9.8g-4) unstable; urgency=low * Fix aes ige test speed not to overwrite it's buffer and cause segfauls. Thanks to Tim Hudson (Closes: #459619) * Mark some strings in the templates as non translatable. Patch from Christian Perrier (Closes: #450418) * Update Dutch debconf translation (Closes: #451290) * Update French debconf translation (Closes: #451375) * Update Catalan debconf translation (Closes: #452694) * Update Basque debconf translation (Closes: #457285) * Update Finnish debconf translation (Closes: #458261) -- Kurt Roeckx Wed, 16 Jan 2008 21:49:43 +0100 openssl (0.9.8g-3ubuntu1) hardy; urgency=low * Merge with Debian; remaining changes: - Configure: Add support for lpia. - Replace duplicate files in the doc directory with symlinks. -- Matthias Klose Wed, 05 Dec 2007 00:13:39 +0100 openssl (0.9.8g-3) unstable; urgency=low * aes-586.pl: push %ebx on the stack before we put some things on the stack and call a function, giving AES_decrypt() wrong values to work with. (Closes: #449200) -- Kurt Roeckx Sun, 04 Nov 2007 21:49:00 +0100 openssl (0.9.8g-2) unstable; urgency=low * Avoid text relocations on i386 caused by the assembler versions: - x86unix.pl: Create a function_begin_B_static to create a static/local assembler function. - aes-586.pl: Use the function_begin_B_static for _x86_AES_decrypt so that it doesn't get exported and doesn't have any (text) relocations. - aes-586.pl: Set up ebx to point to the GOT and call AES_set_encrypt_key via the PLT to avoid a relocation. - x86unix.pl: Call the init function via the PLT, avoiding a relocation in case of a PIC object. - cbc.pl: Call functions via the PLT. - desboth.pl: Call DES_encrypt2 via the PLT. * CA.sh should use the v3_ca extension when called with -newca (Closes: #428051) * Use -Wa,--noexecstack for all arches in Debian. (Closes: #430583) * Convert the failure message when services fail restart to a debconf message. * To restart a service, just restart, instead of stop and start. Hopefully fixes #444946 * Also remove igetest from the test dir in the clean target. (Closes: #424362) -- Kurt Roeckx Sat, 03 Nov 2007 13:25:45 +0100 openssl (0.9.8g-1) unstable; urgency=low * New upstream release - Fixes version number not to say it's a development version. -- Kurt Roeckx Sat, 20 Oct 2007 12:47:10 +0200 openssl (0.9.8f-1) unstable; urgency=low * New upstream release - Fixes DTLS issues, also fixes CVE-2007-4995 (Closes: #335703, #439737) - Proper inclusion of opensslconf.h in pq_compat.h (Closes: #408686) - New function SSL_set_SSL_CTX: bump shlibs. * Remove build dependency on gcc > 4.2 * Remove the openssl preinst, it looks like a workaround for a change in 0.9.2b where config files got moved. (Closes: #445095) * Update debconf translations: - Vietnamese (Closes: #426988) - Danish (Closes: #426774) - Slovak (Closes: #440723) - Finnish (Closes: #444258) -- Kurt Roeckx Sat, 13 Oct 2007 00:47:22 +0200 openssl (0.9.8e-9) unstable; urgency=high * CVE-2007-5135: Fix off by one error in SSL_get_shared_ciphers(). (Closes: #444435) * Add postgresql-8.2 to the list of services to check. -- Kurt Roeckx Fri, 28 Sep 2007 19:47:33 +0200 openssl (0.9.8e-8) unstable; urgency=low * Fix another case of the "if this code is reached, the program will abort" (Closes: #429740) * Temporary force to build with gcc >= 4.2 -- Kurt Roeckx Sun, 02 Sep 2007 18:12:11 +0200 openssl (0.9.8e-7) unstable; urgency=low * Fix problems with gcc-4.2 (Closes: #429740) * Stop using -Bsymbolic to create the shared library. * Make x86_64cpuid.pl use PIC. -- Kurt Roeckx Sun, 02 Sep 2007 16:15:18 +0200 openssl (0.9.8e-6) unstable; urgency=high * Add fix for CVE-2007-3108 (Closes: #438142) -- Kurt Roeckx Wed, 15 Aug 2007 19:49:54 +0200 openssl (0.9.8e-5ubuntu3) gutsy; urgency=low * Replace duplicate files in the doc directory with symlinks. -- Matthias Klose Thu, 04 Oct 2007 16:27:53 +0000 openssl (0.9.8e-5ubuntu2) gutsy; urgency=low [ Jamie Strandboge ] * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in buffer overflow * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to Stephan Hermann * References: CVE-2007-5135 http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded Fixes LP: #146269 * Modify Maintainer value to match the DebianMaintainerField specification. [ Kees Cook ] * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function. * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian. * References CVE-2007-3108 -- Kees Cook Fri, 28 Sep 2007 13:02:19 -0700 openssl (0.9.8e-5ubuntu1) gutsy; urgency=low * Configure: Add support for lpia. * Explicitely build using gcc-4.1 (PR other/31359). -- Matthias Klose Tue, 31 Jul 2007 12:47:38 +0000 openssl (0.9.8e-5) unstable; urgency=low [ Christian Perrier ] * Debconf templates proofread and slightly rewritten by the debian-l10n-english team as part of the Smith Review Project. Closes: #418584 * Debconf templates translations: - Arabic. Closes: #418669 - Russian. Closes: #418670 - Galician. Closes: #418671 - Swedish. Closes: #418679 - Korean. Closes: #418755 - Czech. Closes: #418768 - Basque. Closes: #418784 - German. Closes: #418785 - Traditional Chinese. Closes: #419915 - Brazilian Portuguese. Closes: #419959 - French. Closes: #420429 - Italian. Closes: #420461 - Japanese. Closes: #420482 - Catalan. Closes: #420833 - Dutch. Closes: #420925 - Malayalam. Closes: #420986 - Portuguese. Closes: #421032 - Romanian. Closes: #421708 [ Kurt Roeckx ] * Remove the Provides for the udeb. Patch from Frans Pop. (Closes: #419608) * Updated Spanish debconf template. (Closes: #421336) * Do the header changes, changing those defines into real functions, and bump the shlibs to match. * Update Japanese debconf translation. (Closes: #422270) -- Kurt Roeckx Tue, 15 May 2007 17:21:08 +0000 openssl (0.9.8e-4) unstable; urgency=low * openssl should depend on libssl0.9.8 0.9.8e-1 since it uses some of the defines that changed to functions. Other things build against libssl or libcrypto shouldn't have this problem since they use the old headers. (Closes: #414283) -- Kurt Roeckx Sat, 10 Mar 2007 17:11:46 +0000 openssl (0.9.8e-3) unstable; urgency=low * Add nagios-nrpe-server to the list of services to be checked (Closes: #391188) * EVP_CIPHER_CTX_key_length() should return the set key length in the EVP_CIPHER_CTX structure which may not be the same as the underlying cipher key length for variable length ciphers. From upstream CVS. (Closes: #412979) -- Kurt Roeckx Sun, 4 Mar 2007 23:22:51 +0000 openssl (0.9.8e-2) unstable; urgency=low * Undo include changes that change defines into real functions, but keep the new functions in the library. -- Kurt Roeckx Sun, 25 Feb 2007 19:19:19 +0000 openssl (0.9.8e-1) unstable; urgency=low * New upstream release - Inludes security fixes for CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343 (Closes: #408902) - s_client now properly works with SMTP. Also added support for IMAP. (closes: #221689) - Load padlock modules (Closes: #345656, #368476) * Add clamav-freshclam and clamav-daemon to the list of service that need to be restarted. (Closes: #391191) * Add armel support. Thanks to Guillem Jover for the patch. (Closes: #407196) * Add Portuguese translations. Thanks to Carlos Lisboa. (Closes: 408157) * Add Norwegian translations. Thanks to Bjørn Steensrud (Closes: #412326) -- Kurt Roeckx Sun, 25 Feb 2007 18:06:28 +0000 openssl (0.9.8c-4) unstable; urgency=low * Add German debconf translation. Thanks to Johannes Starosta (Closes: #388108) * Make c_rehash look for both .pem and .crt files. Also make it support files in DER format. Patch by "Yauheni Kaliuta" (Closes: #387089) * Use & instead of && to check a flag in the X509 policy checking. Patch from upstream cvs. (Closes: #397151) * Also restart slapd for security updates (Closes: #400221) * Add Romanian debconf translation. Thanks to stan ioan-eugen (Closes: #393507) -- Kurt Roeckx Thu, 30 Nov 2006 20:57:46 +0000 openssl (0.9.8c-3) unstable; urgency=low * Fix patch for CVE-2006-2940, it left ctx unintiliased. -- Kurt Roeckx Mon, 2 Oct 2006 18:05:00 +0200 openssl (0.9.8c-2) unstable; urgency=high * Fix security vulnerabilities (CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343). Urgency set to high. -- Kurt Roeckx Wed, 27 Sep 2006 21:24:55 +0000 openssl (0.9.8c-1) unstable; urgency=low * New upstream release - block padding bug with compression now fixed upstream, using their patch. - Includes the RSA Signature Forgery (CVE-2006-4339) patch. - New functions AES_bi_ige_encrypt and AES_ige_encrypt: bumping shlibs to require 0.9.8c-1. * Change the postinst script to check that ntp is installed instead of ntp-refclock and ntp-simple. The binary is now in the ntp package. * Move the modified rand/md_rand.c file to the right place, really fixing #363516. * Add partimage-server conserver-server and tor to the list of service to check for restart. Add workaround for openssh-server so it finds the init script. (Closes: #386365, #386400, #386513) * Add manpage for c_rehash. Thanks to James Westby (Closes: #215618) * Add Lithuanian debconf translation. Thanks to Gintautas Miliauskas (Closes: #374364) * Add m32r support. Thanks to Kazuhiro Inaoka (Closes: #378689) -- Kurt Roeckx Sun, 17 Sep 2006 14:47:59 +0000 openssl (0.9.8b-3) unstable; urgency=high * Fix RSA Signature Forgery (CVE-2006-4339) using patch provided by upstream. * Restart services using a smaller version that 0.9.8b-3, so they get the fixed version. * Change the postinst to check for postfix instead of postfix-tls. -- Kurt Roeckx Tue, 5 Sep 2006 18:26:10 +0000 openssl (0.9.8b-2) unstable; urgency=low * Don't call gcc with -mcpu on i386, we already use -march, so no need for -mtune either. * Always make all directories when building something: - The engines directory didn't get build for the static directory, so where missing in libcrypo.a - The apps directory didn't always get build, so we didn't have an openssl and a small part of the regression tests failed. * Make the package fail to build if the regression tests fail. -- Kurt Roeckx Mon, 15 May 2006 16:00:58 +0000 openssl (0.9.8b-1) unstable; urgency=low * New upstream release - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs. - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE instead of FALSE. - CA.pl/CA.sh creates crlnumber now. (Closes: #347612) * Run debconf-updatepo, which really already was in the 0.9.8a-8 version as it was uploaded. * Add Galician debconf translation. Patch from Jacobo Tarrio (Closes: #361266) * libssl0.9.8.postinst makes uses of bashisms (local variables) so use #!/bin/bash * libssl0.9.8.postinst: Call set -e after sourcing the debconf script. * libssl0.9.8.postinst: Change list of service that may need to be restarted: - Replace ssh by openssh-server - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1 - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql * libssl0.9.8.postinst: The check to see if something was installed wasn't working. * libssl0.9.8.postinst: Add workaround to find the name of the init script for proftpd and dovecot. * libssl0.9.8.postinst: Use invoke-rc.d when it's available. * Change Standards-Version to 3.7.0: - Make use of invoke-rc.d * Add comment to README.Debian that rc5, mdc2 and idea have been disabled (since 0.9.6b-3) (Closes: #362754) * Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516) * Put the FAQ in the openssl docs. * Add russian debconf translations from Yuriy Talakan (Closes #367216) -- Kurt Roeckx Thu, 4 May 2006 20:40:03 +0200 openssl (0.9.8a-8) unstable; urgency=low * Call pod2man with the proper section. Section changed from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL. The name of the files already had the ssl in, the section didn't. The references to other manpage is still wrong. * Don't install the LICENSE file, it's already in the copyright file. * Don't set an rpath on openssl to point to /usr/lib. * Add support for kfreebsd-amd64. (Closes: #355277) * Add udeb to the shlibs. Patch from Frans Pop (Closes: #356908) -- Kurt Roeckx Sat, 11 Feb 2006 14:14:37 +0100 openssl (0.9.8a-7) unstable; urgency=high * Add italian debconf templates. Thanks to Luca Monducci. (Closes: #350249) * Change the debconf question to use version 0.9.8-3 instead of 0.9.8-1, since that's the last version with a security fix. * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state (Closes: #352047). RC bug affecting testing, so urgency high. -- Kurt Roeckx Sat, 9 Feb 2006 19:07:56 +0100 openssl (0.9.8a-6) unstable; urgency=low * Remove empty postinst/preinst/prerm scripts. There is no need to have empty ones, debhelper will add them when needed. * Remove the static pic libraries. Nobody should be linking it's shared libraries static to libssl or libcrypto. This was added for opensc who now links to it shared. * Do not assume that in case the sequence number is 0 and the packet has an odd number of bytes that the other side has the block padding bug, but try to check that it actually has the bug. The wrong detection of this bug resulted in an "decryption failed or bad record mac" error in case both sides were using zlib compression. (Closes: #338006) -- Kurt Roeckx Mon, 21 Jan 2006 16:25:41 +0100 openssl (0.9.8a-5) unstable; urgency=low * Stop ssh from crashing randomly on sparc (Closes: #335912) Patch from upstream cvs. -- Kurt Roeckx Tue, 13 Dec 2005 21:37:42 +0100 openssl (0.9.8a-4) unstable; urgency=low * Call dh_makeshlibs with the proper version instead of putting it in shlibs.local, which doesn't seem to do anything. 0.9.8a-1 added symbol versioning, so it should have bumped the shlibs. (Closes: #338284) * The openssl package had a duplicate dependency on libssl0.9.8, only require the version as required by the shlibs. * Make libssl-dev depend on zlib1g-dev, since it's now required for static linking. (Closes: #338313) * Generate .pc files that make use of Libs.private, so things only link to the libraries they should when linking shared. * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486) * Make powerpc and ppc64 use the assembler version for bn. ppc64 had the location in the string wrong, powerpc had it missing. * Add includes for stddef to get size_t in md2.h, md4.h, md5.h, ripemd.h and sha.h. (Closes: #333101) * Run make test for each of the versions we build, make it not fail the build process if an error is found. * Add build dependency on bc for the regression tests. -- Kurt Roeckx Wed, 13 Nov 2005 16:01:05 +0100 openssl (0.9.8a-3) unstable; urgency=high * Link to libz instead of dynamicly loading it. It gets loaded at the moment the library is initialised, so there is no point in not linking to it. It's now failing in some cases since it's not opened by it's soname, but by the symlink to it. This should hopefully solve most of the bugs people have reported since the move to libssl0.9.8. (Closes: #334180, #336140, #335271) * Urgency set to high because it fixes a grave bug affecting testing. -- Kurt Roeckx Tue, 1 Nov 2005 14:56:40 +0100 openssl (0.9.8a-2) unstable; urgency=low * Add Build-Dependency on m4, since sparc needs it to generate it's assembler files. (Closes: #334542) * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken and causes a segfault. (Closes: #334501, #334502) -- Kurt Roeckx Tue, 18 Oct 2005 19:05:53 +0200 openssl (0.9.8a-1) unstable; urgency=low Christoph Martin: * fix asm entries for some architectures, fixing #332758 properly. * add noexecstack option to i386 subarch * include symbol versioning in Configure (closes: #330867) * include debian-armeb arch (closes: #333579) * include new upstream patches; includes some minor fixes * fix dh_shlibdeps line, removing the redundant dependency on libssl0.9.8 (closes: #332755) * add swedish debconf template (closes: #330554) Kurt Roeckx: * Also add noexecstack option for amd64, since it now has an executable stack with the assembler fixes for amd64. -- Christoph Martin Mon, 17 Oct 2005 17:01:06 +0200 openssl (0.9.8-3) unstable; urgency=low * Apply security fix for CAN-2005-2969. (Closes: #333500) * Change priority of -dbg package to extra. -- Kurt Roeckx Wed, 12 Oct 2005 22:38:58 +0200 openssl (0.9.8-2) unstable; urgency=low * Don't use arch specific assembler. Should fix build failure on ia64, sparc and amd64. (Closes: #332758) * Add myself to the uploaders. -- Kurt Roeckx Mon, 10 Oct 2005 19:22:36 +0200 openssl (0.9.8-1) unstable; urgency=low * New upstream release (closes: #311826) -- Christoph Martin Thu, 29 Sep 2005 14:20:04 +0200 openssl (0.9.7g-3) unstable; urgency=low * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386 (closes: #327692) * include -dbg version. That implies compiling with -g and without -fomit-frame-pointer (closes: #293823, #153811) -- Christoph Martin Fri, 23 Sep 2005 13:51:57 +0200 openssl (0.9.7g-2) unstable; urgency=low * really include nl translation * remove special ia64 code from rc4 code to make the abi compatible to older 0.9.7 versions (closes: #310489, #309274) * fix compile flag for debian-ppc64 (closes: #318750) * small fix in libssl0.9.7.postinst (closes: #239956) * fix pk7_mime.c to prevent garbled messages because of to early memory free (closes: #310184) * include vietnamese debconf translation (closes: #316689) * make optimized i386 libraries have non executable stack (closes: #321721) * remove leftover files from ssleay * move from dh_installmanpages to dh_installman * change Maintainer to pkg-openssl-devel@lists.alioth.debian.org -- Christoph Martin Wed, 7 Sep 2005 15:32:54 +0200 openssl (0.9.7g-1) unstable; urgency=low * New upstream release * Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, they must be explicitely allowed in run-time. See docs/HOWTO/proxy_certificates.txt for further information. * Prompt for pass phrases when appropriate for PKCS12 input format. * Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms. * Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. * Perform some character comparisons of different types in X509_NAME_cmp: this is needed for some certificates that reencode DNs into UTF8Strings (in violation of RFC3280) and can't or wont issue name rollover certificates. * corrected watchfile * added upstream source url (closes: #292904) * fix typo in CA.pl.1 (closes: #290271) * change debian-powerpc64 to debian-ppc64 and adapt the configure options to be the same like upstream (closes: #289841) * include -signcert option in CA.pl usage * compile with zlib-dynamic to use system zlib (closes: #289872) -- Christoph Martin Mon, 9 May 2005 23:32:03 +0200 openssl (0.9.7e-3) unstable; urgency=high * really fix der_chop. The fix from -1 was not really included (closes: #281212) * still fixes security problem CAN-2004-0975 etc. - tempfile raise condition in der_chop - Avoid a race condition when CRLs are checked in a multi threaded environment. -- Christoph Martin Thu, 16 Dec 2004 18:41:29 +0100 openssl (0.9.7e-2) unstable; urgency=high * fix perl path in der_chop and c_rehash (closes: #281212) * still fixes security problem CAN-2004-0975 etc. - tempfile raise condition in der_chop - Avoid a race condition when CRLs are checked in a multi threaded environment. -- Christoph Martin Sun, 14 Nov 2004 20:16:21 +0100 openssl (0.9.7e-1) unstable; urgency=high * SECURITY UPDATE: fix insecure temporary file handling * apps/der_chop: - replaced $$-style creation of temporary files with File::Temp::tempfile() - removed unused temporary file name in do_certificate() * References: CAN-2004-0975 (closes: #278260) * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357) * New upstream release with security fixes - Avoid a race condition when CRLs are checked in a multi threaded environment. - Various fixes to s3_pkt.c so alerts are sent properly. - Reduce the chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities. * depends openssl on perl-base instead of perl (closes: #280225) * support powerpc64 in Configure (closes: #275224) * include cs translation (closes: #273517) * include nl translation (closes: #272479) * Fix default dir of c_rehash (closes: #253126) -- Christoph Martin Fri, 12 Nov 2004 14:11:15 +0100 openssl (0.9.7d-5) unstable; urgency=low * Make S/MIME encrypt work again (backport from CVS) (closes: #241407, #241386) -- Christoph Martin Mon, 26 Jul 2004 17:22:42 +0200 openssl (0.9.7d-4) unstable; urgency=low * add Catalan translation (closes: #248749) * add Spanish translation (closes: #254561) * include NMU fixes: see below * decrease optimisation level for debian-arm to work around gcc bug (closes: #253848) (thanks to Steve Langasek and Thom May) * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank) * Add watchfile -- Christoph Martin Wed, 14 Jul 2004 14:31:02 +0200 openssl (0.9.7d-3) unstable; urgency=low * rename -pic.a libraries to _pic.a (closes: #250016) -- Christoph Martin Mon, 24 May 2004 17:02:29 +0200 openssl (0.9.7d-2) unstable; urgency=low * include PIC libs (libcrypto-pic.a and libssl-pic.a) to libssl-dev (closes: #246928, #243999) * add racoon to restart list (closes: #242652) * add Brazilian, Japanese and Danish translations (closes: #242087, #241830, #241705) -- Christoph Martin Tue, 11 May 2004 10:13:49 +0200 openssl (0.9.7d-1) unstable; urgency=high * new upstream * fixes security holes (http://www.openssl.org/news/secadv_20040317.txt) (closes: #238661) * includes support for debian-amd64 (closes: #235551, #232310) * fix typo in pem.pod (closes: #219873) * fix typo in libssl0.9.7.templates (closes: #224690) * openssl suggests ca-certificates (closes: #217180) * change debconf template to gettext format (closes: #219013) * include french debconf template (closes: #219014) -- Christoph Martin Thu, 18 Mar 2004 16:18:43 +0100 openssl (0.9.7c-5) unstable; urgency=low * include openssl.pc into libssl-dev (closes: #212545) -- Christoph Martin Thu, 16 Oct 2003 16:31:32 +0200 openssl (0.9.7c-4) unstable; urgency=low * change question to restart services to debconf (closes: #214840) * stop using dh_undocumented (closes: #214831) -- Christoph Martin Fri, 10 Oct 2003 15:40:48 +0200 openssl (0.9.7c-3) unstable; urgency=low * fix POSIX conformance for head in libssl0.9.7.postinst (closes: #214700) -- Christoph Martin Wed, 8 Oct 2003 14:02:38 +0200 openssl (0.9.7c-2) unstable; urgency=low * add filerc macro to libssl0.9.7.postinst (closes: #213906) * restart spamassassins spamd on upgrade (closes: #214106) * restart more services on upgrade * fix EVP_BytesToKey manpage (closes: #213715) -- Christoph Martin Tue, 7 Oct 2003 15:01:32 +0200 openssl (0.9.7c-1) unstable; urgency=high * upstream security fix (closes: #213451) - Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. - In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. * more minor upstream bugfixes * fix formatting in c_issuer (closes: #190026) * fix Debian-FreeBSD support (closes: #200381) * restart some services in postinst to make them use the new libraries * remove duplicated openssl.1, crypto.3 and ssl.3 (closes: #198594) -- Christoph Martin Wed, 1 Oct 2003 08:54:27 +0200 openssl (0.9.7b-2) unstable; urgency=high * fix permission of /etc/ssl/private to 700 again * change section of libssl-dev to libdevel -- Christoph Martin Wed, 23 Apr 2003 11:13:24 +0200 openssl (0.9.7b-1) unstable; urgency=high * upstream security fix - Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). (CAN-2003-0131) (closes: #189087) - Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. (CAN-2003-0147) - Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). for more details see the CHANGES file -- Christoph Martin Wed, 16 Apr 2003 10:32:57 +0200 openssl (0.9.7a-1) unstable; urgency=high * upstream Security fix - In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) for more details see the CHANGES file -- Christoph Martin Fri, 21 Feb 2003 22:39:40 +0100 openssl (0.9.7-4) unstable; urgency=low * use DH_COMPAT=3 to build * move i686 to i686/cmov to fix problems on Via C3. For that to work we have to depend on the newest libc6 on i386 (closes: #177891) * fix bug in ui_util.c (closes: #177615) * fix typo in md5.h (closes: #178112) -- Christoph Martin Fri, 24 Jan 2003 10:22:56 +0100 openssl (0.9.7-3) unstable; urgency=low * enable build of ultrasparc code on non ultrasparc machines (closes: #177024) -- Christoph Martin Fri, 17 Jan 2003 08:22:13 +0100 openssl (0.9.7-2) unstable; urgency=low * include changes between 0.9.6g-9 and -10 * fix problem in build-process on i386 with libc6 version number -- Christoph Martin Mon, 13 Jan 2003 14:26:56 +0100 openssl (0.9.7-1) unstable; urgency=low * new upstream * includes engine support * a lot of bugfixes and enhancements, see the CHANGES file * include AES encryption * makes preview of certificate configurable (closes: #176059) * fix x509 manpage (closes: #168070) * fix declaration of ERR_load_PEM_string in pem.h (closes: #141360) -- Christoph Martin Sat, 11 Jan 2003 09:12:16 +0100 openssl (0.9.6g-10) unstable; urgency=low * fix problem in build-process on i386 with libc6 version number (closes: #167096) -- Christoph Martin Mon, 4 Nov 2002 12:27:21 +0100 openssl (0.9.6g-9) unstable; urgency=low * fix typo in i386 libc6 depend (sigh) (closes: #163848) -- Christoph Martin Tue, 8 Oct 2002 23:29:20 +0200 openssl (0.9.6g-8) unstable; urgency=low * fix libc6 depends. Only needed for i386 (closes: #163701) * remove SHLIB section for bsds from Configure (closes: #163585) -- Christoph Martin Tue, 8 Oct 2002 10:57:35 +0200 openssl (0.9.6g-7) unstable; urgency=low * enable i686 optimisation and depend on fixed glibc (closes: #163500) * remove transition package ssleay * include optimisation vor sparcv8 (closes: #139996) * improve optimisation vor sparcv9 -- Christoph Martin Sun, 6 Oct 2002 14:07:12 +0200 openssl (0.9.6g-6) unstable; urgency=low * temporarily disable i686 optimisation (See bug in glibc #161788) -- Christoph Martin Sat, 21 Sep 2002 18:56:49 +0200 openssl (0.9.6g-5) unstable; urgency=low * i486 can use i586 assembler * include set -xe in the for loops in the rules files to make it abort on error (closes: #161768) -- Christoph Martin Sat, 21 Sep 2002 16:23:11 +0200 openssl (0.9.6g-4) unstable; urgency=low * fix optimization for alpha and sparc * add optimization for i486 -- Christoph Martin Fri, 20 Sep 2002 22:36:19 +0200 openssl (0.9.6g-3) unstable; urgency=low * add optimized libraries for i586, i686, ev4, ev5 and v9 (closes: #139783) -- Christoph Martin Thu, 19 Sep 2002 18:33:04 +0200 openssl (0.9.6g-2) unstable; urgency=low * fix manpage names (closes: #156717, #156718, #156719, #156721) -- Christoph Martin Thu, 15 Aug 2002 11:26:37 +0200 openssl (0.9.6g-1) unstable; urgency=low * new upstream version * Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). (closes: #155985, #156495) * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation. * include support for new sh* architectures (closes: #155117) -- Christoph Martin Wed, 14 Aug 2002 13:59:22 +0200 openssl (0.9.6e-1) unstable; urgency=high * fixes remote exploits (see DSA-136-1) -- Christoph Martin Tue, 30 Jul 2002 18:32:28 +0200 openssl (0.9.6d-1) unstable; urgency=low * new upstream (minor) version * includes Configure lines for debian-*bsd-* (closes: #130413) * fix wrong prototype for BN_pseudo_rand_range in BN_rand(3ssl) (closes: #144586) * fix typos in package description (closes: #141469) * fix typo in SSL_CTX_set_cert_store manpage (closes: #135297) -- Christoph Martin Mon, 3 Jun 2002 19:42:10 +0200 openssl (0.9.6c-2) unstable; urgency=low * moved from non-US to main -- Christoph Martin Tue, 19 Mar 2002 14:48:39 +0100 openssl (0.9.6c-1) unstable; urgency=low * new upstream version with a lot of bugfixes * remove directory /usr/include/openssl from openssl package (closes: bug #121226) * remove selfdepends from libssl0.9.6 * link openssl binary shared again -- Christoph Martin Sat, 5 Jan 2002 19:04:31 +0100 openssl (0.9.6b-4) unstable; urgency=low * build with -D_REENTRANT for threads support on all architectures (closes: #112329, #119239) -- Christoph Martin Sat, 24 Nov 2001 12:17:51 +0100 openssl (0.9.6b-3) unstable; urgency=low * disable idea, mdc2 and rc5 because they are not free (closes: #65368) * ready to be moved from nonus to main -- Christoph Martin Wed, 21 Nov 2001 17:51:41 +0100 openssl (0.9.6b-2) unstable; urgency=high * fix definition of crypt in des.h (closes: #107533) * fix descriptions (closes: #109503) -- Christoph Martin Mon, 17 Sep 2001 15:38:27 +0200 openssl (0.9.6b-1) unstable; urgency=medium * new upstream fixes some security issues (closes: #105835, #100146) * added support for s390 (closes: #105681) * added support for sh (closes: #100003) * change priority of libssl096 to standard as ssh depends on it (closes: #105440) * don't optimize for i486 to support i386. (closes: #104127, #82194) -- Christoph Martin Fri, 20 Jul 2001 15:52:42 +0200 openssl (0.9.6a-3) unstable; urgency=medium * add perl-base to builddeps * include static libraries in libssl-dev (closes: #93688) -- Christoph Martin Mon, 14 May 2001 20:16:06 +0200 openssl (0.9.6a-2) unstable; urgency=medium * change Architecture of ssleay from any to all (closes: #92913) * depend libssl-dev on the exact same version of libssl0.9.6 (closes: #88939) * remove lib{crypto,ssl}.a from openssl (closes: #93666) * rebuild with newer gcc to fix atexit problem (closes: #94036) -- Christoph Martin Wed, 2 May 2001 12:28:39 +0200 openssl (0.9.6a-1) unstable; urgency=medium * new upstream, fixes some security bugs (closes: #90584) * fix typo in s_server manpage (closes: #89756) -- Christoph Martin Tue, 10 Apr 2001 12:13:11 +0200 openssl (0.9.6-2) unstable; urgency=low * policy: reorganisation of package names: libssl096 -> libssl0.9.6, libssl096-dev -> libssl-dev (closes: #83426) * libssl0.9.6 drops replaces libssl09 (Closes: #83425) * install upstream CHANGES files (Closes: #83430) * added support for hppa and ia64 (Closes: #88790) * move man3 manpages to libssl-dev (Closes: #87546) * fix formating problem in rand_add(1) (Closes: #87547) * remove manpage duplicates (Closes: #87545, #74986) * make package descriptions clearer (Closes: #83518, #83444) * increase default emailAddress_max from 40 to 60 (Closes: #67238) * removed RSAREF warning (Closes: #84122) -- Christoph Martin Thu, 8 Mar 2001 14:24:00 +0100 openssl (0.9.6-1) unstable; urgency=low * New upstream version (Thanks to Enrique Zanardi ) (closes: #72388) * Add support for debian-hurd (closes: #76032) -- Christoph Martin Mon, 13 Nov 2000 22:30:46 +0100 openssl (0.9.5a-5) unstable; urgency=low * move manpages in standard directories with section ssl (closes: #72152, #69809) -- Christoph Martin Thu, 5 Oct 2000 19:56:20 +0200 openssl (0.9.5a-4) unstable; urgency=low * include edg_rand_bytes patch from and for apache-ssl -- Christoph Martin Sat, 23 Sep 2000 16:48:06 +0200 openssl (0.9.5a-3) unstable; urgency=low * fix call to dh_makeshlibs to create correct shlibs file and make dependend programs link correctly (closes: Bug#61658) * include a note in README.debian concerning the location of the subcommand manpages (closes: Bug#69809) -- Christoph Martin Sat, 16 Sep 2000 19:10:50 +0200 openssl (0.9.5a-2) unstable; urgency=low * try to fix the sharedlib problem. change soname of library (closes: Bug#4622, #66102, #66538, #66123) -- Christoph Martin Wed, 12 Jul 2000 03:26:30 +0200 openssl (0.9.5a-1) unstable; urgency=low * new upstream version (major changes see file NEWS) (closes: Bug#63976, #65239, #65358) * new library package libssl095a because of probably changed library interface (closes: Bug#46222) * added architecture mips and mipsel (closes: Bug#62437, #60366) * provide shlibs.local file in build to help build if libraries are not yet installed (closes: Bug#63984) -- Christoph Martin Sun, 11 Jun 2000 15:17:35 +0200 openssl (0.9.4-5) frozen unstable; urgency=medium * cleanup of move of doc directories to /usr/share/doc (closes: Bug#56430) * lintian issues (closes: Bug#49358) * move demos from openssl to libssl09-dev (closes: Bug#59201) * move to debhelpers -- Christoph Martin Sat, 11 Mar 2000 10:38:04 +0100 openssl (0.9.4-4) unstable; urgency=medium * Added 'debian-arm' in 'Configure'. (closes: Bug#54251, #54766) * Fixed Configure for 'debian-m68k' (closes: Bug#53636) -- Christoph Martin Sat, 15 Jan 2000 13:16:18 +0100 openssl (0.9.4-3) unstable; urgency=low * define symbol SSLeay_add_ssl_algorithms for backward compatibility (closes: Bug#46882) * remove manpages from /usr/doc/openssl (closes: Bug#46791) -- Christoph Martin Thu, 14 Oct 1999 16:51:08 +0200 openssl (0.9.4-2) unstable; urgency=low * include some more docu in pod format (Bug #43933) * removed -mv8 from sparc flags (Bug #44769) -- Christoph Martin Tue, 14 Sep 1999 22:04:06 +0200 openssl (0.9.4-1) unstable; urgency=low * new upstream version (Closes: #42926) -- Christoph Martin Sat, 28 Aug 1999 17:04:23 +0200 openssl (0.9.3a-1) unstable; urgency=low * new upstream version (Bug #38345, #38627) * sparc is big-endian (Bug #39973) -- Christoph Martin Wed, 7 Jul 1999 16:03:37 +0200 openssl (0.9.2b-3) unstable; urgency=low * correct move conffiles to /etc/ssl (Bug #38570) -- Christoph Martin Mon, 31 May 1999 21:08:07 +0200 openssl (0.9.2b-2) unstable; urgency=low * added convenience package ssleay to help upgrade to openssl (Bug #37185, #37623, #36326) * added some missing dependencies from libssl09 (Bug #36681, #35867, #36326) * move lib*.so to libssl09-dev (Bug #36761) * corrected version numbers of library files * introduce link from /usr/lib/ssl to /etc/ssl (Bug #36710) -- Christoph Martin Sun, 23 May 1999 14:57:48 +0200 openssl (0.9.2b-1) unstable; urgency=medium * First openssl version -- Christoph Martin Wed, 31 Mar 1999 15:54:26 +0200 ssleay (0.9.0b-2) unstable; urgency=low * Include message about the (not)usage of RSAREF (#24409) * Move configfiles from /usr/lib/ssl to /etc/ssl (#26406) * Change definitions for sparc (#26487) * Added missing dependency (#28591) * Make debian/libtool executable (#29708) * /etc/ssl/lib/ssleay.cnf is now a confile (#32624) -- Christoph Martin Sun, 21 Mar 1999 19:41:04 +0100 ssleay (0.9.0b-1) unstable; urgency=low * new upstream version (Bug #21227, #25971) * build shared libraries with -fPIC (Bug #20027) * support sparc architecture (Bug #28467) -- Christoph Martin Tue, 13 Oct 1998 10:20:13 +0200 ssleay (0.8.1-7) frozen unstable; urgency=high * security fix patch to 0.8.1b (bug #24022) -- Christoph Martin Mon, 6 Jul 1998 15:42:15 +0200 ssleay (0.8.1-6) frozen unstable; urgency=low * second try to fix bug #15235 (copyright was still missing) -- Christoph Martin Mon, 22 Jun 1998 08:56:27 +0200 ssleay (0.8.1-5) frozen unstable; urgency=high * changed /dev/random to /dev/urandom (Bug #23169, #17817) * copyright contains now the full licence (Bug #15235) * fixed bug #19410 (md5sums-lists-nonexisting-file) * added demos to /usr/doc (Bug #17372) * fixed type in package description (Bug #18969) * fixed bug in adding documentation (Bug #21463) * added patch for support of debian-powerpc (Bug #21579) -- Christoph Martin Thu, 18 Jun 1998 23:09:13 +0200 ssleay (0.8.1-4) unstable; urgency=low * purged dependency from libc5 -- Christoph Martin Tue, 11 Nov 1997 15:31:50 +0100 ssleay (0.8.1-3) unstable; urgency=low * changed packagename libssl to libssl08 to get better dependancies -- Christoph Martin Fri, 7 Nov 1997 14:23:17 +0100 ssleay (0.8.1-2) unstable; urgency=low * linked shared libraries against libc6 * use /dev/random for randomseed -- Christoph Martin Wed, 5 Nov 1997 11:21:40 +0100 ssleay (0.8.1-1) unstable; urgency=low * new upstream version -- Christoph Martin Thu, 16 Oct 1997 16:15:43 +0200 ssleay (0.6.6-2) unstable; urgency=low * cleanup in diffs * removed INSTALL from docs (bug #13205) * split libssl and libssl-dev (but #13735) -- Christoph Martin Wed, 15 Oct 1997 17:38:38 +0200 ssleay (0.6.6-1) unstable; urgency=low * New upstream version * added shared libraries for libcrypto and libssl -- Christoph Martin Thu, 26 Jun 1997 19:26:14 +0200 ssleay (0.6.4-2) unstable; urgency=low * changed doc filenames from .doc to .txt to be able to read them over with webbrowser -- Christoph Martin Tue, 25 Feb 1997 14:02:53 +0100 ssleay (0.6.4-1) unstable; urgency=low * Initial Release. -- Christoph Martin Fri, 22 Nov 1996 21:29:51 +0100