[Pkg-openssl-changes] r891 - in openssl/branches/jessie_backports/debian: . patches

Sebastian Andrzej Siewior bigeasy at moszumanska.debian.org
Fri Jan 27 21:23:03 UTC 2017


Author: bigeasy
Date: 2017-01-27 21:23:03 +0000 (Fri, 27 Jan 2017)
New Revision: 891

Added:
   openssl/branches/jessie_backports/debian/patches/Mark-3DES-and-RC4-ciphers-as-weak.patch
   openssl/branches/jessie_backports/debian/patches/disable_freelist.patch
Modified:
   openssl/branches/jessie_backports/debian/changelog
   openssl/branches/jessie_backports/debian/patches/series
Log:
get ready for the jessie bpo release



Modified: openssl/branches/jessie_backports/debian/changelog
===================================================================
--- openssl/branches/jessie_backports/debian/changelog	2017-01-26 23:19:59 UTC (rev 890)
+++ openssl/branches/jessie_backports/debian/changelog	2017-01-27 21:23:03 UTC (rev 891)
@@ -1,11 +1,15 @@
-openssl (1.0.2k-1~bpo8+1) UNRELEASED; urgency=medium
+openssl (1.0.2k-1~bpo8+1) jessie-backports; urgency=medium
 
   * New upstream release
     - Fixes CVE-2017-3731
     - Fixes CVE-2017-3732
     - Fixes CVE-2016-7055
+  * Disable internal free list handling without breaking the ABI
+    (disable_freelist.patch).
+  * Mark RC4 and 3DES as weak which removes them from the SSL/TLS protocol
+    (Closes: #736687).
 
- -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Thu, 26 Jan 2017 21:55:11 +0100
+ -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Fri, 27 Jan 2017 22:22:13 +0100
 
 openssl (1.0.2j-1~bpo8+1) jessie-backports; urgency=medium
 

Added: openssl/branches/jessie_backports/debian/patches/Mark-3DES-and-RC4-ciphers-as-weak.patch
===================================================================
--- openssl/branches/jessie_backports/debian/patches/Mark-3DES-and-RC4-ciphers-as-weak.patch	                        (rev 0)
+++ openssl/branches/jessie_backports/debian/patches/Mark-3DES-and-RC4-ciphers-as-weak.patch	2017-01-27 21:23:03 UTC (rev 891)
@@ -0,0 +1,429 @@
+From e9f3a3d6d707c5f9b8d67f44f8d7283296935415 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Sun, 18 Dec 2016 15:37:52 +0100
+Subject: [PATCH] Mark 3DES and RC4 ciphers as weak
+
+This disables RC4 and 3DES in our build
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ ssl/s3_lib.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 58 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 0385e039c8d4..cf785f994917 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -216,6 +216,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 04 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_MD5,
+@@ -230,8 +231,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+ /* Cipher 05 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_SHA,
+@@ -246,7 +249,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
+-
++#endif
+ /* Cipher 06 */
+ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+@@ -320,6 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 0A */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_DES_192_CBC3_SHA,
+@@ -334,6 +338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* The DH ciphers */
+ /* Cipher 0B */
+@@ -373,6 +378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 0D */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
+@@ -387,6 +393,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Cipher 0E */
+ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+@@ -425,6 +432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 10 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
+@@ -439,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* The Ephemeral DH ciphers */
+ /* Cipher 11 */
+@@ -478,6 +487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 13 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
+@@ -492,6 +502,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Cipher 14 */
+ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+@@ -530,6 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 16 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
+@@ -544,6 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Cipher 17 */
+ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+@@ -564,6 +577,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 18 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_ADH_RC4_128_MD5,
+@@ -578,6 +592,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+ /* Cipher 19 */
+ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+@@ -616,6 +631,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ #endif
+ 
+ /* Cipher 1B */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_ADH_DES_192_CBC_SHA,
+@@ -630,6 +646,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Fortezza ciphersuite from SSL 3.0 spec */
+ #if 0
+@@ -703,6 +720,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ # endif
+ 
+ /* Cipher 1F */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_192_CBC3_SHA,
+@@ -717,8 +735,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Cipher 20 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC4_128_SHA,
+@@ -733,6 +753,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+ /* Cipher 21 */
+     {
+@@ -769,6 +790,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ # endif
+ 
+ /* Cipher 23 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_192_CBC3_MD5,
+@@ -783,8 +805,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+ /* Cipher 24 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC4_128_MD5,
+@@ -799,6 +823,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+ /* Cipher 25 */
+     {
+@@ -1418,6 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ # endif
+ 
+     /* Cipher 66 */
++# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
+@@ -1433,6 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      },
+ #endif
++#endif
+ 
+     /* TLS v1.2 ciphersuites */
+     /* Cipher 67 */
+@@ -1703,6 +1730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ 
+ #ifndef OPENSSL_NO_PSK
+     /* Cipher 8A */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_PSK_WITH_RC4_128_SHA,
+@@ -1717,8 +1745,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher 8B */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
+@@ -1733,6 +1763,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher 8C */
+     {
+@@ -2095,6 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      },
+ 
+     /* Cipher C002 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
+@@ -2109,8 +2141,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher C003 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
+@@ -2125,6 +2159,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C004 */
+     {
+@@ -2175,6 +2210,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      },
+ 
+     /* Cipher C007 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+@@ -2189,8 +2225,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher C008 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+@@ -2205,6 +2243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C009 */
+     {
+@@ -2255,6 +2294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      },
+ 
+     /* Cipher C00C */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
+@@ -2269,8 +2309,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher C00D */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
+@@ -2285,6 +2327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C00E */
+     {
+@@ -2335,6 +2378,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      },
+ 
+     /* Cipher C011 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
+@@ -2349,8 +2393,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher C012 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+@@ -2365,6 +2411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C013 */
+     {
+@@ -2415,6 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      },
+ 
+     /* Cipher C016 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
+@@ -2429,8 +2477,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
+ 
+     /* Cipher C017 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
+@@ -2445,6 +2495,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C018 */
+     {
+@@ -2481,6 +2532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ 
+ #ifndef OPENSSL_NO_SRP
+     /* Cipher C01A */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+@@ -2495,8 +2547,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C01B */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+@@ -2511,8 +2565,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C01C */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+@@ -2527,6 +2583,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+      112,
+      168,
+      },
++#endif
+ 
+     /* Cipher C01D */
+     {
+-- 
+2.1.4
+
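Review bot: The patch description (`This disables RC4 and 3DES in our build`) claims more than the hunks establish: every added line is an `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` / `#endif` pair around an entry of `ssl3_ciphers[]` in ssl/s3_lib.c, so the suites go away only when the build configuration defines that macro, which this commit does not show, and libcrypto is not touched by this patch. I would reword it along the lines of `Compile the RC4 and 3DES ciphersuites out of ssl3_ciphers[] when OPENSSL_NO_WEAK_SSL_CIPHERS is defined (i.e. unless configured with enable-weak-ssl-ciphers).` and confirm that debian/rules does not pass `enable-weak-ssl-ciphers`. Because the entries are removed from the table rather than demoted, an application whose cipher string names only RC4 or 3DES suites will presumably end up with an empty list and fail to configure, which deserves a line in NEWS for backports users. As a style point, the guard added at Cipher 66 is written `# ifndef` while its closing `#endif` and every other added guard are unindented, and the `#endif` after Cipher 05 replaces the blank separator line instead of preceding it.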

Added: openssl/branches/jessie_backports/debian/patches/disable_freelist.patch
===================================================================
--- openssl/branches/jessie_backports/debian/patches/disable_freelist.patch	                        (rev 0)
+++ openssl/branches/jessie_backports/debian/patches/disable_freelist.patch	2017-01-27 21:23:03 UTC (rev 891)
@@ -0,0 +1,32 @@
+From: Kurt Roeckx <kurt at roeckx.be>
+Subject: Disable the freelist
+
+We don't define OPENSSL_NO_BUF_FREELISTS globally sinc it changes structures and
+would break the ABI.  Instead we just do it in the .c files that try to do
+something with it.
+
+Index: openssl-1.0.2/ssl/s3_both.c
+===================================================================
+--- openssl-1.0.2.orig/ssl/s3_both.c
++++ openssl-1.0.2/ssl/s3_both.c
+@@ -573,6 +573,7 @@ int ssl_verify_alarm_type(long type)
+     return (al);
+ }
+ 
++#define OPENSSL_NO_BUF_FREELISTS
+ #ifndef OPENSSL_NO_BUF_FREELISTS
+ /*-
+  * On some platforms, malloc() performance is bad enough that you can't just
+Index: openssl-1.0.2/ssl/ssl_lib.c
+===================================================================
+--- openssl-1.0.2.orig/ssl/ssl_lib.c
++++ openssl-1.0.2/ssl/ssl_lib.c
+@@ -162,6 +162,8 @@
+ 
+ const char *SSL_version_str = OPENSSL_VERSION_TEXT;
+ 
++#define OPENSSL_NO_BUF_FREELISTS
++
+ SSL3_ENC_METHOD ssl3_undef_enc_method = {
+     /*
+      * evil casts, but these functions are only called if there's a library
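Review bot: Both added `#define OPENSSL_NO_BUF_FREELISTS` lines (ssl/s3_both.c and ssl/ssl_lib.c) go in without a comment, although their position is the whole point of the patch: per its description the macro must not be defined globally, because that changes structures and breaks the ABI, so it has to stay below the header includes. A later refresh that moves the define to the top of the file or into the build flags would silently undo that, so I would put `/* Debian: keep below the #includes; defining this globally changes struct layouts and breaks the ABI */` above each define. The description also gives no reason for disabling the freelist in the first place; one sentence on the motivation (presumably so that record buffers go back through malloc()/free()) would help whoever has to decide whether the patch can be dropped. The freelist code that these defines switch off lies outside both hunks, so whether anything else still reads the freelist members left in the structures cannot be checked from here.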

Modified: openssl/branches/jessie_backports/debian/patches/series
===================================================================
--- openssl/branches/jessie_backports/debian/patches/series	2017-01-26 23:19:59 UTC (rev 890)
+++ openssl/branches/jessie_backports/debian/patches/series	2017-01-27 21:23:03 UTC (rev 891)
@@ -14,3 +14,5 @@
 block_diginotar.patch
 block_digicert_malaysia.patch
 #padlock_conf.patch
+disable_freelist.patch
+Mark-3DES-and-RC4-ciphers-as-weak.patch



