[Pkg-openssl-changes] r443 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at alioth.debian.org
Sat Feb 27 10:50:20 UTC 2010
Author: kroeckx
Date: 2010-02-27 10:50:19 +0000 (Sat, 27 Feb 2010)
New Revision: 443
Removed:
openssl/trunk/debian/patches/CVE-2009-1377.patch
openssl/trunk/debian/patches/CVE-2009-1378.patch
openssl/trunk/debian/patches/CVE-2009-1379.patch
openssl/trunk/debian/patches/CVE-2009-1387.patch
openssl/trunk/debian/patches/CVE-2009-2409.patch
openssl/trunk/debian/patches/CVE-2009-3555.patch
openssl/trunk/debian/patches/CVE-2009-4355.patch
openssl/trunk/debian/patches/no_check_self_signed.patch
openssl/trunk/debian/patches/pk7_mime_free.patch
openssl/trunk/debian/patches/tls_ext_v3.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/patches/ca.patch
openssl/trunk/debian/patches/engines-path.patch
openssl/trunk/debian/patches/series
Log:
New upstream version
- Implements RFC5746, reenables renegotiation but requires the extension.
- Fixes CVE-2009-3245
- Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
no_check_self_signed.patch: applied upstream
- pk7_mime_free.patch removed, code rewritten
- ca.diff partially applied upstream
- engines-path.patch adjusted, upstream made some minor changes to the
build system.
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/changelog 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,7 +1,23 @@
+openssl (0.9.8m-1) unstable; urgency=low
+
+ * New upstream version
+ - Implements RFC5746, reenables renegotiation but requires the extention.
+ - Fixes CVE-2009-3245
+ - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
+ CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
+ CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
+ no_check_self_signed.patch: applied upstream
+ - pk7_mime_free.patch removed, code rewritten
+ - ca.diff partially applied upstream
+ - engines-path.patch adjusted, upstream made some minor changes to the
+ build system.
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sat, 27 Feb 2010 00:27:44 +0100
+
openssl (0.9.8k-8) unstable; urgency=high
* Clean up zlib state so that it will be reinitialized on next use and
- not cause a memory leak. (CVE-2009-4355)
+ not cause a memory leak. (CVE-2009-4355, CVE-2008-1678)
-- Kurt Roeckx <kurt at roeckx.be> Wed, 13 Jan 2010 21:26:49 +0100
Deleted: openssl/trunk/debian/patches/CVE-2009-1377.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1377.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1377.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,48 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_pkt.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_pkt.c 2008-10-13 08:43:06.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-07-19 11:32:41.000000000 +0200
-@@ -167,6 +167,10 @@
- DTLS1_RECORD_DATA *rdata;
- pitem *item;
-
-+ /* Limit the size of the queue to prevent DOS attacks */
-+ if (pqueue_size(queue->q) >= 100)
-+ return 0;
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
-Index: openssl-0.9.8k/crypto/pqueue/pqueue.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/pqueue/pqueue.c 2005-06-28 14:53:33.000000000 +0200
-+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-07-19 11:32:41.000000000 +0200
-@@ -234,3 +234,17 @@
-
- return ret;
- }
-+
-+int
-+pqueue_size(pqueue_s *pq)
-+{
-+ pitem *item = pq->items;
-+ int count = 0;
-+
-+ while(item != NULL)
-+ {
-+ count++;
-+ item = item->next;
-+ }
-+ return count;
-+}
-Index: openssl-0.9.8k/crypto/pqueue/pqueue.h
-===================================================================
---- openssl-0.9.8k.orig/crypto/pqueue/pqueue.h 2005-05-31 00:34:27.000000000 +0200
-+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-07-19 11:32:41.000000000 +0200
-@@ -91,5 +91,6 @@
- pitem *pqueue_next(piterator *iter);
-
- void pqueue_print(pqueue pq);
-+int pqueue_size(pqueue pq);
-
- #endif /* ! HEADER_PQUEUE_H */
Deleted: openssl/trunk/debian/patches/CVE-2009-1378.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1378.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1378.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,22 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c 2007-10-17 23:17:49.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c 2009-07-19 11:37:44.000000000 +0200
-@@ -561,7 +561,16 @@
- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
- goto err;
-
-- if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+ /* Try to find item in queue, to prevent duplicate entries */
-+ pq_64bit_init(&seq64);
-+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+ item = pqueue_find(s->d1->buffered_messages, seq64);
-+ pq_64bit_free(&seq64);
-+
-+ /* Discard the message if sequence number was already there, is
-+ * too far in the future or the fragment is already in the queue */
-+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
- {
- unsigned char devnull [256];
-
Deleted: openssl/trunk/debian/patches/CVE-2009-1379.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1379.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1379.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,20 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c 2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c 2009-07-19 11:37:42.000000000 +0200
-@@ -530,13 +530,14 @@
- frag->fragment,frag->msg_header.frag_len);
- }
-
-+ unsigned long frag_len = frag->msg_header.frag_len;
- dtls1_hm_fragment_free(frag);
- pitem_free(item);
-
- if (al==0)
- {
- *ok = 1;
-- return frag->msg_header.frag_len;
-+ return frag_len;
- }
-
- ssl3_send_alert(s,SSL3_AL_FATAL,al);
Deleted: openssl/trunk/debian/patches/CVE-2009-1387.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1387.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1387.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,51 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c 2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c 2009-07-19 11:32:41.000000000 +0200
-@@ -585,30 +585,31 @@
- }
- }
-
-- frag = dtls1_hm_fragment_new(frag_len);
-- if ( frag == NULL)
-- goto err;
-+ if (frag_len)
-+ {
-+ frag = dtls1_hm_fragment_new(frag_len);
-+ if ( frag == NULL)
-+ goto err;
-
-- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-
-- if (frag_len)
-- {
-- /* read the body of the fragment (header has already been read */
-+ /* read the body of the fragment (header has already been read) */
- i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
- frag->fragment,frag_len,0);
- if (i<=0 || (unsigned long)i!=frag_len)
- goto err;
-- }
-
-- pq_64bit_init(&seq64);
-- pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+ pq_64bit_init(&seq64);
-+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
-
-- item = pitem_new(seq64, frag);
-- pq_64bit_free(&seq64);
-- if ( item == NULL)
-- goto err;
-+ item = pitem_new(seq64, frag);
-+ pq_64bit_free(&seq64);
-+ if ( item == NULL)
-+ goto err;
-+
-+ pqueue_insert(s->d1->buffered_messages, item);
-+ }
-
-- pqueue_insert(s->d1->buffered_messages, item);
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
Deleted: openssl/trunk/debian/patches/CVE-2009-2409.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-2409.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-2409.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,33 +0,0 @@
-This is http://cvs.openssl.org/chngview?cn=18381
-Fixes CVE-2009-2409
-
-Index: openssl/crypto/evp/c_alld.c
-RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
-rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
---- c_alld.c 2005/04/30 21:51:40 1.7
-+++ c_alld.c 2009/07/08 08:33:26 1.7.2.1
-@@ -64,9 +64,6 @@
-
- void OpenSSL_add_all_digests(void)
- {
--#ifndef OPENSSL_NO_MD2
-- EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD4
- EVP_add_digest(EVP_md4());
- #endif
-Index: openssl/ssl/ssl_algs.c
-RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
-rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
---- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3
-+++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4
-@@ -92,9 +92,6 @@
- EVP_add_cipher(EVP_seed_cbc());
- #endif
-
--#ifndef OPENSSL_NO_MD2
-- EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD5
- EVP_add_digest(EVP_md5());
- EVP_add_digest_alias(SN_md5,"ssl2-md5");
Deleted: openssl/trunk/debian/patches/CVE-2009-3555.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-3555.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-3555.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,118 +0,0 @@
-diff -ur openssl-0.9.8k/crypto/asn1/asn1_err.c openssl-0.9.8l/crypto/asn1/asn1_err.c
---- openssl-0.9.8k/crypto/asn1/asn1_err.c 2009-03-25 11:35:57.000000000 +0100
-+++ openssl-0.9.8l/crypto/asn1/asn1_err.c 2009-11-05 14:52:55.000000000 +0100
-@@ -132,6 +132,7 @@
- {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"},
- {ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"},
- {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"},
-+{ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_NEW_NDEF"},
- {ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"},
- {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"},
- {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"},
-diff -ur openssl-0.9.8k/crypto/asn1/asn1.h openssl-0.9.8l/crypto/asn1/asn1.h
---- openssl-0.9.8k/crypto/asn1/asn1.h 2009-03-25 11:35:57.000000000 +0100
-+++ openssl-0.9.8l/crypto/asn1/asn1.h 2009-11-05 14:52:55.000000000 +0100
-@@ -1158,6 +1158,7 @@
- #define ASN1_F_ASN1_VERIFY 137
- #define ASN1_F_B64_READ_ASN1 208
- #define ASN1_F_B64_WRITE_ASN1 209
-+#define ASN1_F_BIO_NEW_NDEF 212
- #define ASN1_F_BITSTR_CB 180
- #define ASN1_F_BN_TO_ASN1_ENUMERATED 138
- #define ASN1_F_BN_TO_ASN1_INTEGER 139
-diff -ur openssl-0.9.8k/ssl/s3_lib.c openssl-0.9.8l/ssl/s3_lib.c
---- openssl-0.9.8k/ssl/s3_lib.c 2008-06-16 18:56:41.000000000 +0200
-+++ openssl-0.9.8l/ssl/s3_lib.c 2009-11-05 16:51:53.000000000 +0100
-@@ -2592,6 +2592,9 @@
- if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
- return(0);
-
-+ if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-+ return(0);
-+
- s->s3->renegotiate=1;
- return(1);
- }
-diff -ur openssl-0.9.8k/ssl/s3_pkt.c openssl-0.9.8l/ssl/s3_pkt.c
---- openssl-0.9.8k/ssl/s3_pkt.c 2008-10-10 12:41:32.000000000 +0200
-+++ openssl-0.9.8l/ssl/s3_pkt.c 2009-11-05 16:52:53.000000000 +0100
-@@ -985,6 +985,7 @@
-
- if (SSL_is_init_finished(s) &&
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
- !s->s3->renegotiate)
- {
- ssl3_renegotiate(s);
-@@ -1117,7 +1118,8 @@
- if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
- {
- if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
-- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
-+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
- {
- #if 0 /* worked only because C operator preferences are not as expected (and
- * because this is not really needed for clients except for detecting
-Only in openssl-0.9.8l/ssl: s3_pkt.c.~1.57.2.4.~
-diff -ur openssl-0.9.8k/ssl/s3_srvr.c openssl-0.9.8l/ssl/s3_srvr.c
---- openssl-0.9.8k/ssl/s3_srvr.c 2009-01-07 11:48:23.000000000 +0100
-+++ openssl-0.9.8l/ssl/s3_srvr.c 2009-11-05 16:52:11.000000000 +0100
-@@ -718,6 +718,14 @@
- #endif
- STACK_OF(SSL_CIPHER) *ciphers=NULL;
-
-+ if (s->new_session
-+ && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-+ {
-+ al=SSL_AD_HANDSHAKE_FAILURE;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-+ goto f_err;
-+ }
-+
- /* We do this so that we will respond with our native type.
- * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
- * This down switching should be handled by a different method.
-diff -ur openssl-0.9.8k/ssl/ssl3.h openssl-0.9.8l/ssl/ssl3.h
---- openssl-0.9.8k/ssl/ssl3.h 2007-10-12 02:00:30.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl3.h 2009-11-05 16:52:03.000000000 +0100
-@@ -326,10 +326,11 @@
- #define SSL3_CT_NUMBER 7
-
-
--#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
--#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
--#define SSL3_FLAGS_POP_BUFFER 0x0004
--#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
-+#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
-+#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
-+#define SSL3_FLAGS_POP_BUFFER 0x0004
-+#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
-+#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
-
- typedef struct ssl3_state_st
- {
-diff -ur openssl-0.9.8k/ssl/ssl_err.c openssl-0.9.8l/ssl/ssl_err.c
---- openssl-0.9.8k/ssl/ssl_err.c 2008-08-13 21:44:44.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl_err.c 2009-11-05 13:15:05.000000000 +0100
-@@ -384,6 +384,7 @@
- {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
- {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
- {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
-+{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
- {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
- {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
- {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
-Only in openssl-0.9.8l/ssl: ssl_err.c.orig
-diff -ur openssl-0.9.8k/ssl/ssl.h openssl-0.9.8l/ssl/ssl.h
---- openssl-0.9.8k/ssl/ssl.h 2008-08-13 21:44:44.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl.h 2009-11-05 13:15:41.000000000 +0100
-@@ -1952,6 +1952,7 @@
- #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
- #define SSL_R_NO_PROTOCOLS_AVAILABLE 191
- #define SSL_R_NO_PUBLICKEY 192
-+#define SSL_R_NO_RENEGOTIATION 318
- #define SSL_R_NO_SHARED_CIPHER 193
- #define SSL_R_NO_VERIFY_CALLBACK 194
- #define SSL_R_NULL_SSL_CTX 195
-
Deleted: openssl/trunk/debian/patches/CVE-2009-4355.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-4355.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-4355.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,50 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Subject: memory consumption (DoS) vulnerability
-
-I've attached a patch which uses an alternative technique. The main problem is
-that the ex_data free function pointer is removed when
-CRYPTO_cleanup_all_ex_data() is called. If the compression structure is
-cleaned up directly this problem is avoided:
-
-Index: openssl-0.9.8k/crypto/comp/c_zlib.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/comp/c_zlib.c 2010-01-13 20:35:47.000000000 +0000
-+++ openssl-0.9.8k/crypto/comp/c_zlib.c 2010-01-13 20:35:50.000000000 +0000
-@@ -136,15 +136,6 @@
-
- static int zlib_stateful_ex_idx = -1;
-
--static void zlib_stateful_free_ex_data(void *obj, void *item,
-- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
-- {
-- struct zlib_state *state = (struct zlib_state *)item;
-- inflateEnd(&state->istream);
-- deflateEnd(&state->ostream);
-- OPENSSL_free(state);
-- }
--
- static int zlib_stateful_init(COMP_CTX *ctx)
- {
- int err;
-@@ -188,6 +179,12 @@
-
- static void zlib_stateful_finish(COMP_CTX *ctx)
- {
-+ struct zlib_state *state =
-+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
-+ zlib_stateful_ex_idx);
-+ inflateEnd(&state->istream);
-+ deflateEnd(&state->ostream);
-+ OPENSSL_free(state);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
- }
-
-@@ -402,7 +399,7 @@
- if (zlib_stateful_ex_idx == -1)
- zlib_stateful_ex_idx =
- CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
-- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
-+ 0,NULL,NULL,NULL,NULL);
- CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
- if (zlib_stateful_ex_idx == -1)
- goto err;
Modified: openssl/trunk/debian/patches/ca.patch
===================================================================
--- openssl/trunk/debian/patches/ca.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/ca.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,19 +1,7 @@
-Index: openssl-0.9.8k/apps/CA.sh
+Index: openssl-0.9.8m/apps/CA.pl.in
===================================================================
---- openssl-0.9.8k.orig/apps/CA.sh 2005-07-04 23:44:22.000000000 +0200
-+++ openssl-0.9.8k/apps/CA.sh 2009-07-19 11:32:41.000000000 +0200
-@@ -91,6 +91,7 @@
- -out ${CATOP}/$CAREQ
- $CA -out ${CATOP}/$CACERT $CADAYS -batch \
- -keyfile ${CATOP}/private/$CAKEY -selfsign \
-+ -extensions v3_ca \
- -infiles ${CATOP}/$CAREQ
- RET=$?
- fi
-Index: openssl-0.9.8k/apps/CA.pl.in
-===================================================================
---- openssl-0.9.8k.orig/apps/CA.pl.in 2006-04-28 02:28:51.000000000 +0200
-+++ openssl-0.9.8k/apps/CA.pl.in 2009-07-19 11:32:41.000000000 +0200
+--- openssl-0.9.8m.orig/apps/CA.pl.in 2006-04-28 00:28:51.000000000 +0000
++++ openssl-0.9.8m/apps/CA.pl.in 2010-02-27 00:36:51.000000000 +0000
@@ -65,6 +65,7 @@
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
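Review bot: The rewritten ca.patch no longer carries the apps/CA.sh hunk that added `-extensions v3_ca` to the `-selfsign` invocation; the log says the patch was "partially applied upstream", but nothing in this commit shows that 0.9.8m's CA.sh already passes `-extensions v3_ca`. If it does not, the self-signed root produced by CA.sh is generated without the v3_ca extension section (presumably the CA basicConstraints and key-usage settings), a regression that is easy to miss because the CA.pl.in part of the patch still applies. Worth confirming against the upstream CA.sh before upload, and recording the result in the patch header so the next rebase does not have to re-derive it. The CA.pl.in hunk that begins at the end of this section continues outside the diff.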
Modified: openssl/trunk/debian/patches/engines-path.patch
===================================================================
--- openssl/trunk/debian/patches/engines-path.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/engines-path.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,47 +1,47 @@
-Index: openssl-0.9.8k/Configure
+Index: openssl-0.9.8m/Makefile.org
===================================================================
---- openssl-0.9.8k.orig/Configure 2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/Configure 2009-07-19 11:37:18.000000000 +0200
-@@ -1687,7 +1687,7 @@
- if (/^#define\s+OPENSSLDIR/)
- { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
- elsif (/^#define\s+ENGINESDIR/)
-- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
-+ { print OUT "#define ENGINESDIR \"$prefix/lib/ssl/engines\"\n"; }
- elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
- { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
- if $export_var_as_fn;
-Index: openssl-0.9.8k/Makefile.org
-===================================================================
---- openssl-0.9.8k.orig/Makefile.org 2009-03-03 23:40:29.000000000 +0100
-+++ openssl-0.9.8k/Makefile.org 2009-07-19 11:37:33.000000000 +0200
-@@ -616,7 +616,7 @@
+--- openssl-0.9.8m.orig/Makefile.org 2010-01-27 16:06:36.000000000 +0000
++++ openssl-0.9.8m/Makefile.org 2010-02-27 00:43:04.000000000 +0000
+@@ -620,7 +620,7 @@
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib \
-- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
-+ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines \
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
++ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-Index: openssl-0.9.8k/engines/Makefile
+Index: openssl-0.9.8m/engines/Makefile
===================================================================
---- openssl-0.9.8k.orig/engines/Makefile 2008-09-17 19:11:07.000000000 +0200
-+++ openssl-0.9.8k/engines/Makefile 2009-07-19 11:32:41.000000000 +0200
-@@ -100,13 +100,13 @@
+--- openssl-0.9.8m.orig/engines/Makefile 2009-11-10 01:53:02.000000000 +0000
++++ openssl-0.9.8m/engines/Makefile 2010-02-27 00:45:03.000000000 +0000
+@@ -101,13 +101,13 @@
*DSO_DL*) sfx="sl";; \
*) sfx="bad";; \
esac; \
-- cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
-+ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \
+- cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
++ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new; \
else \
sfx="so"; \
- cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
+ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
fi; \
-- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
-- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx ); \
-+ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \
-+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx ); \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
+- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx ); \
++ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new; \
++ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx ); \
done; \
fi
+Index: openssl-0.9.8m/Configure
+===================================================================
+--- openssl-0.9.8m.orig/Configure 2010-02-27 00:40:42.000000000 +0000
++++ openssl-0.9.8m/Configure 2010-02-27 00:46:47.000000000 +0000
+@@ -1738,7 +1738,7 @@
+ # $foo is to become "$prefix/lib$multilib/engines";
+ # as Makefile.org and engines/Makefile are adapted for
+ # $multilib suffix.
+- my $foo = "$prefix/lib/engines";
++ my $foo = "$prefix/lib/ssl/engines";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
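Review bot: The rewritten `mv -f` line in the engines/Makefile hunk moves `$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new` to `$(LIBDIR)/engines/lib$$l.$$sfx`, so the destination lost the `ssl/` component that the `cp`, the `chmod` and the `install_sw` mkdir line all use; the previous version of the patch had `lib/ssl/engines` on both sides of the `mv`. Unless `$(LIBDIR)/engines` exists for some other reason the install fails at that line, and if it does exist the engine objects land outside the ENGINESDIR that the Configure hunk sets to `$prefix/lib/ssl/engines`, so they are not found at run time. The line should read `mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx ); \`. Two smaller points, both pre-existing: the Cygwin `cp cyg$$l.dll` branch is left as context and still targets `$(LIBDIR)/engines/`, and the Configure hunk hard-codes `lib/ssl/engines` while the Makefiles use `$(LIBDIR)`, so ENGINESDIR and the install path diverge whenever LIBDIR is not plain `lib` (the upstream comment just above that line says the value is meant to follow `$multilib`).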
Deleted: openssl/trunk/debian/patches/no_check_self_signed.patch
===================================================================
--- openssl/trunk/debian/patches/no_check_self_signed.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/no_check_self_signed.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,39 +0,0 @@
-Description: Don't check self signed certificate signatures in
- X509_verify_cert(): it just wastes time without adding any security. As a
- useful side effect self signed root CAs with non-FIPS digests are now usable
- in FIPS mode. [Steve Henson]
-Origin: upstream, http://cvs.openssl.org/chngview?cn=18260
-Bug-Debian: http://bugs.debian.org/541735
-
-Index: openssl/crypto/x509/x509_vfy.c
-RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
-rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null
---- x509_vfy.c 2008/07/13 14:33:15 1.77.2.8
-+++ x509_vfy.c 2009/06/15 14:52:38 1.77.2.9
-@@ -986,7 +986,11 @@
- while (n >= 0)
- {
- ctx->error_depth=n;
-- if (!xs->valid)
-+
-+ /* Skip signature check for self signed certificates. It
-+ * doesn't add any security and just wastes time.
-+ */
-+ if (!xs->valid && xs != xi)
- {
- if ((pkey=X509_get_pubkey(xi)) == NULL)
- {
-@@ -996,13 +1000,6 @@
- if (!ok) goto end;
- }
- else if (X509_verify(xs,pkey) <= 0)
-- /* XXX For the final trusted self-signed cert,
-- * this is a waste of time. That check should
-- * optional so that e.g. 'openssl x509' can be
-- * used to detect invalid self-signatures, but
-- * we don't verify again and again in SSL
-- * handshakes and the like once the cert has
-- * been declared trusted. */
- {
- ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
- ctx->current_cert=xs;
Deleted: openssl/trunk/debian/patches/pk7_mime_free.patch
===================================================================
--- openssl/trunk/debian/patches/pk7_mime_free.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/pk7_mime_free.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,20 +0,0 @@
-r21 | chrism | 2005-09-07 15:34:00 +0200 (Wed, 07 Sep 2005) | 3 lines
-
-fix pk7_mime.c to prevent garbled messages because of to early memory
- free (closes: #310184)
-
-Index: openssl-0.9.8k/crypto/pkcs7/pk7_mime.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/pkcs7/pk7_mime.c 2008-11-05 19:36:48.000000000 +0100
-+++ openssl-0.9.8k/crypto/pkcs7/pk7_mime.c 2009-07-19 17:13:53.000000000 +0200
-@@ -335,9 +335,9 @@
-
- if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
- strcmp(hdr->value, "application/pkcs7-signature")) {
-- sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
- PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
- ERR_add_error_data(2, "type: ", hdr->value);
-+ sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
- sk_BIO_pop_free(parts, BIO_vfree);
- return NULL;
- }
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/series 2010-02-27 10:50:19 UTC (rev 443)
@@ -17,13 +17,3 @@
shared-lib-ext.patch
stddef.patch
version-script.patch
-pk7_mime_free.patch
-tls_ext_v3.patch
-CVE-2009-1377.patch
-CVE-2009-1378.patch
-CVE-2009-1379.patch
-CVE-2009-1387.patch
-CVE-2009-2409.patch
-no_check_self_signed.patch
-CVE-2009-3555.patch
-CVE-2009-4355.patch
Deleted: openssl/trunk/debian/patches/tls_ext_v3.patch
===================================================================
--- openssl/trunk/debian/patches/tls_ext_v3.patch 2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/tls_ext_v3.patch 2010-02-27 10:50:19 UTC (rev 443)
@@ -1,31 +0,0 @@
-r290 | kroeckx | 2008-03-23 18:52:37 +0100 (Sun, 23 Mar 2008) | 3 lines
-
-Don't add extentions to ssl v3 connections. It breaks with some
-other software. (Closes: #471681, #471896)
-
-Index: openssl-0.9.8k/ssl/t1_lib.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/t1_lib.c 2008-09-04 00:13:04.000000000 +0200
-+++ openssl-0.9.8k/ssl/t1_lib.c 2009-07-19 17:15:14.000000000 +0200
-@@ -133,6 +133,10 @@
- int extdatalen=0;
- unsigned char *ret = p;
-
-+ /* don't add extensions for SSLv3 */
-+ if (s->client_version == SSL3_VERSION)
-+ return p;
-+
- ret+=2;
-
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
-@@ -251,6 +255,10 @@
- int extdatalen=0;
- unsigned char *ret = p;
-
-+ /* don't add extensions for SSLv3 */
-+ if (s->version == SSL3_VERSION)
-+ return p;
-+
- ret+=2;
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
-