[Pkg-openssl-changes] r443 - in openssl/trunk/debian: . patches

Kurt Roeckx kroeckx at alioth.debian.org
Sat Feb 27 10:50:20 UTC 2010


Author: kroeckx
Date: 2010-02-27 10:50:19 +0000 (Sat, 27 Feb 2010)
New Revision: 443

Removed:
   openssl/trunk/debian/patches/CVE-2009-1377.patch
   openssl/trunk/debian/patches/CVE-2009-1378.patch
   openssl/trunk/debian/patches/CVE-2009-1379.patch
   openssl/trunk/debian/patches/CVE-2009-1387.patch
   openssl/trunk/debian/patches/CVE-2009-2409.patch
   openssl/trunk/debian/patches/CVE-2009-3555.patch
   openssl/trunk/debian/patches/CVE-2009-4355.patch
   openssl/trunk/debian/patches/no_check_self_signed.patch
   openssl/trunk/debian/patches/pk7_mime_free.patch
   openssl/trunk/debian/patches/tls_ext_v3.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/ca.patch
   openssl/trunk/debian/patches/engines-path.patch
   openssl/trunk/debian/patches/series
Log:
New upstream version
- Implements RFC5746, re-enables renegotiation but requires the extension.
- Fixes CVE-2009-3245
- Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
  CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
  CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
  no_check_self_signed.patch: applied upstream
- pk7_mime_free.patch removed, code rewritten
- ca.diff partially applied upstream
- engines-path.patch adjusted, upstream made some minor changes to the
  build system.


Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/changelog	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,7 +1,23 @@
+openssl (0.9.8m-1) unstable; urgency=low
+
+  * New upstream version
+    - Implements RFC5746, reenables renegotiation but requires the extention.
+    - Fixes CVE-2009-3245
+    - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
+      CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
+      CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
+      no_check_self_signed.patch: applied upstream
+    - pk7_mime_free.patch removed, code rewritten
+    - ca.diff partially applied upstream
+    - engines-path.patch adjusted, upstream made some minor changes to the
+      build system.
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Sat, 27 Feb 2010 00:27:44 +0100
+
 openssl (0.9.8k-8) unstable; urgency=high
 
   * Clean up zlib state so that it will be reinitialized on next use and
-    not cause a memory leak.  (CVE-2009-4355)
+    not cause a memory leak.  (CVE-2009-4355, CVE-2008-1678)
 
  -- Kurt Roeckx <kurt at roeckx.be>  Wed, 13 Jan 2010 21:26:49 +0100
 

Deleted: openssl/trunk/debian/patches/CVE-2009-1377.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1377.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1377.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,48 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_pkt.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_pkt.c	2008-10-13 08:43:06.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_pkt.c	2009-07-19 11:32:41.000000000 +0200
-@@ -167,6 +167,10 @@
-     DTLS1_RECORD_DATA *rdata;
- 	pitem *item;
- 
-+	/* Limit the size of the queue to prevent DOS attacks */
-+	if (pqueue_size(queue->q) >= 100)
-+		return 0;
-+		
- 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- 	item = pitem_new(priority, rdata);
- 	if (rdata == NULL || item == NULL)
-Index: openssl-0.9.8k/crypto/pqueue/pqueue.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/pqueue/pqueue.c	2005-06-28 14:53:33.000000000 +0200
-+++ openssl-0.9.8k/crypto/pqueue/pqueue.c	2009-07-19 11:32:41.000000000 +0200
-@@ -234,3 +234,17 @@
- 
- 	return ret;
- 	}
-+
-+int
-+pqueue_size(pqueue_s *pq)
-+{
-+	pitem *item = pq->items;
-+	int count = 0;
-+	
-+	while(item != NULL)
-+	{
-+		count++;
-+		item = item->next;
-+	}
-+	return count;
-+}
-Index: openssl-0.9.8k/crypto/pqueue/pqueue.h
-===================================================================
---- openssl-0.9.8k.orig/crypto/pqueue/pqueue.h	2005-05-31 00:34:27.000000000 +0200
-+++ openssl-0.9.8k/crypto/pqueue/pqueue.h	2009-07-19 11:32:41.000000000 +0200
-@@ -91,5 +91,6 @@
- pitem *pqueue_next(piterator *iter);
- 
- void   pqueue_print(pqueue pq);
-+int    pqueue_size(pqueue pq);
- 
- #endif /* ! HEADER_PQUEUE_H */

Deleted: openssl/trunk/debian/patches/CVE-2009-1378.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1378.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1378.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,22 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c	2007-10-17 23:17:49.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c	2009-07-19 11:37:44.000000000 +0200
-@@ -561,7 +561,16 @@
- 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
- 		goto err;
- 
--	if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+	/* Try to find item in queue, to prevent duplicate entries */
-+	pq_64bit_init(&seq64);
-+	pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+	item = pqueue_find(s->d1->buffered_messages, seq64);
-+	pq_64bit_free(&seq64);
-+	
-+	/* Discard the message if sequence number was already there, is
-+	 * too far in the future or the fragment is already in the queue */
-+	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
- 		{
- 		unsigned char devnull [256];
- 

Deleted: openssl/trunk/debian/patches/CVE-2009-1379.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1379.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1379.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,20 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c	2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c	2009-07-19 11:37:42.000000000 +0200
-@@ -530,13 +530,14 @@
- 				frag->fragment,frag->msg_header.frag_len);
- 			}
- 
-+		unsigned long frag_len = frag->msg_header.frag_len;
- 		dtls1_hm_fragment_free(frag);
- 		pitem_free(item);
- 
- 		if (al==0)
- 			{
- 			*ok = 1;
--			return frag->msg_header.frag_len;
-+			return frag_len;
- 			}
- 
- 		ssl3_send_alert(s,SSL3_AL_FATAL,al);

Deleted: openssl/trunk/debian/patches/CVE-2009-1387.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-1387.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-1387.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,51 +0,0 @@
-Index: openssl-0.9.8k/ssl/d1_both.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/d1_both.c	2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/ssl/d1_both.c	2009-07-19 11:32:41.000000000 +0200
-@@ -585,30 +585,31 @@
- 			}
- 		}
- 
--	frag = dtls1_hm_fragment_new(frag_len);
--	if ( frag == NULL)
--		goto err;
-+	if (frag_len)
-+	{
-+		frag = dtls1_hm_fragment_new(frag_len);
-+		if ( frag == NULL)
-+			goto err;
- 
--	memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-+		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
- 
--	if (frag_len)
--		{
--		/* read the body of the fragment (header has already been read */
-+		/* read the body of the fragment (header has already been read) */
- 		i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
- 			frag->fragment,frag_len,0);
- 		if (i<=0 || (unsigned long)i!=frag_len)
- 			goto err;
--		}
- 
--	pq_64bit_init(&seq64);
--	pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+		pq_64bit_init(&seq64);
-+		pq_64bit_assign_word(&seq64, msg_hdr->seq);
- 
--	item = pitem_new(seq64, frag);
--	pq_64bit_free(&seq64);
--	if ( item == NULL)
--		goto err;
-+		item = pitem_new(seq64, frag);
-+		pq_64bit_free(&seq64);
-+		if ( item == NULL)
-+			goto err;
-+
-+		pqueue_insert(s->d1->buffered_messages, item);
-+	}
- 
--	pqueue_insert(s->d1->buffered_messages, item);
- 	return DTLS1_HM_FRAGMENT_RETRY;
- 
- err:

Deleted: openssl/trunk/debian/patches/CVE-2009-2409.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-2409.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-2409.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,33 +0,0 @@
-This is http://cvs.openssl.org/chngview?cn=18381
-Fixes CVE-2009-2409
-
-Index: openssl/crypto/evp/c_alld.c
-RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
-rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
---- c_alld.c	2005/04/30 21:51:40	1.7
-+++ c_alld.c	2009/07/08 08:33:26	1.7.2.1
-@@ -64,9 +64,6 @@
- 
- void OpenSSL_add_all_digests(void)
- 	{
--#ifndef OPENSSL_NO_MD2
--	EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD4
- 	EVP_add_digest(EVP_md4());
- #endif
-Index: openssl/ssl/ssl_algs.c
-RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
-rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
---- ssl_algs.c	2007/04/23 23:50:21	1.12.2.3
-+++ ssl_algs.c	2009/07/08 08:33:27	1.12.2.4
-@@ -92,9 +92,6 @@
- 	EVP_add_cipher(EVP_seed_cbc());
- #endif
- 
--#ifndef OPENSSL_NO_MD2
--	EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD5
- 	EVP_add_digest(EVP_md5());
- 	EVP_add_digest_alias(SN_md5,"ssl2-md5");

Deleted: openssl/trunk/debian/patches/CVE-2009-3555.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-3555.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-3555.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,118 +0,0 @@
-diff -ur openssl-0.9.8k/crypto/asn1/asn1_err.c openssl-0.9.8l/crypto/asn1/asn1_err.c
---- openssl-0.9.8k/crypto/asn1/asn1_err.c	2009-03-25 11:35:57.000000000 +0100
-+++ openssl-0.9.8l/crypto/asn1/asn1_err.c	2009-11-05 14:52:55.000000000 +0100
-@@ -132,6 +132,7 @@
- {ERR_FUNC(ASN1_F_ASN1_VERIFY),	"ASN1_verify"},
- {ERR_FUNC(ASN1_F_B64_READ_ASN1),	"B64_READ_ASN1"},
- {ERR_FUNC(ASN1_F_B64_WRITE_ASN1),	"B64_WRITE_ASN1"},
-+{ERR_FUNC(ASN1_F_BIO_NEW_NDEF),	"BIO_NEW_NDEF"},
- {ERR_FUNC(ASN1_F_BITSTR_CB),	"BITSTR_CB"},
- {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),	"BN_to_ASN1_ENUMERATED"},
- {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),	"BN_to_ASN1_INTEGER"},
-diff -ur openssl-0.9.8k/crypto/asn1/asn1.h openssl-0.9.8l/crypto/asn1/asn1.h
---- openssl-0.9.8k/crypto/asn1/asn1.h	2009-03-25 11:35:57.000000000 +0100
-+++ openssl-0.9.8l/crypto/asn1/asn1.h	2009-11-05 14:52:55.000000000 +0100
-@@ -1158,6 +1158,7 @@
- #define ASN1_F_ASN1_VERIFY				 137
- #define ASN1_F_B64_READ_ASN1				 208
- #define ASN1_F_B64_WRITE_ASN1				 209
-+#define ASN1_F_BIO_NEW_NDEF				 212
- #define ASN1_F_BITSTR_CB				 180
- #define ASN1_F_BN_TO_ASN1_ENUMERATED			 138
- #define ASN1_F_BN_TO_ASN1_INTEGER			 139
-diff -ur openssl-0.9.8k/ssl/s3_lib.c openssl-0.9.8l/ssl/s3_lib.c
---- openssl-0.9.8k/ssl/s3_lib.c	2008-06-16 18:56:41.000000000 +0200
-+++ openssl-0.9.8l/ssl/s3_lib.c	2009-11-05 16:51:53.000000000 +0100
-@@ -2592,6 +2592,9 @@
- 	if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
- 		return(0);
- 
-+	if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-+		return(0);
-+
- 	s->s3->renegotiate=1;
- 	return(1);
- 	}
-diff -ur openssl-0.9.8k/ssl/s3_pkt.c openssl-0.9.8l/ssl/s3_pkt.c
---- openssl-0.9.8k/ssl/s3_pkt.c	2008-10-10 12:41:32.000000000 +0200
-+++ openssl-0.9.8l/ssl/s3_pkt.c	2009-11-05 16:52:53.000000000 +0100
-@@ -985,6 +985,7 @@
- 
- 		if (SSL_is_init_finished(s) &&
- 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-+			(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
- 			!s->s3->renegotiate)
- 			{
- 			ssl3_renegotiate(s);
-@@ -1117,7 +1118,8 @@
- 	if ((s->s3->handshake_fragment_len >= 4) &&	!s->in_handshake)
- 		{
- 		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
--			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
-+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-+			(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
- 			{
- #if 0 /* worked only because C operator preferences are not as expected (and
-        * because this is not really needed for clients except for detecting
-Only in openssl-0.9.8l/ssl: s3_pkt.c.~1.57.2.4.~
-diff -ur openssl-0.9.8k/ssl/s3_srvr.c openssl-0.9.8l/ssl/s3_srvr.c
---- openssl-0.9.8k/ssl/s3_srvr.c	2009-01-07 11:48:23.000000000 +0100
-+++ openssl-0.9.8l/ssl/s3_srvr.c	2009-11-05 16:52:11.000000000 +0100
-@@ -718,6 +718,14 @@
- #endif
- 	STACK_OF(SSL_CIPHER) *ciphers=NULL;
- 
-+	if (s->new_session
-+	    && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-+		{
-+		al=SSL_AD_HANDSHAKE_FAILURE;
-+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-+		goto f_err;
-+		}
-+
- 	/* We do this so that we will respond with our native type.
- 	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
- 	 * This down switching should be handled by a different method.
-diff -ur openssl-0.9.8k/ssl/ssl3.h openssl-0.9.8l/ssl/ssl3.h
---- openssl-0.9.8k/ssl/ssl3.h	2007-10-12 02:00:30.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl3.h	2009-11-05 16:52:03.000000000 +0100
-@@ -326,10 +326,11 @@
- #define SSL3_CT_NUMBER			7
- 
- 
--#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS	0x0001
--#define SSL3_FLAGS_DELAY_CLIENT_FINISHED	0x0002
--#define SSL3_FLAGS_POP_BUFFER			0x0004
--#define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
-+#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS		0x0001
-+#define SSL3_FLAGS_DELAY_CLIENT_FINISHED		0x0002
-+#define SSL3_FLAGS_POP_BUFFER				0x0004
-+#define TLS1_FLAGS_TLS_PADDING_BUG			0x0008
-+#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x0010
- 
- typedef struct ssl3_state_st
- 	{
-diff -ur openssl-0.9.8k/ssl/ssl_err.c openssl-0.9.8l/ssl/ssl_err.c
---- openssl-0.9.8k/ssl/ssl_err.c	2008-08-13 21:44:44.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl_err.c	2009-11-05 13:15:05.000000000 +0100
-@@ -384,6 +384,7 @@
- {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
- {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
- {ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
-+{ERR_REASON(SSL_R_NO_RENEGOTIATION)      ,"no renegotiation"},
- {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
- {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
- {ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
-Only in openssl-0.9.8l/ssl: ssl_err.c.orig
-diff -ur openssl-0.9.8k/ssl/ssl.h openssl-0.9.8l/ssl/ssl.h
---- openssl-0.9.8k/ssl/ssl.h	2008-08-13 21:44:44.000000000 +0200
-+++ openssl-0.9.8l/ssl/ssl.h	2009-11-05 13:15:41.000000000 +0100
-@@ -1952,6 +1952,7 @@
- #define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190
- #define SSL_R_NO_PROTOCOLS_AVAILABLE			 191
- #define SSL_R_NO_PUBLICKEY				 192
-+#define SSL_R_NO_RENEGOTIATION				 318
- #define SSL_R_NO_SHARED_CIPHER				 193
- #define SSL_R_NO_VERIFY_CALLBACK			 194
- #define SSL_R_NULL_SSL_CTX				 195
-

Deleted: openssl/trunk/debian/patches/CVE-2009-4355.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-4355.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/CVE-2009-4355.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,50 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Subject: memory consumption (DoS) vulnerability
-
-I've attached a patch which uses an alternative technique. The main problem is
-that the ex_data free function pointer is removed when
-CRYPTO_cleanup_all_ex_data() is called. If the compression structure is
-cleaned up directly this problem is avoided:
-
-Index: openssl-0.9.8k/crypto/comp/c_zlib.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/comp/c_zlib.c	2010-01-13 20:35:47.000000000 +0000
-+++ openssl-0.9.8k/crypto/comp/c_zlib.c	2010-01-13 20:35:50.000000000 +0000
-@@ -136,15 +136,6 @@
- 
- static int zlib_stateful_ex_idx = -1;
- 
--static void zlib_stateful_free_ex_data(void *obj, void *item,
--	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
--	{
--	struct zlib_state *state = (struct zlib_state *)item;
--	inflateEnd(&state->istream);
--	deflateEnd(&state->ostream);
--	OPENSSL_free(state);
--	}
--
- static int zlib_stateful_init(COMP_CTX *ctx)
- 	{
- 	int err;
-@@ -188,6 +179,12 @@
- 
- static void zlib_stateful_finish(COMP_CTX *ctx)
- 	{
-+	struct zlib_state *state =
-+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
-+			zlib_stateful_ex_idx);
-+	inflateEnd(&state->istream);
-+	deflateEnd(&state->ostream);
-+	OPENSSL_free(state);
- 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
- 	}
- 
-@@ -402,7 +399,7 @@
- 			if (zlib_stateful_ex_idx == -1)
- 				zlib_stateful_ex_idx =
- 					CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
--						0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
-+						0,NULL,NULL,NULL,NULL);
- 			CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
- 			if (zlib_stateful_ex_idx == -1)
- 				goto err;

Modified: openssl/trunk/debian/patches/ca.patch
===================================================================
--- openssl/trunk/debian/patches/ca.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/ca.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,19 +1,7 @@
-Index: openssl-0.9.8k/apps/CA.sh
+Index: openssl-0.9.8m/apps/CA.pl.in
 ===================================================================
---- openssl-0.9.8k.orig/apps/CA.sh	2005-07-04 23:44:22.000000000 +0200
-+++ openssl-0.9.8k/apps/CA.sh	2009-07-19 11:32:41.000000000 +0200
-@@ -91,6 +91,7 @@
- 			   -out ${CATOP}/$CAREQ
- 	    $CA -out ${CATOP}/$CACERT $CADAYS -batch \
- 			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
-+			   -extensions v3_ca \
- 			   -infiles ${CATOP}/$CAREQ 
- 	    RET=$?
- 	fi
-Index: openssl-0.9.8k/apps/CA.pl.in
-===================================================================
---- openssl-0.9.8k.orig/apps/CA.pl.in	2006-04-28 02:28:51.000000000 +0200
-+++ openssl-0.9.8k/apps/CA.pl.in	2009-07-19 11:32:41.000000000 +0200
+--- openssl-0.9.8m.orig/apps/CA.pl.in	2006-04-28 00:28:51.000000000 +0000
++++ openssl-0.9.8m/apps/CA.pl.in	2010-02-27 00:36:51.000000000 +0000
 @@ -65,6 +65,7 @@
  foreach (@ARGV) {
  	if ( /^(-\?|-h|-help)$/ ) {

Modified: openssl/trunk/debian/patches/engines-path.patch
===================================================================
--- openssl/trunk/debian/patches/engines-path.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/engines-path.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,47 +1,47 @@
-Index: openssl-0.9.8k/Configure
+Index: openssl-0.9.8m/Makefile.org
 ===================================================================
---- openssl-0.9.8k.orig/Configure	2009-07-19 11:32:41.000000000 +0200
-+++ openssl-0.9.8k/Configure	2009-07-19 11:37:18.000000000 +0200
-@@ -1687,7 +1687,7 @@
- 	if	(/^#define\s+OPENSSLDIR/)
- 		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
- 	elsif	(/^#define\s+ENGINESDIR/)
--		{ print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
-+		{ print OUT "#define ENGINESDIR \"$prefix/lib/ssl/engines\"\n"; }
- 	elsif	(/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
- 		{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
- 			if $export_var_as_fn;
-Index: openssl-0.9.8k/Makefile.org
-===================================================================
---- openssl-0.9.8k.orig/Makefile.org	2009-03-03 23:40:29.000000000 +0100
-+++ openssl-0.9.8k/Makefile.org	2009-07-19 11:37:33.000000000 +0200
-@@ -616,7 +616,7 @@
+--- openssl-0.9.8m.orig/Makefile.org	2010-01-27 16:06:36.000000000 +0000
++++ openssl-0.9.8m/Makefile.org	2010-02-27 00:43:04.000000000 +0000
+@@ -620,7 +620,7 @@
  install_sw:
  	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
--		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
-+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines \
- 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
++		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines \
+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
  		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
  		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-Index: openssl-0.9.8k/engines/Makefile
+Index: openssl-0.9.8m/engines/Makefile
 ===================================================================
---- openssl-0.9.8k.orig/engines/Makefile	2008-09-17 19:11:07.000000000 +0200
-+++ openssl-0.9.8k/engines/Makefile	2009-07-19 11:32:41.000000000 +0200
-@@ -100,13 +100,13 @@
+--- openssl-0.9.8m.orig/engines/Makefile	2009-11-10 01:53:02.000000000 +0000
++++ openssl-0.9.8m/engines/Makefile	2010-02-27 00:45:03.000000000 +0000
+@@ -101,13 +101,13 @@
  				*DSO_DL*)	sfx="sl";;	\
  				*)		sfx="bad";;	\
  				esac; \
--				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
-+				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \
+-				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
++				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new; \
  			  else \
  			  	sfx="so"; \
- 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
+ 				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
  			  fi; \
--			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
--			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx ); \
-+			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \
-+			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx ); \
+-			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new; \
+-			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx ); \
++			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new; \
++			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/lib$$l.$$sfx ); \
  		done; \
  	fi
  
+Index: openssl-0.9.8m/Configure
+===================================================================
+--- openssl-0.9.8m.orig/Configure	2010-02-27 00:40:42.000000000 +0000
++++ openssl-0.9.8m/Configure	2010-02-27 00:46:47.000000000 +0000
+@@ -1738,7 +1738,7 @@
+ 		# $foo is to become "$prefix/lib$multilib/engines";
+ 		# as Makefile.org and engines/Makefile are adapted for
+ 		# $multilib suffix.
+-		my $foo = "$prefix/lib/engines";
++		my $foo = "$prefix/lib/ssl/engines";
+ 		$foo =~ s/\\/\\\\/g;
+ 		print OUT "#define ENGINESDIR \"$foo\"\n";
+ 		}
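Review bot: The rewritten `mv -f` line at the end of the engines/Makefile hunk moves `lib$$l.$$sfx.new` out of `$(LIBDIR)/ssl/engines/` into `$(LIBDIR)/engines/`, whereas the `cp` and `chmod` lines directly above it and the `mkdir-p.pl` list in the Makefile.org hunk all use `$(LIBDIR)/ssl/engines/`, and the previous version of this patch rewrote both mv operands. Since install_sw no longer creates the unpatched `engines/` directory, the install presumably either fails on a fresh prefix or places the engine outside the directory that `ENGINESDIR` in the Configure hunk points to. The destination operand should be rewritten as well: `mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/ssl/engines/lib$$l.$$sfx ); \`. The Cygwin `cp cyg$$l.dll` context line still targets `$(LIBDIR)/engines/`, but that branch was already left unpatched before this revision, so it is a pre-existing gap rather than something this change introduces.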

Deleted: openssl/trunk/debian/patches/no_check_self_signed.patch
===================================================================
--- openssl/trunk/debian/patches/no_check_self_signed.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/no_check_self_signed.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,39 +0,0 @@
-Description: Don't check self signed certificate signatures in
- X509_verify_cert(): it just wastes time without adding any security. As a
- useful side effect self signed root CAs with non-FIPS digests are now usable
- in FIPS mode. [Steve Henson]
-Origin: upstream, http://cvs.openssl.org/chngview?cn=18260
-Bug-Debian: http://bugs.debian.org/541735
-
-Index: openssl/crypto/x509/x509_vfy.c
-RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
-rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null
---- x509_vfy.c	2008/07/13 14:33:15	1.77.2.8
-+++ x509_vfy.c	2009/06/15 14:52:38	1.77.2.9
-@@ -986,7 +986,11 @@
- 	while (n >= 0)
- 		{
- 		ctx->error_depth=n;
--		if (!xs->valid)
-+
-+		/* Skip signature check for self signed certificates. It
-+		 * doesn't add any security and just wastes time.
-+		 */
-+		if (!xs->valid && xs != xi)
- 			{
- 			if ((pkey=X509_get_pubkey(xi)) == NULL)
- 				{
-@@ -996,13 +1000,6 @@
- 				if (!ok) goto end;
- 				}
- 			else if (X509_verify(xs,pkey) <= 0)
--				/* XXX  For the final trusted self-signed cert,
--				 * this is a waste of time.  That check should
--				 * optional so that e.g. 'openssl x509' can be
--				 * used to detect invalid self-signatures, but
--				 * we don't verify again and again in SSL
--				 * handshakes and the like once the cert has
--				 * been declared trusted. */
- 				{
- 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
- 				ctx->current_cert=xs;

Deleted: openssl/trunk/debian/patches/pk7_mime_free.patch
===================================================================
--- openssl/trunk/debian/patches/pk7_mime_free.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/pk7_mime_free.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,20 +0,0 @@
-r21 | chrism | 2005-09-07 15:34:00 +0200 (Wed, 07 Sep 2005) | 3 lines
-
-fix pk7_mime.c to prevent garbled messages because of to early memory
-    free (closes: #310184)
-
-Index: openssl-0.9.8k/crypto/pkcs7/pk7_mime.c
-===================================================================
---- openssl-0.9.8k.orig/crypto/pkcs7/pk7_mime.c	2008-11-05 19:36:48.000000000 +0100
-+++ openssl-0.9.8k/crypto/pkcs7/pk7_mime.c	2009-07-19 17:13:53.000000000 +0200
-@@ -335,9 +335,9 @@
- 
- 		if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
- 			strcmp(hdr->value, "application/pkcs7-signature")) {
--			sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
- 			PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
- 			ERR_add_error_data(2, "type: ", hdr->value);
-+			sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
- 			sk_BIO_pop_free(parts, BIO_vfree);
- 			return NULL;
- 		}

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/series	2010-02-27 10:50:19 UTC (rev 443)
@@ -17,13 +17,3 @@
 shared-lib-ext.patch
 stddef.patch
 version-script.patch
-pk7_mime_free.patch
-tls_ext_v3.patch
-CVE-2009-1377.patch
-CVE-2009-1378.patch
-CVE-2009-1379.patch
-CVE-2009-1387.patch
-CVE-2009-2409.patch
-no_check_self_signed.patch
-CVE-2009-3555.patch
-CVE-2009-4355.patch

Deleted: openssl/trunk/debian/patches/tls_ext_v3.patch
===================================================================
--- openssl/trunk/debian/patches/tls_ext_v3.patch	2010-01-13 21:16:18 UTC (rev 442)
+++ openssl/trunk/debian/patches/tls_ext_v3.patch	2010-02-27 10:50:19 UTC (rev 443)
@@ -1,31 +0,0 @@
-r290 | kroeckx | 2008-03-23 18:52:37 +0100 (Sun, 23 Mar 2008) | 3 lines
-
-Don't add extentions to ssl v3 connections.  It breaks with some
-other software.  (Closes: #471681, #471896)
-
-Index: openssl-0.9.8k/ssl/t1_lib.c
-===================================================================
---- openssl-0.9.8k.orig/ssl/t1_lib.c	2008-09-04 00:13:04.000000000 +0200
-+++ openssl-0.9.8k/ssl/t1_lib.c	2009-07-19 17:15:14.000000000 +0200
-@@ -133,6 +133,10 @@
- 	int extdatalen=0;
- 	unsigned char *ret = p;
- 
-+	/* don't add extensions for SSLv3 */
-+	if (s->client_version == SSL3_VERSION)
-+		return p;
-+
- 	ret+=2;
- 
- 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
-@@ -251,6 +255,10 @@
- 	int extdatalen=0;
- 	unsigned char *ret = p;
- 
-+	/* don't add extensions for SSLv3 */
-+	if (s->version == SSL3_VERSION)
-+		return p;
-+
- 	ret+=2;
- 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
- 



