[Pkg-openssl-changes] r518 - in openssl/trunk/debian: . patches

Kurt Roeckx kroeckx at alioth.debian.org
Mon Nov 28 21:17:20 UTC 2011


Author: kroeckx
Date: 2011-11-28 21:17:19 +0000 (Mon, 28 Nov 2011)
New Revision: 518

Added:
   openssl/trunk/debian/patches/block_digicert_malaysia.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/series
Log:
Commit changes from the -2.1 upload by Raphael Geissert


Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog	2011-09-10 15:08:31 UTC (rev 517)
+++ openssl/trunk/debian/changelog	2011-11-28 21:17:19 UTC (rev 518)
@@ -1,3 +1,11 @@
+openssl (1.0.0e-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
+    as revoked.
+
+ -- Raphael Geissert <geissert at debian.org>  Sun, 06 Nov 2011 01:39:30 -0600
+
 openssl (1.0.0e-2) unstable; urgency=low
 
   * Add a missing $(DEB_HOST_MULTIARCH)
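Review bot: The new 1.0.0e-2.1 entry is an urgency=high Security Team upload, but it gives no bug or advisory reference and does not say how the certificates are identified. Suggest stating that the block is a match on the string "Digicert Sdn. Bhd." in the certificate name, as the patch description does, and adding a Closes: reference if a bug exists, so the reason for the upload can be traced from the changelog alone.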

Added: openssl/trunk/debian/patches/block_digicert_malaysia.patch
===================================================================
--- openssl/trunk/debian/patches/block_digicert_malaysia.patch	                        (rev 0)
+++ openssl/trunk/debian/patches/block_digicert_malaysia.patch	2011-11-28 21:17:19 UTC (rev 518)
@@ -0,0 +1,26 @@
+From: Raphael Geissert <geissert at debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked.
+Forwarded: not-needed
+Origin: vendor
+Last-Update: 2011-11-05
+
+Index: openssl-1.0.0e/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.0e.orig/crypto/x509/x509_vfy.c
++++ openssl-1.0.0e/crypto/x509/x509_vfy.c
+@@ -833,10 +833,11 @@ static int check_ca_blacklist(X509_STORE
+ 	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+ 		{
+ 		x = sk_X509_value(ctx->chain, i);
+-		/* Mark DigiNotar certificates as revoked, no matter
+-		 * where in the chain they are.
++		/* Mark certificates containing the following names as
++		 * revoked, no matter where in the chain they are.
+ 		 */
+-		if (x->name && strstr(x->name, "DigiNotar"))
++		if (x->name && (strstr(x->name, "DigiNotar") ||
++			strstr(x->name, "Digicert Sdn. Bhd.")))
+ 			{
+ 			ctx->error = X509_V_ERR_CERT_REVOKED;
+ 			ctx->error_depth = i;
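Review bot: The added condition `strstr(x->name, "Digicert Sdn. Bhd.")` is a case-sensitive, byte-exact substring test. It misses any variant spelling of the name (different case, spacing or punctuation) and rejects every certificate whose name string contains that text anywhere. Now that the check covers two names, consider moving them into a small NULL-terminated array walked inside the loop. The comment should state which exact spelling is matched and why a name match was chosen over certificate fingerprints or serial numbers. The failure is still reported as X509_V_ERR_CERT_REVOKED at any chain depth, which agrees with the patch description, but a line in the comment saying this is a vendor blacklist and not a CRL or OCSP result would help whoever has to debug a failed verification.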

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2011-09-10 15:08:31 UTC (rev 517)
+++ openssl/trunk/debian/patches/series	2011-11-28 21:17:19 UTC (rev 518)
@@ -29,4 +29,5 @@
 pkcs12-doc.patch
 dgst_hmac.patch
 block_diginotar.patch
+block_digicert_malaysia.patch
 c_rehash-multi.patch



