[Pkg-openssl-changes] r709 - openssl/branches/wheezy/debian/patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Thu Jan 8 20:42:38 UTC 2015


Author: kroeckx
Date: 2015-01-08 20:42:37 +0000 (Thu, 08 Jan 2015)
New Revision: 709

Modified:
   openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
   openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
   openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
Log:
Remove CHANGES from the commits so they apply.


Modified: openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch	2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch	2015-01-08 20:42:37 UTC (rev 709)
@@ -38,61 +38,12 @@
 
 (cherry picked from commit 684400ce192dac51df3d3e92b61830a6ef90be3e)
 ---
- CHANGES                | 37 +++++++++++++++++++++++++++++++++++++
  crypto/asn1/a_verify.c | 12 ++++++++++++
  crypto/dsa/dsa_asn1.c  | 14 +++++++++++++-
  crypto/ecdsa/ecs_vrf.c | 15 ++++++++++++++-
  crypto/x509/x_all.c    |  2 ++
  5 files changed, 78 insertions(+), 2 deletions(-)
 
-diff --git a/CHANGES b/CHANGES
-index c3bb940..c91552c 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,43 @@
- 
-  Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
- 
-+  *) Fix various certificate fingerprint issues.
-+
-+     By using non-DER or invalid encodings outside the signed portion of a
-+     certificate the fingerprint can be changed without breaking the signature.
-+     Although no details of the signed portion of the certificate can be changed
-+     this can cause problems with some applications: e.g. those using the
-+     certificate fingerprint for blacklists.
-+
-+     1. Reject signatures with non zero unused bits.
-+
-+     If the BIT STRING containing the signature has non zero unused bits reject
-+     the signature. All current signature algorithms require zero unused bits.
-+
-+     2. Check certificate algorithm consistency.
-+
-+     Check the AlgorithmIdentifier inside TBS matches the one in the
-+     certificate signature. NB: this will result in signature failure
-+     errors for some broken certificates.
-+
-+     Thanks to Konrad Kraszewski from Google for reporting this issue.
-+
-+     3. Check DSA/ECDSA signatures use DER.
-+
-+     Reencode DSA/ECDSA signatures and compare with the original received
-+     signature. Return an error if there is a mismatch.
-+
-+     This will reject various cases including garbage after signature
-+     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
-+     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
-+     (negative or with leading zeroes).
-+
-+     Further analysis was conducted and fixes were developed by Stephen Henson
-+     of the OpenSSL core team.
-+
-+     (CVE-2014-8275)
-+     [Steve Henson]
-+
-    *) Do not resume sessions on the server if the negotiated protocol
-       version does not match the session's version. Resuming with a different
-       version, while not strictly forbidden by the RFC, is of questionable
 diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
 index fc84cd3..a571009 100644
 --- a/crypto/asn1/a_verify.c
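Review bot: the summary line kept as context, `5 files changed, 78 insertions(+), 2 deletions(-)`, is stale now that the `CHANGES | 37` row above it is removed and only four files remain listed. Patch tools ignore the diffstat, so the file still applies, but updating it to 4 files and 41 insertions (or regenerating the header) keeps it consistent with the body. The dropped CHANGES text is also the only place in the lines shown here that names CVE-2014-8275 and spells out the three checks (unused bits, AlgorithmIdentifier consistency, DER re-encoding of DSA/ECDSA signatures); confirm the remaining patch description or debian/changelog still carries that reference.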

Modified: openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch	2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch	2015-01-08 20:42:37 UTC (rev 709)
@@ -13,28 +13,9 @@
 
 (cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
 ---
- CHANGES       |  7 +++++++
  ssl/s3_clnt.c | 18 +++++++++++++++---
  2 files changed, 22 insertions(+), 3 deletions(-)
 
-diff --git a/CHANGES b/CHANGES
-index bfb75be..8d3e6ff 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -4,6 +4,13 @@
- 
-  Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
- 
-+  *) Abort handshake if server key exchange message is omitted for ephemeral
-+     ECDH ciphersuites.
-+
-+     Thanks to Karthikeyan Bhargavan for reporting this issue.
-+     (CVE-2014-3572)
-+     [Steve Henson]
-+
-   *) Ensure that the session ID context of an SSL is updated when its
-      SSL_CTX is updated via SSL_set_SSL_CTX.
- 
 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
 index 7a95d5a..43ffc77 100644
 --- a/ssl/s3_clnt.c
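Review bot: the retained context line `2 files changed, 22 insertions(+), 3 deletions(-)` no longer matches the patch, since only `ssl/s3_clnt.c | 18` is left after the CHANGES row and its 7 added lines are removed; it should read 1 file changed, 15 insertions, 3 deletions. With the CHANGES entry gone, the lines shown here no longer mention CVE-2014-3572 or the behaviour change (abort the handshake when the server key exchange message is omitted for ephemeral ECDH), so it is worth checking that the patch description above this hunk or debian/changelog records both.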

Modified: openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch	2015-01-08 20:36:40 UTC (rev 708)
+++ openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch	2015-01-08 20:42:37 UTC (rev 709)
@@ -18,7 +18,6 @@
 Conflicts:
 	doc/ssl/SSL_CTX_set_options.pod
 ---
- CHANGES                                  |  8 ++++++++
  doc/ssl/SSL_CTX_set_options.pod          | 10 +---------
  doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
  ssl/d1_srvr.c                            | 21 ++++++---------------
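Review bot: the `Conflicts:` block kept as context at the top of this hunk lists only doc/ssl/SSL_CTX_set_options.pod, so once the `CHANGES` row is dropped the header gives no hint that the patch now differs from the upstream commit in a second place. A one-line remark in the patch header that the CHANGES hunk was removed for the wheezy backport would save anyone comparing against upstream from rediscovering it.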
@@ -27,25 +26,6 @@
  ssl/ssl.h                                |  5 ++---
  7 files changed, 38 insertions(+), 57 deletions(-)
 
-diff --git a/CHANGES b/CHANGES
-index 8d3e6ff..594d7c5 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -11,6 +11,14 @@
-      (CVE-2014-3572)
-      [Steve Henson]
- 
-+  *) Remove non-export ephemeral RSA code on client and server. This code
-+     violated the TLS standard by allowing the use of temporary RSA keys in
-+     non-export ciphersuites and could be used by a server to effectively
-+     downgrade the RSA key length used to a value smaller than the server
-+     certificate. Thanks for Karthikeyan Bhargavan for reporting this issue.
-+     (CVE-2015-0204)
-+     [Steve Henson]
-+
-   *) Ensure that the session ID context of an SSL is updated when its
-      SSL_CTX is updated via SSL_set_SSL_CTX.
- 
 diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
 index 6e6b5e6..e80a72c 100644
 --- a/doc/ssl/SSL_CTX_set_options.pod
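Review bot: removing the CHANGES hunk takes the CVE-2015-0204 reference and the rationale (temporary RSA keys in non-export ciphersuites letting a server downgrade the RSA key length) out of the lines shown here, so make sure the patch description or debian/changelog still names the CVE. The context line `7 files changed, 38 insertions(+), 57 deletions(-)` is also stale and should become 6 files and 30 insertions. On the approach itself: the removed hunk used `(CVE-2014-3572)` and `[Steve Henson]` as leading context and `index 8d3e6ff` as its pre-image, which is the post-image of the CHANGES hunk in 0098, so dropping CHANGES from 0098 alone would have left this one without its context; removing it from both patches in the same revision is the consistent choice.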



