[Pkg-openssl-changes] r747 - in openssl/trunk/debian: . patches po
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sun Sep 6 16:11:55 UTC 2015
Author: kroeckx
Date: 2015-09-06 16:11:54 +0000 (Sun, 06 Sep 2015)
New Revision: 747
Added:
openssl/trunk/debian/libcrypto1.0.2-udeb.dirs
openssl/trunk/debian/libssl1.0.2.dirs
openssl/trunk/debian/libssl1.0.2.files
openssl/trunk/debian/libssl1.0.2.postinst
openssl/trunk/debian/libssl1.0.2.symbols
openssl/trunk/debian/libssl1.0.2.templates
openssl/trunk/debian/patches/disable_sslv3_test.patch
openssl/trunk/debian/patches/soname.patch
Removed:
openssl/trunk/debian/libcrypto1.0.0-udeb.dirs
openssl/trunk/debian/libssl1.0.0.dirs
openssl/trunk/debian/libssl1.0.0.files
openssl/trunk/debian/libssl1.0.0.postinst
openssl/trunk/debian/libssl1.0.0.symbols
openssl/trunk/debian/libssl1.0.0.templates
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/control
openssl/trunk/debian/patches/engines-path.patch
openssl/trunk/debian/patches/series
openssl/trunk/debian/patches/version-script.patch
openssl/trunk/debian/po/POTFILES.in
openssl/trunk/debian/rules
Log:
Completely disable SSLv3
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/changelog 2015-09-06 16:11:54 UTC (rev 747)
@@ -1,3 +1,13 @@
+openssl (1.0.2d-2) experimental; urgency=medium
+
+ * Build with no-ssl3-method to remove all SSLv3 support. This results in
+ the functions SSLv3_method(), SSLv3_server_method() and
+ SSLv3_client_method() being removed from libssl. Change the soname as
+ result of that and also changes name of the binary package.
+ (Closes: #768476)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sun, 06 Sep 2015 14:21:27 +0200
+
openssl (1.0.2d-1) unstable; urgency=high
* New upstream version
Modified: openssl/trunk/debian/control
===================================================================
--- openssl/trunk/debian/control 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/control 2015-09-06 16:11:54 UTC (rev 747)
@@ -27,7 +27,7 @@
* testing SSL/TLS clients and servers;
* handling S/MIME signed or encrypted mail.
-Package: libssl1.0.0
+Package: libssl1.0.2
Section: libs
Priority: important
Architecture: any
@@ -41,7 +41,7 @@
.
It provides the libssl and libcrypto shared libraries.
-Package: libcrypto1.0.0-udeb
+Package: libcrypto1.0.2-udeb
XC-Package-Type: udeb
Section: debian-installer
Priority: optional
@@ -61,7 +61,7 @@
Architecture: any
Multi-Arch: same
Recommends: libssl-doc
-Depends: libssl1.0.0 (= ${binary:Version}), zlib1g-dev, ${misc:Depends}
+Depends: libssl1.0.2 (= ${binary:Version}), zlib1g-dev, ${misc:Depends}
Description: Secure Sockets Layer toolkit - development files
This package is part of the OpenSSL project's implementation of the SSL
and TLS cryptographic protocols for secure communication over the
@@ -84,12 +84,12 @@
.
It contains manpages and demo files for libssl and libcrypto.
-Package: libssl1.0.0-dbg
+Package: libssl1.0.2-dbg
Section: debug
Priority: extra
Architecture: any
Multi-Arch: same
-Depends: libssl1.0.0 (= ${binary:Version}), ${misc:Depends}
+Depends: libssl1.0.2 (= ${binary:Version}), ${misc:Depends}
Description: Secure Sockets Layer toolkit - debug information
This package is part of the OpenSSL project's implementation of the SSL
and TLS cryptographic protocols for secure communication over the
Deleted: openssl/trunk/debian/libcrypto1.0.0-udeb.dirs
===================================================================
--- openssl/trunk/debian/libcrypto1.0.0-udeb.dirs 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libcrypto1.0.0-udeb.dirs 2015-09-06 16:11:54 UTC (rev 747)
@@ -1 +0,0 @@
-usr/lib
Copied: openssl/trunk/debian/libcrypto1.0.2-udeb.dirs (from rev 734, openssl/trunk/debian/libcrypto1.0.0-udeb.dirs)
===================================================================
--- openssl/trunk/debian/libcrypto1.0.2-udeb.dirs (rev 0)
+++ openssl/trunk/debian/libcrypto1.0.2-udeb.dirs 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1 @@
+usr/lib
Deleted: openssl/trunk/debian/libssl1.0.0.dirs
===================================================================
--- openssl/trunk/debian/libssl1.0.0.dirs 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libssl1.0.0.dirs 2015-09-06 16:11:54 UTC (rev 747)
@@ -1 +0,0 @@
-usr/share/doc/libssl1.0.0
Deleted: openssl/trunk/debian/libssl1.0.0.files
===================================================================
--- openssl/trunk/debian/libssl1.0.0.files 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libssl1.0.0.files 2015-09-06 16:11:54 UTC (rev 747)
@@ -1,4 +0,0 @@
-usr/lib/*/*.so.*.*.*
-usr/lib/*/*/*.so.*.*.*
-usr/lib/*/i686/cmov/*.so.*.*.*
-usr/lib/*/openssl-1.0.0/engines
Deleted: openssl/trunk/debian/libssl1.0.0.postinst
===================================================================
--- openssl/trunk/debian/libssl1.0.0.postinst 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libssl1.0.0.postinst 2015-09-06 16:11:54 UTC (rev 747)
@@ -1,207 +0,0 @@
-#!/bin/sh
-
-. /usr/share/debconf/confmodule
-
-set -e
-
-package_name()
-{
- echo $(basename $0 .postinst)
-}
-
-# element() is a helper function for file-rc:
-element() {
- local element list IFS
-
- element="$1"
-
- [ "$2" = "in" ] && shift
- list="$2"
- [ "$list" = "-" ] && return 1
- [ "$list" = "*" ] && return 0
-
- IFS=","
- set -- $list
- case $element in
- "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
- return 0
- esac
- return 1
-}
-
-# filerc (runlevel, service) returns /etc/init.d/service, if service is
-# running in $runlevel:
-filerc() {
- local runlevel basename
- runlevel=$1
- basename=$2
- while read LINE
- do
- case $LINE in
- \#*|"") continue
- esac
-
- set -- $LINE
- SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
- [ "$CMD" = "/etc/init.d/$basename" ] || continue
-
- if element "$runlevel" in "$START" || element "S" in "$START"
- then
- echo "/etc/init.d/$basename"
- return 0
- fi
- done < /etc/runlevel.conf
- echo ""
-}
-
-if [ "$1" = "configure" ]
-then
- if [ ! -z "$2" ]; then
- if dpkg --compare-versions "$2" lt 1.0.1g-2; then
- echo -n "Checking for services that may need to be restarted..."
- check="amanda-server anon-proxy apache2 apache-ssl"
- check="$check apf-firewall asterisk bacula-director-common"
- check="$check bacula-fd bacula-sd bind9 bip boinc-client"
- check="$check boxbackup-client boxbackup-server bozo cfengine2"
- check="$check cfengine3 citadel-server clamav-daemon clamav-freshclam"
- check="$check clamcour collectd-core conserver-server courier-imap-ssl"
- check="$check courier-mta-ssl courier-pop-ssl cyrus21-imapd"
- check="$check cyrus21-pop3d cyrus-common cyrus-imspd dovecot-core"
- check="$check ejabberd exim4 fetchmail freeradius ftpd-ssl gatling"
- check="$check globus-gatekeeper inn inn2 libapache-mod-ssl lighttpd lldpd"
- check="$check lwresd monit myproxy-server nagios-nrpe-server nginx-common"
- check="$check ntp openntpd openssh-server openvpn partimage-server"
- check="$check postfix postgresql-7.4 postgresql-8.0 postgresql-8.1"
- check="$check postgresql-8.2 postgresql-9.1 postgresql-9.2 postgresql-9.3"
- check="$check proftpd proftpd-ldap proftpd-basic"
- check="$check proftpd-mysql proftpd-pgsql racoon sendmail slapd"
- check="$check spamassassin ssh-nonfree stunnel4 syslog-ng tor unbound"
- check="$check vsftpd"
- # Only get the ones that are installed, and configured
- check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
- # init script rewrites
- check=$(echo $check | sed "
- # The name of proftpd-{ldap,mysql,pgsql,basic} init script is
- # same as "proftpd".
- s/proftpd-.*/proftpd/g;
- # dovecot-core ships its init script, but the
- # script name is dovecot for dovecot-{imapd,pop3d}.
- s/dovecot-core/dovecot/g;
- # openssh-server's init script it called ssh
- s/openssh-server/ssh/g;
- # bacula-director-common's init is bacula-director
- s/bacula-director-common/bacula-director/g;
- # citadel server
- s/citadel-server/citadel/g;
- # collectd
- s/collectd-core/collectd/g;
- # cyrus
- s/cyrus-common/cyrus-imapd/g;
- # nginx
- s/nginx-common/nginx/g;
- ")
- echo "done."
- fi
- if dpkg --compare-versions "$2" lt 1.0.1g-3; then
- echo -n "Checking for services that may need to be restarted..."
- check2="chef chef-expander chef-server-api"
- check2="$check2 chef-solr pound postgresql-common"
- check2="$check2 prosody puppet puppetmaster snmpd"
-
- # Only get the ones that are installed, and configured
- check2=$(dpkg -s $check2 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
- # init script rewrites
- check2=$(echo $check2 | sed -r "
- s/chef\s/chef-client/g;
- s/chef-server-api/chef-server/g;
- s/postgresql-common/postgresql/g;
- ")
- echo "done."
- if [ -n "$check2" ]; then
- check="$check $check2"
- fi
- fi
-
- if [ -n "$check" ]; then
- db_version 2.0
- echo "Checking init scripts..."
- for service in $check; do
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
- idl=$(ls /etc/init.d/${service} 2> /dev/null | head -n 1)
- if [ -n "$idl" ] && [ -x $idl ]; then
- services="$service $services"
- else
- echo "WARNING: init script for $service not found."
- fi
- else
- if [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
-
- idl=$(filerc $rl $service)
- else
- idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
- fi
- if [ -n "$idl" ] && [ -x $idl ]; then
- services="$service $services"
- fi
- fi
- done
- if [ -n "$services" ]; then
- db_input critical libraries/restart-without-asking || true
- db_go || true
- db_get libraries/restart-without-asking
- if [ "x$RET" != xtrue ]; then
- db_reset libssl1.0.0/restart-services
- db_set libssl1.0.0/restart-services "$services"
- db_input critical libssl1.0.0/restart-services || true
- db_go || true
- db_get libssl1.0.0/restart-services
-
- if [ "x$RET" != "x" ]
- then
- services=$RET
- answer=yes
- else
- answer=no
- fi
- else
- answer=yes
- fi
- echo
- if [ "$answer" = yes ] && [ "$services" != "" ]; then
- echo "Restarting services possibly affected by the upgrade:"
- failed=""
- rl=$(runlevel | sed 's/.*\ //')
- for service in $services; do
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
- idl="invoke-rc.d ${service}"
- elif [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
- idl=$(filerc $rl $service)
- else
- idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
- fi
-
- if ! $idl restart; then
- failed="$service $failed"
- fi
- done
- echo
- if [ -n "$failed" ]; then
- db_subst libssl1.0.0/restart-failed services "$failed"
- db_input critical libssl1.0.0/restart-failed || true
- db_go || true
- else
- echo "Services restarted successfully."
- fi
- echo
- fi
- else
- echo "Nothing to restart."
- fi
- # Shut down the frontend, to make sure none of the
- # restarted services keep a connection open to it
- db_stop
- fi # end upgrading and $2 lt 0.9.8c-2
- fi # Upgrading
-fi
-
-#DEBHELPER#
Deleted: openssl/trunk/debian/libssl1.0.0.symbols
===================================================================
--- openssl/trunk/debian/libssl1.0.0.symbols 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libssl1.0.0.symbols 2015-09-06 16:11:54 UTC (rev 747)
@@ -1,10 +0,0 @@
-libcrypto.so.1.0.0 libssl1.0.0 #MINVER#
- *@OPENSSL_1.0.0 1.0.0
- *@OPENSSL_1.0.1 1.0.1
- *@OPENSSL_1.0.1d 1.0.1d
- *@OPENSSL_1.0.2 1.0.2~beta3
-libssl.so.1.0.0 libssl1.0.0 #MINVER#
- *@OPENSSL_1.0.0 1.0.0
- *@OPENSSL_1.0.1 1.0.1
- *@OPENSSL_1.0.1d 1.0.1d
- *@OPENSSL_1.0.2 1.0.2~beta3
Deleted: openssl/trunk/debian/libssl1.0.0.templates
===================================================================
--- openssl/trunk/debian/libssl1.0.0.templates 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/libssl1.0.0.templates 2015-09-06 16:11:54 UTC (rev 747)
@@ -1,30 +0,0 @@
-Template: libssl1.0.0/restart-services
-Type: string
-_Description: Services to restart to make them use the new libraries:
- This release of OpenSSL fixes some security issues. Services will not
- use these fixes until they are restarted. Please note that restarting
- the SSH server (sshd) should not affect any existing connections.
- .
- Please check the list of detected services that need to be restarted
- and correct it, if needed. The services names must be identical to the
- initialization script names in /etc/init.d and separated by
- spaces. No services will be restarted if the list is empty.
- .
- Any service that later fails unexpectedly after this upgrade should
- be restarted. It is recommended to reboot this host to avoid any
- SSL-related trouble.
-
-Template: libssl1.0.0/restart-failed
-Type: error
-#flag:translate!:3
-#flag:comment:2
-# This paragraph is followed by a (non translatable) paragraph containing
-# a list of services that could not be restarted
-_Description: Failure restarting some services for OpenSSL upgrade
- The following services could not be restarted for the OpenSSL library upgrade:
- .
- ${services}
- .
- You will need to start these manually by running
- '/etc/init.d/<service> start'.
-
Copied: openssl/trunk/debian/libssl1.0.2.dirs (from rev 734, openssl/trunk/debian/libssl1.0.0.dirs)
===================================================================
--- openssl/trunk/debian/libssl1.0.2.dirs (rev 0)
+++ openssl/trunk/debian/libssl1.0.2.dirs 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1 @@
+usr/share/doc/libssl1.0.2
Copied: openssl/trunk/debian/libssl1.0.2.files (from rev 734, openssl/trunk/debian/libssl1.0.0.files)
===================================================================
--- openssl/trunk/debian/libssl1.0.2.files (rev 0)
+++ openssl/trunk/debian/libssl1.0.2.files 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,4 @@
+usr/lib/*/*.so.*.*.*
+usr/lib/*/*/*.so.*.*.*
+usr/lib/*/i686/cmov/*.so.*.*.*
+usr/lib/*/openssl-1.0.2/engines
Copied: openssl/trunk/debian/libssl1.0.2.postinst (from rev 734, openssl/trunk/debian/libssl1.0.0.postinst)
===================================================================
--- openssl/trunk/debian/libssl1.0.2.postinst (rev 0)
+++ openssl/trunk/debian/libssl1.0.2.postinst 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,207 @@
+#!/bin/sh
+
+. /usr/share/debconf/confmodule
+
+set -e
+
+package_name()
+{
+ echo $(basename $0 .postinst)
+}
+
+# element() is a helper function for file-rc:
+element() {
+ local element list IFS
+
+ element="$1"
+
+ [ "$2" = "in" ] && shift
+ list="$2"
+ [ "$list" = "-" ] && return 1
+ [ "$list" = "*" ] && return 0
+
+ IFS=","
+ set -- $list
+ case $element in
+ "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
+ return 0
+ esac
+ return 1
+}
+
+# filerc (runlevel, service) returns /etc/init.d/service, if service is
+# running in $runlevel:
+filerc() {
+ local runlevel basename
+ runlevel=$1
+ basename=$2
+ while read LINE
+ do
+ case $LINE in
+ \#*|"") continue
+ esac
+
+ set -- $LINE
+ SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
+ [ "$CMD" = "/etc/init.d/$basename" ] || continue
+
+ if element "$runlevel" in "$START" || element "S" in "$START"
+ then
+ echo "/etc/init.d/$basename"
+ return 0
+ fi
+ done < /etc/runlevel.conf
+ echo ""
+}
+
+if [ "$1" = "configure" ]
+then
+ if [ ! -z "$2" ]; then
+ if dpkg --compare-versions "$2" lt 1.0.1g-2; then
+ echo -n "Checking for services that may need to be restarted..."
+ check="amanda-server anon-proxy apache2 apache-ssl"
+ check="$check apf-firewall asterisk bacula-director-common"
+ check="$check bacula-fd bacula-sd bind9 bip boinc-client"
+ check="$check boxbackup-client boxbackup-server bozo cfengine2"
+ check="$check cfengine3 citadel-server clamav-daemon clamav-freshclam"
+ check="$check clamcour collectd-core conserver-server courier-imap-ssl"
+ check="$check courier-mta-ssl courier-pop-ssl cyrus21-imapd"
+ check="$check cyrus21-pop3d cyrus-common cyrus-imspd dovecot-core"
+ check="$check ejabberd exim4 fetchmail freeradius ftpd-ssl gatling"
+ check="$check globus-gatekeeper inn inn2 libapache-mod-ssl lighttpd lldpd"
+ check="$check lwresd monit myproxy-server nagios-nrpe-server nginx-common"
+ check="$check ntp openntpd openssh-server openvpn partimage-server"
+ check="$check postfix postgresql-7.4 postgresql-8.0 postgresql-8.1"
+ check="$check postgresql-8.2 postgresql-9.1 postgresql-9.2 postgresql-9.3"
+ check="$check proftpd proftpd-ldap proftpd-basic"
+ check="$check proftpd-mysql proftpd-pgsql racoon sendmail slapd"
+ check="$check spamassassin ssh-nonfree stunnel4 syslog-ng tor unbound"
+ check="$check vsftpd"
+ # Only get the ones that are installed, and configured
+ check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+ # init script rewrites
+ check=$(echo $check | sed "
+ # The name of proftpd-{ldap,mysql,pgsql,basic} init script is
+ # same as "proftpd".
+ s/proftpd-.*/proftpd/g;
+ # dovecot-core ships its init script, but the
+ # script name is dovecot for dovecot-{imapd,pop3d}.
+ s/dovecot-core/dovecot/g;
+ # openssh-server's init script it called ssh
+ s/openssh-server/ssh/g;
+ # bacula-director-common's init is bacula-director
+ s/bacula-director-common/bacula-director/g;
+ # citadel server
+ s/citadel-server/citadel/g;
+ # collectd
+ s/collectd-core/collectd/g;
+ # cyrus
+ s/cyrus-common/cyrus-imapd/g;
+ # nginx
+ s/nginx-common/nginx/g;
+ ")
+ echo "done."
+ fi
+ if dpkg --compare-versions "$2" lt 1.0.1g-3; then
+ echo -n "Checking for services that may need to be restarted..."
+ check2="chef chef-expander chef-server-api"
+ check2="$check2 chef-solr pound postgresql-common"
+ check2="$check2 prosody puppet puppetmaster snmpd"
+
+ # Only get the ones that are installed, and configured
+ check2=$(dpkg -s $check2 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+ # init script rewrites
+ check2=$(echo $check2 | sed -r "
+ s/chef\s/chef-client/g;
+ s/chef-server-api/chef-server/g;
+ s/postgresql-common/postgresql/g;
+ ")
+ echo "done."
+ if [ -n "$check2" ]; then
+ check="$check $check2"
+ fi
+ fi
+
+ if [ -n "$check" ]; then
+ db_version 2.0
+ echo "Checking init scripts..."
+ for service in $check; do
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ idl=$(ls /etc/init.d/${service} 2> /dev/null | head -n 1)
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ else
+ echo "WARNING: init script for $service not found."
+ fi
+ else
+ if [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
+
+ idl=$(filerc $rl $service)
+ else
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ fi
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ fi
+ fi
+ done
+ if [ -n "$services" ]; then
+ db_input critical libraries/restart-without-asking || true
+ db_go || true
+ db_get libraries/restart-without-asking
+ if [ "x$RET" != xtrue ]; then
+ db_reset libssl1.0.2/restart-services
+ db_set libssl1.0.2/restart-services "$services"
+ db_input critical libssl1.0.2/restart-services || true
+ db_go || true
+ db_get libssl1.0.2/restart-services
+
+ if [ "x$RET" != "x" ]
+ then
+ services=$RET
+ answer=yes
+ else
+ answer=no
+ fi
+ else
+ answer=yes
+ fi
+ echo
+ if [ "$answer" = yes ] && [ "$services" != "" ]; then
+ echo "Restarting services possibly affected by the upgrade:"
+ failed=""
+ rl=$(runlevel | sed 's/.*\ //')
+ for service in $services; do
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ idl="invoke-rc.d ${service}"
+ elif [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
+ idl=$(filerc $rl $service)
+ else
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ fi
+
+ if ! $idl restart; then
+ failed="$service $failed"
+ fi
+ done
+ echo
+ if [ -n "$failed" ]; then
+ db_subst libssl1.0.2/restart-failed services "$failed"
+ db_input critical libssl1.0.2/restart-failed || true
+ db_go || true
+ else
+ echo "Services restarted successfully."
+ fi
+ echo
+ fi
+ else
+ echo "Nothing to restart."
+ fi
+ # Shut down the frontend, to make sure none of the
+ # restarted services keep a connection open to it
+ db_stop
+ fi # end upgrading and $2 lt 0.9.8c-2
+ fi # Upgrading
+fi
+
+#DEBHELPER#
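Review bot: `$rl` is read in the "Checking init scripts" loop (`filerc $rl $service` and `/etc/rc${rl}.d/S??${service}`) before it is assigned, because `rl=$(runlevel | sed 's/.*\ //')` only runs later, inside the restart branch. On a system without invoke-rc.d the lookup therefore runs with an empty runlevel and is likely to find nothing, so affected services would not be offered for restart; moving the assignment to just after `db_version 2.0` fixes that. Separately, the gates `dpkg --compare-versions "$2" lt 1.0.1g-2` and `lt 1.0.1g-3` appear unreachable for a package whose first version is 1.0.2d-2, so the whole restart prompt may be dead code under the new name and is worth either re-basing or dropping. The trailing comment `# end upgrading and $2 lt 0.9.8c-2` no longer matches either threshold.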
Copied: openssl/trunk/debian/libssl1.0.2.symbols (from rev 734, openssl/trunk/debian/libssl1.0.0.symbols)
===================================================================
--- openssl/trunk/debian/libssl1.0.2.symbols (rev 0)
+++ openssl/trunk/debian/libssl1.0.2.symbols 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,4 @@
+libcrypto.so.1.0.2 libssl1.0.2 #MINVER#
+ *@OPENSSL_1.0.2d 1.0.2d
+libssl.so.1.0.2 libssl1.0.2 #MINVER#
+ *@OPENSSL_1.0.2d 1.0.2d
Copied: openssl/trunk/debian/libssl1.0.2.templates (from rev 734, openssl/trunk/debian/libssl1.0.0.templates)
===================================================================
--- openssl/trunk/debian/libssl1.0.2.templates (rev 0)
+++ openssl/trunk/debian/libssl1.0.2.templates 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,30 @@
+Template: libssl1.0.2/restart-services
+Type: string
+_Description: Services to restart to make them use the new libraries:
+ This release of OpenSSL fixes some security issues. Services will not
+ use these fixes until they are restarted. Please note that restarting
+ the SSH server (sshd) should not affect any existing connections.
+ .
+ Please check the list of detected services that need to be restarted
+ and correct it, if needed. The services names must be identical to the
+ initialization script names in /etc/init.d and separated by
+ spaces. No services will be restarted if the list is empty.
+ .
+ Any service that later fails unexpectedly after this upgrade should
+ be restarted. It is recommended to reboot this host to avoid any
+ SSL-related trouble.
+
+Template: libssl1.0.2/restart-failed
+Type: error
+#flag:translate!:3
+#flag:comment:2
+# This paragraph is followed by a (non translatable) paragraph containing
+# a list of services that could not be restarted
+_Description: Failure restarting some services for OpenSSL upgrade
+ The following services could not be restarted for the OpenSSL library upgrade:
+ .
+ ${services}
+ .
+ You will need to start these manually by running
+ '/etc/init.d/<service> start'.
+
Added: openssl/trunk/debian/patches/disable_sslv3_test.patch
===================================================================
--- openssl/trunk/debian/patches/disable_sslv3_test.patch (rev 0)
+++ openssl/trunk/debian/patches/disable_sslv3_test.patch 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,23 @@
+From: Kurt Roeckx <kurt at roeckx.be>
+Date: Sun, 06 Sep 2015 16:04:11 +0200
+Subject: Disable SSLv3 test in test suite
+
+When testing SSLv3 the test program returns 0 for skip. The test for weak DH
+expects a failure, but gets success.
+
+It should probably be changed to return something other than 0 for a skipped
+test.
+
+Index: openssl-1.0.2d/test/testssl
+===================================================================
+--- openssl-1.0.2d.orig/test/testssl
++++ openssl-1.0.2d/test/testssl
+@@ -160,7 +160,7 @@ test_cipher() {
+ }
+
+ echo "Testing ciphersuites"
+-for protocol in TLSv1.2 SSLv3; do
++for protocol in TLSv1.2; do
+ echo "Testing ciphersuites for $protocol"
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+ test_cipher $cipher $protocol
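Review bot: With SSLv3 dropped from the `for protocol in TLSv1.2; do` loop, nothing in the visible part of testssl checks that an SSLv3 handshake is actually refused by the `no-ssl3-method` build, so a regression that re-enabled the protocol would still pass the suite. The patch header already identifies the underlying problem (a skipped test exits 0). A follow-up that makes a skip distinguishable from success and asserts failure for SSLv3 would be a stronger guard than removing the case. The header could also carry a `Forwarded:` field so the upstream status of the exit-code issue is tracked. The loop body continues outside the hunk.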
Modified: openssl/trunk/debian/patches/engines-path.patch
===================================================================
--- openssl/trunk/debian/patches/engines-path.patch 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/patches/engines-path.patch 2015-09-06 16:11:54 UTC (rev 747)
@@ -7,7 +7,7 @@
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines \
++ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
@@ -20,14 +20,14 @@
@if [ -n "$(SHARED_LIBS)" ]; then \
set -e; \
- $(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines; \
-+ $(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines; \
++ $(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines; \
for l in $(LIBNAMES); do \
( echo installing $$l; \
pfx=lib; \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
sfx=".so"; \
- cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
++ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
else \
case "$(CFLAGS)" in \
*DSO_BEOS*) sfx=".so";; \
@@ -36,12 +36,12 @@
*) sfx=".bad";; \
esac; \
- cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
++ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
-+ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new; \
-+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$$pfx$$l$$sfx ); \
++ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
++ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx ); \
done; \
fi
@target=install; $(RECURSIVE_MAKE)
@@ -54,7 +54,7 @@
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
-+ my $foo = "$prefix/$libdir/openssl-1.0.0/engines";
++ my $foo = "$prefix/$libdir/openssl-1.0.2/engines";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
@@ -67,7 +67,7 @@
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
sfx=".so"; \
- cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
-+ cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
else \
case "$(CFLAGS)" in \
*DSO_BEOS*) sfx=".so";; \
@@ -76,12 +76,12 @@
*) sfx=".bad";; \
esac; \
- cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
-+ cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx; \
-+ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new; \
-+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.0/engines/$${pfx}$(LIBNAME)$$sfx; \
++ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx; \
fi
links:
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/patches/series 2015-09-06 16:11:54 UTC (rev 747)
@@ -15,3 +15,5 @@
block_digicert_malaysia.patch
#padlock_conf.patch
disable_freelist.patch
+soname.patch
+disable_sslv3_test.patch
Added: openssl/trunk/debian/patches/soname.patch
===================================================================
--- openssl/trunk/debian/patches/soname.patch (rev 0)
+++ openssl/trunk/debian/patches/soname.patch 2015-09-06 16:11:54 UTC (rev 747)
@@ -0,0 +1,13 @@
+Index: openssl-1.0.2d/crypto/opensslv.h
+===================================================================
+--- openssl-1.0.2d.orig/crypto/opensslv.h
++++ openssl-1.0.2d/crypto/opensslv.h
+@@ -88,7 +88,7 @@ extern "C" {
+ * should only keep the versions that are binary compatible with the current.
+ */
+ # define SHLIB_VERSION_HISTORY ""
+-# define SHLIB_VERSION_NUMBER "1.0.0"
++# define SHLIB_VERSION_NUMBER "1.0.2"
+
+
+ #ifdef __cplusplus
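Review bot: soname.patch has no header at all, so the reason for a Debian-specific `SHLIB_VERSION_NUMBER "1.0.2"` is recorded only in debian/changelog. A short DEP-3 header would make the patch self-explanatory, for example `Description: Bump soname to 1.0.2; SSLv3_method() and friends are removed by no-ssl3-method` together with `Forwarded: not-needed`. The header should also say that this is not upstream's soname: the `.orig` side of the hunk shows 1.0.2d still using "1.0.0", and the new value reads like an upstream version number.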
Modified: openssl/trunk/debian/patches/version-script.patch
===================================================================
--- openssl/trunk/debian/patches/version-script.patch 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/patches/version-script.patch 2015-09-06 16:11:54 UTC (rev 747)
@@ -15,8 +15,8 @@
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100
-@@ -0,0 +1,4615 @@
-+OPENSSL_1.0.0 {
+@@ -0,0 +1,4602 @@
++OPENSSL_1.0.2d {
+ global:
+ BIO_f_ssl;
+ BIO_new_buffer_ssl_connect;
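Review bot: The version node for libssl/libcrypto is renamed to `OPENSSL_1.0.2d` here, while the two engine scripts in the later hunks (engines/openssl.ld and engines/ccgost/openssl.ld) become `OPENSSL_1.0.2`. If the difference is deliberate, a line in the patch header saying so would help. Otherwise one name throughout avoids confusion the next time the symbols file (`*@OPENSSL_1.0.2d`) is updated. The version script itself continues well outside this hunk.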
@@ -4314,14 +4314,6 @@
+ CRYPTO_cbc128_decrypt;
+ CRYPTO_cfb128_encrypt;
+ CRYPTO_cfb128_8_encrypt;
-+
-+ local:
-+ *;
-+};
-+
-+
-+OPENSSL_1.0.1 {
-+ global:
+ SSL_renegotiate_abbreviated;
+ TLSv1_1_method;
+ TLSv1_1_client_method;
@@ -4483,15 +4475,7 @@
+ BIO_s_datagram_sctp;
+ BIO_dgram_is_sctp;
+ BIO_dgram_sctp_notification_cb;
-+} OPENSSL_1.0.0;
-+
-+OPENSSL_1.0.1d {
-+ global:
+ CRYPTO_memcmp;
-+} OPENSSL_1.0.1;
-+
-+OPENSSL_1.0.2 {
-+ global:
+ SSL_CTX_set_alpn_protos;
+ SSL_set_alpn_protos;
+ SSL_CTX_set_alpn_select_cb;
@@ -4629,14 +4613,17 @@
+ BUF_strnlen;
+ sk_deep_copy;
+ SSL_test_functions;
-+} OPENSSL_1.0.1d;
+
++ local:
++ *;
++};
++
Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld 2014-02-24 21:02:30.000000000 +0100
@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
++OPENSSL_1.0.2 {
+ global:
+ bind_engine;
+ v_check;
@@ -4651,7 +4638,7 @@
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld 2014-02-24 21:02:30.000000000 +0100
@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
++OPENSSL_1.0.2 {
+ global:
+ bind_engine;
+ v_check;
Modified: openssl/trunk/debian/po/POTFILES.in
===================================================================
--- openssl/trunk/debian/po/POTFILES.in 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/po/POTFILES.in 2015-09-06 16:11:54 UTC (rev 747)
@@ -1 +1 @@
-[type: gettext/rfc822deb] libssl1.0.0.templates
+[type: gettext/rfc822deb] libssl1.0.2.templates
Modified: openssl/trunk/debian/rules
===================================================================
--- openssl/trunk/debian/rules 2015-07-09 16:27:42 UTC (rev 746)
+++ openssl/trunk/debian/rules 2015-09-06 16:11:54 UTC (rev 747)
@@ -26,7 +26,7 @@
export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)-
endif
-CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 enable-unit-test
+CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 enable-unit-test no-ssl3-method
OPT_alpha = ev4 ev5
OPT_i386 = i586 i686/cmov
ARCHOPTS = OPT_$(DEB_HOST_ARCH)
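Review bot: `no-ssl3-method` is appended to an already long `CONFARGS` line, and nothing in the file explains that it removes exported functions and is the reason for the soname change. A comment above the assignment, e.g. `# no-ssl3-method drops SSLv3_*method() from libssl (ABI break, see debian/patches/soname.patch)`, would stop a later edit from removing or re-adding the flag without touching the soname. Splitting the options over continuation lines would also make future changes to the protocol flags easier to review.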
@@ -136,13 +136,13 @@
mkdir -p debian/tmp/etc/ssl
mv debian/tmp/usr/lib/ssl/{certs,openssl.cnf,private} debian/tmp/etc/ssl/
ln -s /etc/ssl/{certs,openssl.cnf,private} debian/tmp/usr/lib/ssl/
- cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.0-udeb/usr/lib/
+ cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.2-udeb/usr/lib/
cp -auv lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/
for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt; cp -auv $$opt/lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt/; done
mkdir -p debian/tmp/usr/include/$(DEB_HOST_MULTIARCH)/openssl
mv debian/tmp/usr/include/openssl/opensslconf.h debian/tmp/usr/include/$(DEB_HOST_MULTIARCH)/openssl/
- install debian/copyright debian/libssl1.0.0/usr/share/doc/libssl1.0.0/
- install debian/changelog debian/libssl1.0.0/usr/share/doc/libssl1.0.0/changelog.Debian
+ install debian/copyright debian/libssl1.0.2/usr/share/doc/libssl1.0.2/
+ install debian/changelog debian/libssl1.0.2/usr/share/doc/libssl1.0.2/changelog.Debian
install debian/copyright debian/libssl-dev/usr/share/doc/libssl-dev/
install debian/changelog debian/libssl-dev/usr/share/doc/libssl-dev/changelog.Debian
@@ -155,12 +155,12 @@
dh_compress -a
chmod 700 debian/openssl/etc/ssl/private
dh_fixperms -a -X etc/ssl/private
- dh_strip -plibssl1.0.0 --dbg-package=libssl1.0.0-dbg
- dh_strip -a -Nlibssl1.0.0
+ dh_strip -plibssl1.0.2 --dbg-package=libssl1.0.2-dbg
+ dh_strip -a -Nlibssl1.0.2
dh_perl -a -d
- dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4
- dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1d)" --add-udeb="libcrypto1.0.0-udeb" -Xengines
- dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH)
+ dpkg-gensymbols -Pdebian/libssl1.0.2/ -plibssl1.0.2 -c4
+ dh_makeshlibs -a -V "libssl1.0.2" --add-udeb="libcrypto1.0.2-udeb" -Xengines
+ dh_shlibdeps -a -L libssl1.0.2 -l debian/libssl1.0.2/usr/lib/$(DEB_HOST_MULTIARCH)
dh_gencontrol -a
dh_installdeb -a
dh_md5sums -a
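Review bot: `dh_makeshlibs -a -V "libssl1.0.2"` now generates an unversioned shlibs dependency, where the old line pinned `(>= 1.0.1d)`. That is fine for the first upload under the new soname, but any consumer that falls back to shlibs rather than the symbols file (the udeb added via `--add-udeb` is a likely case) gets no minimum version once new symbols appear. Writing `-V "libssl1.0.2 (>= 1.0.2d)"` keeps the floor explicit and matches the `1.0.2d` minimum in libssl1.0.2.symbols.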