Package: release.debian.org
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I'd like to update the version in stable for openssl. See the
debdiff below.
The SSLv2 methods actually didn't exist in jessie, but some
defaults where changed and the SSLv2 methods now in jessie just
return NULL. This removes the symbols again. Exposing the
symbols in the headers actually seems to have broken something,
so this removes them again. It was actually never the intention
to introduce those symbols again.
The other fix is a regression.
There are also some open CVEs in upstream git, but I'll wait with
those until there is actually a new release.
Kurt
diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.000000000 +0200
+++ openssl-1.0.1t/debian/changelog 2016-06-11 19:20:02.000000000 +0200
@@ -1,3 +1,11 @@
+openssl (1.0.1t-1+deb8u3) jessie; urgency=medium
+
+ * Disable SSLv2 methods again, changes upstream has split no-ssl2 into
+ no-ssl2 and no-ssl2-method
+ * Fix length check for CRLs. (Closes: #826552)
+
+ -- Kurt Roeckx <k...@roeckx.be> Sat, 11 Jun 2016 19:18:11 +0200
+
openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
* add Update-S-MIME-certificates.patch to update expired certificates to
diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
--- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch
2016-06-11 19:16:05.000000000 +0200
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz <rs...@openssl.org>
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+- if (len > X509_NAME_MAX) {
+- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+- return 0;
+- }
++ if (len > X509_NAME_MAX)
++ len = X509_NAME_MAX;
+ q = p;
+
+ /* Get internal representation of Name */
+--
+2.8.1
+
diff -Nru openssl-1.0.1t/debian/patches/series
openssl-1.0.1t/debian/patches/series
--- openssl-1.0.1t/debian/patches/series 2016-05-15 21:16:55.000000000
+0200
+++ openssl-1.0.1t/debian/patches/series 2016-06-11 19:19:06.000000000
+0200
@@ -20,3 +20,4 @@
openssl_fix_for_x32.patch
ppc64el.patch
Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch
diff -Nru openssl-1.0.1t/debian/rules openssl-1.0.1t/debian/rules
--- openssl-1.0.1t/debian/rules 2016-05-06 14:16:42.000000000 +0200
+++ openssl-1.0.1t/debian/rules 2016-06-11 19:18:36.000000000 +0200
@@ -26,7 +26,7 @@
export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)-
endif
-CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib
enable-tlsext no-ssl2 no-ssl3
+CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl
--libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext
no-ssl2 no-ssl2-method no-ssl3
OPT_alpha = ev4 ev5
OPT_i386 = i586 i686/cmov
ARCHOPTS = OPT_$(DEB_HOST_ARCH)
