Change logs for openssl source package in Experimental

  • openssl (3.4.0-1) experimental; urgency=medium
    
      * Import 3.4.0
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 23 Oct 2024 21:18:43 +0200
  • openssl (3.4.0~~beta1-2) experimental; urgency=medium
    
      * Add a patch to avoid using other memory allocations if custom malloc is
        provided.
      * Add a patch to check length in the SPARC assembly implementation of
        AES-CBC.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 13 Oct 2024 22:07:10 +0200
  • openssl (3.4.0~~beta1-1) experimental; urgency=medium
    
      * Import 3.4.0-beta1
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 07 Oct 2024 23:03:28 +0200
  • openssl (3.3.1-5) experimental; urgency=medium
    
      * Split the legacy provider into its own package (Closes: #965041).
      * Add the FIPS provider (Closes: #1050210).
      * Reintroduce the provider section back in the default openssl.cnf. This is
        was to keep compatibility with the openssl 1.1 series. Adding makes it
        easier to add/enable providers such as fips.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 04 Aug 2024 23:22:06 +0200
  • openssl (3.3.1-1) experimental; urgency=medium
    
      * Import 3.3.1.
        - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
          (Closes: #1071972).
        - CVE-2024-4741 (Use After Free with SSL_free_buffers)
          (Closes: #1072113).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 04 Jun 2024 18:37:30 +0200
  • openssl (3.3.0-1) experimental; urgency=medium
    
      * Import 3.3.0.
        - CVE-2024-2511 (Unbounded memory growth with session handling in TLSv1.3)
          (Closes: #1068658).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 11 Apr 2024 21:49:45 +0200
  • openssl (3.3.0~beta1-1) experimental; urgency=medium
    
      * Import 3.3.0-beta1.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 05 Apr 2024 23:09:03 +0200
  • openssl (3.2.1-2) experimental; urgency=medium
    
      * Disable brotli and enable zlib for certificate compression.
      * Update to latest openssl-3.2 branch.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 22 Feb 2024 21:41:18 +0100
  • openssl (3.2.1-1.1~exp1) experimental; urgency=medium
    
      * Non-maintainer upload.
      * Rename libraries for 64-bit time_t transition.
    
     -- Steve Langasek <email address hidden>  Mon, 19 Feb 2024 07:33:51 +0000
  • openssl (3.2.1-1) experimental; urgency=medium
    
      * Import 3.2.1
       - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
       - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
         (Closes: #1060858).
       - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
         PowerPC) (Closes: #1060347).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 03 Feb 2024 17:23:00 +0100
  • openssl (3.2.0-2) experimental; urgency=medium
    
      * Use generic target for riscv64.
      * Update to latest openssl-3.2 branch.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 14 Dec 2023 21:13:53 +0100
  • openssl (3.2.0-1) experimental; urgency=medium
    
      * Import 3.2.0
      * Enable zstd, brotli and for certificate compression.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sun, 26 Nov 2023 13:37:14 +0100
  • openssl (3.1.5-1) unstable; urgency=medium
    
      * Import 3.1.5
        - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
        - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
          (Closes: #1060858).
        - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
          PowerPC) (Closes: #1060347).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 03 Feb 2024 17:11:24 +0100
  • openssl (3.1.4-2) unstable; urgency=medium
    
      * Invoke clean up from the openssl binary as a temporary workaround to avoid
        a crash in libp11/SoftHSM engine (Closes: #1054546).
      * CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
        parameter value) (Closes: #1055473).
      * Upload to unstable.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 25 Nov 2023 21:35:59 +0100
  • openssl (3.1.4-1) experimental; urgency=medium
    
      * Import 3.1.4
       - CVE-2023-5363 (Incorrect cipher key and IV length processing).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 24 Oct 2023 21:58:49 +0200
  • openssl (3.1.3-1) experimental; urgency=medium
    
      * Import 3.1.3
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 19 Sep 2023 18:57:49 +0200
  • openssl (3.1.2-1) experimental; urgency=medium
    
      * Import 3.1.2
       - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
         entries) (Closes: #1041818).
       - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
         (Closes: #1041817).
       - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
       - Drop bc and m4 from B-D.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 01 Aug 2023 22:51:25 +0200
  • openssl (3.1.1-1) experimental; urgency=medium
    
      * Import 3.1.1
        - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
          Constraints) (Closes: #1034720).
        - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
          silently ignored).
        - CVE-2023-0466 (Certificate policy check not enabled).
        - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
        - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
        - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
        - Add new symbol.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 30 May 2023 19:46:00 +0200
  • openssl (3.1.0-1) experimental; urgency=medium
    
      * Import 3.1.0
      * Add new symbols.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 06 May 2023 12:11:09 +0200
  • openssl (3.0.3-1) experimental; urgency=medium
    
      * Import 3.0.3
        - CVE-2022-1292 (The c_rehash script allows command injection).
        - CVE-2022-1343 (OCSP_basic_verify may incorrectly verify the response
          signing certificate).
        - CVE-2022-1434 (Incorrect MAC key used in the RC4-MD5 ciphersuite).
        - CVE-2022-1473 (Resource leakage when decoding certificates and keys).
        - Add new symbols.
      * Correct the openssl.cnf to provide proper default configuration. Thanks to
        Matthias Blümel (Closes: #1010360).
      * Use a separator in the CipherString in openssl.cnf (Closes: #948800).
      * Remove the postinst script which was used to restart daemons after a
        library upgrade. It is not updated and essentially dead code. Users are
        advised to switch to checkrestart/ needrestart or a similar service.
        Thanks to Helmut Grohne (Closes: #983722).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 06 May 2022 22:21:52 +0200
  • openssl (3.0.2-1) experimental; urgency=medium
    
      * Import 3.0.2
        - CVE-2022-0778 (Infinite loop in BN_mod_sqrt() reachable when parsing
          certificates).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 15 Mar 2022 20:54:57 +0100
  • openssl (3.0.1-1) experimental; urgency=medium
    
      * Import 3.0.1
        - CVE-2021-4044 (Fixed invalid handling of X509_verify_cert() internal
          errors in libssl).
      * Zero used registers at function exit.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Mon, 27 Dec 2021 11:44:50 +0100
  • openssl (3.0.0-1) experimental; urgency=medium
    
      * Import 3.0.0.
      * Add avr32, patch by Vineet Gupta (Closes: #989442).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 11 Sep 2021 10:41:54 +0200
  • openssl (3.0.0~~beta2-1) experimental; urgency=medium
    
      * Import 3.0.0-beta2.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 30 Jul 2021 07:51:18 +0200
  • openssl (3.0.0~~beta1-1) experimental; urgency=medium
    
      * Import 3.0.0-beta1.
      * Use HARNESS_VERBOSE again (otherwise the test suite might be killed since no
        progress is visible).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 23 Jun 2021 19:32:27 +0200
  • openssl (3.0.0~~alpha16-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha16.
      * Use VERBOSE_FAILURE to log only failures in the build log.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 06 May 2021 21:54:38 +0200
  • openssl (3.0.0~~alpha15-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha15.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 28 Apr 2021 23:26:47 +0200
  • openssl (3.0.0~~alpha13-2) experimental; urgency=medium
    
      * Add a proposed patch from upstream to skip negative errno number in the
        testsuite to pass the testsuite on hurd.
      * Always link against libatomic.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 07 Apr 2021 21:36:02 +0200
  • openssl (3.0.0~~alpha13-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha13.
      * Move configuration.h to architecture specific include folder. Patch from
        Antonio Terceiro (Closes: #985555).
      * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
      * drop `lsof', the testsuite is not using it anymore.
      * Enable ktls.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 01 Apr 2021 23:07:05 +0200
  • openssl (3.0.0~~alpha4-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha4.
      * Add `lsof' which is needed by the test suite.
      * Add ossl-modules to libcrypto's udeb.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 07 Jul 2020 00:16:54 +0200
  • openssl (3.0.0~~alpha3-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha3
      * Install the .so files only in the -dev package (Closes: #962548).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 17 Jun 2020 23:24:43 +0200
  • openssl (3.0.0~~alpha1-1) experimental; urgency=medium
    
      * Import 3.0.0-alpha1 (Closes: #934836).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Sat, 25 Apr 2020 23:08:44 +0200
  • openssl (1.1.1~~pre8-1) experimental; urgency=medium
    
      * New upstream version.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Thu, 05 Jul 2018 00:21:00 +0200
  • openssl (1.1.1~~pre7-1) experimental; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
      * Fix CVE-2018-0737 (Closes: #895844).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 30 May 2018 19:49:26 +0200
  • openssl (1.1.1~~pre6-2) experimental; urgency=medium
    
      * Update libssl1.1.symbols
    
     -- Kurt Roeckx <email address hidden>  Tue, 01 May 2018 16:34:27 +0200
  • openssl (1.1.1~~pre4-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre4 (Closes: #892276, #894282).
      * Add riscv64 target (Closes: #891797).
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 03 Apr 2018 21:41:55 +0200
  • openssl (1.1.1~~pre3-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre3
      * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
      * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
      * Enable system default config to enforce TLS1.2 as a minimum.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Wed, 21 Mar 2018 00:01:08 +0100
  • openssl (1.1.1~~pre2-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre2
    
     -- Sebastian Andrzej Siewior <email address hidden>  Tue, 27 Feb 2018 21:25:09 +0100
  • openssl (1.1.0b-1) experimental; urgency=medium
    
      * New upstream release
        - Fixes CVE-2016-6309
    
     -- Kurt Roeckx <email address hidden>  Mon, 26 Sep 2016 18:21:09 +0200
  • openssl (1.1.0a-1) experimental; urgency=medium
    
      * New upstream release
        - Fix CVE-2016-6304
        - Fix CVE-2016-6305
        - Fix CVE-2016-6307
        - Fix CVE-2016-6308
      * Update c_rehash-compat.patch to apply to new version.
      * Update symbol file.
    
     -- Kurt Roeckx <email address hidden>  Thu, 22 Sep 2016 20:13:59 +0200
  • openssl (1.1.0-1) experimental; urgency=medium
    
      [ Kurt Roeckx ]
      * New upstream version
      * Use Package-Type instead of XC-Package-Type
      * Remove "Priority: optional" in the binary packages.
      * Add Homepage
      * Use dpkg-buildflags's LDFLAGS also for building the shared libraries.
    
      [ Sebastian Andrzej Siewior ]
      * drop config-hurd.patch, we don't use `config' and it works without the
        patch.
      * Drop depend on zlib1g-dev since we don't use it anymore (Closes: #767207)
      * Make the openssl package Multi-Arch: foreign (Closes: #827028)
    
     -- Kurt Roeckx <email address hidden>  Thu, 25 Aug 2016 18:52:22 +0200
  • openssl (1.1.0~pre6-1) experimental; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * drop engines-path.patch. Upstream uses a 1.1 suffixes now.
    
      [ Kurt Roeckx ]
      * New upstream version
      * Drop upstream snapshot
      * Update symbols file
      * Use some https instead of http URLs
    
     -- Kurt Roeckx <email address hidden>  Thu, 04 Aug 2016 18:33:24 +0200
  • openssl (1.1.0~pre5-5) experimental; urgency=medium
    
      * Update snapshot to commit fe964f0c88f6780fd30b26e306484b981b0a8480
    
     -- Kurt Roeckx <email address hidden>  Sat, 02 Jul 2016 14:54:51 +0200
  • openssl (1.1.0~pre5-4) experimental; urgency=medium
    
      * Update snapshot to commit c32bdbf171ce6650ef045ec47b5abe0de7c264db
      * Remove utils-mkdir-p-check-if-dir-exists-also-after-mkdir-f.patch, applied
        upstream
    
     -- Kurt Roeckx <email address hidden>  Sun, 26 Jun 2016 15:07:48 +0200
  • openssl (1.1.0~pre5-3) experimental; urgency=medium
    
      [ Kurt Roeckx ]
      * Don't use assembler on hppa, it's not written for Linux.
    
     -- Sebastian Andrzej Siewior <email address hidden>  Fri, 10 Jun 2016 22:33:06 +0200
  • openssl (1.1.0~pre5-1) experimental; urgency=medium
    
      * New upstream version with soname change.  Upload to experimental.
        - Rename binary packages
        - Remove patches:
          - block_diginotar.patch: All cross certificates expired in 2013
          - block_digicert_malaysia.patch: intermediate certificates expired in
            2015
          - man-dir.patch: Fixed upstream
          - valgrind.patch: Upstream no longer adds the uninitialized data to the
            RNG
          - shared-lib-ext.patch: No longer needed
          - version-script.patch: Upstream does symbol versioning itself now
          - disable_freelist.patch: No longer needed
          - soname.patch: Was to change to the 1.0.2 soname that upstream never had
          - disable_sslv3_test.patch: Fixed upstream
          - libdoc-manpgs-pod-spell.patch: Fixed upstream (Closes: #813191)
        - Rewrite debian-targets.patch to work with the new configuration system.
        - Update other patches to apply
        - Update list of install docs
        - Use DESTDIR instead of INSTALL_PREFIX
        - Clean up more files
        - Remove the configure option enable-tlsext no-ssl2 since they're no
          longer supported.
      * Add upstream snapshot:
        - Add d2i-tests.tar to get new binary test files.
      * Don't build i686 optimized version anymore on i386, it's now the default.
        (Closes: #823774)
    
     -- Kurt Roeckx <email address hidden>  Sat, 28 May 2016 20:58:31 +0200
  • openssl (1.0.2d-2) experimental; urgency=medium
    
      * Build with no-ssl3-method to remove all SSLv3 support.  This results in
        the functions SSLv3_method(), SSLv3_server_method() and
        SSLv3_client_method() being removed from libssl.  Change the soname as
        result of that and also changes name of the binary package.
        (Closes: #768476)
      * Enable rfc3779 and cms support (Closes: #630790)
      * Fix cross compilation for mips architectures. (Closes: #782492)
    
     -- Kurt Roeckx <email address hidden>  Sun, 06 Sep 2015 14:21:27 +0200
  • openssl (1.0.2-1) experimental; urgency=medium
    
    
      * New upstream release
        - Fixes CVE-2014-3571
        - Fixes CVE-2015-0206
        - Fixes CVE-2014-3569
        - Fixes CVE-2014-3572
        - Fixes CVE-2015-0204
        - Fixes CVE-2015-0205
        - Fixes CVE-2014-8275
        - Fixes CVE-2014-3570
        - Drop git_snapshot.patch
      * Drop gnu_source.patch, dgst_hmac.patch, stddef.patch,
        no_ssl3_method.patch: applied upstream
      * Update patches to apply
    
     -- Kurt Roeckx <email address hidden>  Fri, 23 Jan 2015 18:54:13 +0100
  • openssl (1.0.2~beta3-1) experimental; urgency=low
    
    
      * New upstream beta version
      * Add git snapshot
      * Merge changes between 1.0.1h-3 and 1.0.1j-1:
        - Disables SSLv3 because of CVE-2014-3566
      * Drop patch rehash-crt.patch: partially applied upstream.
        c_rehash now doesn't support files in DER format anymore.
      * Drop patch rehash_pod.patch: applied upstream
      * Update c_rehash-compat.patch to apply to new upstream version.  This
        undoes upstream's "-old" option and creates both the new and old again.
        It now also does it for CRLs.
      * Drop defaults.patch, applied upstream
      * dgst_hmac.patch updated to apply to upstream version.
      * engines-path.patch updated to apply to upstream version.
      * Update list of exported symbols
      * Update symbols files to require beta3
      * Enable unit tests
      * Add patch to add support for the no-ssl3-method option that completely
        disable SSLv3 and pass the option.  This drops the following functions
        from the library: SSLv3_method, SSLv3_server_method and
        SSLv3_client_method
      * Build using OPENSSL_NO_BUF_FREELISTS
    
     -- Kurt Roeckx <email address hidden>  Fri, 07 Nov 2014 00:20:10 +0100
  • openssl (1.0.2~beta2-1) experimental; urgency=medium
    
    
      * New upstream beta version
        - Fix CVE-2014-0224
        - Fix CVE-2014-0221
        - Fix CVE-2014-0195
        - Fix CVE-2014-3470
        - Fix CVE-2014-0198
        - Fix CVE-2010-5298
        - Fix CVE-2014-0160
        - Fix CVE-2014-0076
      * Merge changes between 1.0.1f-1 and 1.0.1h-3:
        - postinst: Updated check for restarting services
      * libdoc-manpgs-pod-spell.patch and openssl-pod-misspell.patch
        partially applied upstream
      * Drop fix-pod-errors.patch, applied upstream.
      * Add support for ppc64le (Closes: #745657)
      * Add support for OpenRISC (Closes: #736772)
    
     -- Kurt Roeckx <email address hidden>  Wed, 23 Jul 2014 19:54:09 +0200
  • openssl (1.0.2~beta1-1) experimental; urgency=medium
    
    
      * New upstream beta version
        - Update list of symbols that should be exported and adjust the symbols
          file.  This also removes a bunch of duplicate symbols in the linker
          file.
        - Fix additional pod errors
        - Following patches have been applied upstream and are removed:
          libssl-misspell.patch, pod_req_misspell2.patch,
          pod_pksc12.misspell.patch, pod_s_server.misspell.patch,
          pod_x509setflags.misspell.patch, pod_ec.misspell.patch,
          pkcs12-doc.patch, req_bits.patch
        - Following patches have been partially applied upstream:
          libdoc-manpgs-pod-spell.patch, openssl-pod-misspell.patch
        - Remove openssl_fix_for_x32.patch, different patch applied upstream.
      * Add support for cross compiling (Closes: #465248)
    
     -- Kurt Roeckx <email address hidden>  Tue, 25 Feb 2014 00:36:51 +0100
  • openssl (1.0.0c-2) experimental; urgency=low
    
      * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
      * Always define _GNU_SOURCE, not only for Linux.
      * Drop SSL2 support (Closes: #589706)
    
     -- Kurt Roeckx <email address hidden>  Sun, 19 Dec 2010 16:24:16 +0100
  • openssl (1.0.0c-1) experimental; urgency=low
    
      * New upstream version (Closes: #578376)
        - New soname: Rename library packages
        - Drop patch perl-path.diff, not needed anymore
        - Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
          and CVE-2010-4180.patch: applied upstream.
        - Update Configure for the new fields for the assembler options
          per arch.  alpha now makes use of assembler.
      * Move man3 manpages and demos to libssl-doc (Closes: #470594)
      * Drop .pod files from openssl package (Closes: #518167)
      * Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
      * Stop using BF_PTR2 on (kfreebsd-)amd64.
      * Drop debian-arm from the list of arches.
      * Update arm arches to use BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
        BF_PTR instead of BN_LLONG DES_RISC1
      * ia64: Drop RC4_CHAR, add DES_UNROLL DES_INT
      * powerpc: Use RC4_CHAR RC4_CHUNK DES_RISC1 instead
        of DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX
      * s390: Use RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL instead of BN_LLONG
    
     -- Kurt Roeckx <email address hidden>  Sun, 12 Dec 2010 15:37:21 +0100