Your message dated Fri, 22 Mar 2013 09:04:20 +0000
with message-id <0d4c26f1672bc13c29503d37099cc...@mail.adsl.funky-badger.org>
and subject line Re: Bug#703362: unblock: openssl/1.0.1e-2
has caused the Debian Bug report #703362,
regarding unblock: openssl/1.0.1e-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
703362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703362
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock openssl/1.0.1e-2, it fixes a bunch of issues fixed
in upstream git since the 1.0.1e release.

debdiff attached.


Kurt

diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog	2013-02-11 19:40:07.000000000 +0100
+++ openssl-1.0.1e/debian/changelog	2013-03-18 20:37:14.000000000 +0100
@@ -1,3 +1,13 @@
+openssl (1.0.1e-2) unstable; urgency=high
+
+  * Bump shlibs.  It's needed for the udeb.
+  * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
+  * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
+  * Fix problem with DTLS version check (Closes: #701826)
+  * Fix segfault in SSL_get_certificate (Closes: #703031)
+
+ -- Kurt Roeckx <k...@roeckx.be>  Mon, 18 Mar 2013 20:37:11 +0100
+
 openssl (1.0.1e-1) unstable; urgency=high
 
   * New upstream version (Closes: #699889)
diff -Nru openssl-1.0.1e/debian/patches/aesni-mac.patch openssl-1.0.1e/debian/patches/aesni-mac.patch
--- openssl-1.0.1e/debian/patches/aesni-mac.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/aesni-mac.patch	2013-03-18 20:19:47.000000000 +0100
@@ -0,0 +1,26 @@
+From: Andy Polyakov <ap...@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29
+Bug-Debian: http://bugs.debian.org/701868
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ 
+ 				if (res!=SHA_CBLOCK) continue;
+ 
+-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++				/* j is not incremented yet */
++				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ 				sha1_block_data_order(&key->md,data,1);
+-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ 				pmac->u[0] |= key->md.h0 & mask;
+ 				pmac->u[1] |= key->md.h1 & mask;
+ 				pmac->u[2] |= key->md.h2 & mask;
+
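Review bot: in aesni_cbc_hmac_sha1_cipher the added comment "j is not incremented yet" covers only the first mask (inp_len+7-j). The companion change two lines later, from j-inp_len-73 to j-inp_len-72, has no explanation, and both bounds stay bare constants. Since the subject calls the failure rare, the comment should say what 7 and 72 correspond to and that the two masks must move together, so that a later cleanup does not adjust one without the other. A regression test with a record length that lands on this boundary would also help, because nothing in the patch exercises the corrected case.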
diff -Nru openssl-1.0.1e/debian/patches/cpuid.patch openssl-1.0.1e/debian/patches/cpuid.patch
--- openssl-1.0.1e/debian/patches/cpuid.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/cpuid.patch	2013-03-10 21:54:05.000000000 +0100
@@ -0,0 +1,27 @@
+From: Andy Polyakov <ap...@openssl.org>
+Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100)
+Subject: x86cpuid.pl: make it work with older CPUs.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d
+Bug-Debian: http://bugs.debian.org/699692
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest
+
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index 3b6c469..e8a7518 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 	&inc	("esi");		# number of cores
+ 
+ 	&mov	("eax",1);
++	&xor	("ecx","ecx");
+ 	&cpuid	();
+ 	&bt	("edx",28);
+ 	&jnc	(&label("generic"));
+@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ 
+ &set_label("nocacheinfo");
+ 	&mov	("eax",1);
++	&xor	("ecx","ecx");
+ 	&cpuid	();
+ 	&and	("edx",0xbfefffff);	# force reserved bits #20, #30 to 0
+ 	&cmp	("ebp",0);
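Review bot: both added `&xor ("ecx","ecx");` lines sit before `&cpuid ();` with no comment, so in the source they read as a redundant register clear. The reason is given only in the patch subject ("make it work with older CPUs") and the Debian changelog ("cpu's that don't set ecx"). A short trailing comment on each line, in the style of the existing `# number of cores` comment, stating that ecx is zeroed because some CPUs leave it untouched, would keep the instruction from being removed later. It would also be worth checking the rest of x86cpuid.pl for other `&mov ("eax",1); &cpuid ();` sequences that read ecx afterwards, as only two sites are changed here.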
diff -Nru openssl-1.0.1e/debian/patches/dtls_version.patch openssl-1.0.1e/debian/patches/dtls_version.patch
--- openssl-1.0.1e/debian/patches/dtls_version.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/dtls_version.patch	2013-03-18 20:28:32.000000000 +0100
@@ -0,0 +1,25 @@
+From: David Woodhouse <dw...@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 	unsigned padding_length, good, to_check, i;
+ 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ 	/* Check if version requires explicit IV */
+-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ 		{
+ 		/* These lengths are all public so we can test them in
+ 		 * non-constant time.
+
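Review bot: after this change the condition in tls1_cbc_remove_padding covers DTLS1_VERSION only through the numeric comparison `s->version >= TLS1_1_VERSION`, and that dependency is stated only in the patch description ("DTLS1_VERSION > TLS1_1_VERSION"), not in the code. The in-code comment still says just "Check if version requires explicit IV". Suggest extending that comment to say that DTLS1_VERSION is caught by the >= test and that DTLS1_BAD_VER needs the explicit equality check, so the reasoning survives once the commit message is out of view. Note also that the subject line says DTLS_BAD_VER while the code uses DTLS1_BAD_VER.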
diff -Nru openssl-1.0.1e/debian/patches/get_certificate.patch openssl-1.0.1e/debian/patches/get_certificate.patch
--- openssl-1.0.1e/debian/patches/get_certificate.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/get_certificate.patch	2013-03-18 20:36:30.000000000 +0100
@@ -0,0 +1,27 @@
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Mon, 11 Feb 2013 18:24:03 +0000
+Subject: Fix for SSL_get_certificate
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
+Bug-Debian: http://bugs.debian.org/703031
+
+
+Now we set the current certificate to the one used by a server
+there is no need to call ssl_get_server_send_cert which will
+fail if we haven't sent a certificate yet.
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 14d143d..ff5a85a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ 	{
+-	if (s->server)
+-		return(ssl_get_server_send_cert(s));
+-	else if (s->cert != NULL)
++	if (s->cert != NULL)
+ 		return(s->cert->key->x509);
+ 	else
+ 		return(NULL);
+
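Review bot: the remaining branch in SSL_get_certificate checks only `s->cert != NULL` before returning `s->cert->key->x509`, so `s->cert->key` is dereferenced without a check. The description says the current certificate is now set to the one used by a server, but it also notes the case where no certificate has been sent yet, and the hunk does not show that `key` is always non-NULL in that state. Given that the Debian changelog describes this as a segfault fix, either add `s->cert->key != NULL` to the condition or state in a comment where `key` is guaranteed to be set.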
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series	2013-02-11 19:39:36.000000000 +0100
+++ openssl-1.0.1e/debian/patches/series	2013-03-18 20:36:46.000000000 +0100
@@ -32,3 +32,7 @@
 #padlock_conf.patch
 default_bits.patch
 ssltest_no_sslv2.patch
+cpuid.patch
+aesni-mac.patch
+dtls_version.patch
+get_certificate.patch
diff -Nru openssl-1.0.1e/debian/rules openssl-1.0.1e/debian/rules
--- openssl-1.0.1e/debian/rules	2012-07-17 11:49:15.000000000 +0200
+++ openssl-1.0.1e/debian/rules	2013-03-10 21:54:40.000000000 +0100
@@ -137,7 +137,7 @@
 	dh_strip -a --dbg-package=libssl1.0.0
 	dh_perl -a -d
 	dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4
-	dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.0)" --add-udeb="libcrypto1.0.0-udeb"
+	dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1d)" --add-udeb="libcrypto1.0.0-udeb"
 	dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH)
 	dh_gencontrol -a
 	dh_installdeb -a
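Review bot: the `-V` argument to dh_makeshlibs moves from `(>= 1.0.0)` to `(>= 1.0.1d)`, but neither this hunk nor the changelog entry ("Bump shlibs. It's needed for the udeb.") says why 1.0.1d is the right floor for a package at 1.0.1e-2. Please name the version in the changelog entry and add a comment above the dh_makeshlibs line stating which change requires it, since this value is hardcoded and has to be revisited by hand on later uploads.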

--- End Message ---
--- Begin Message ---
On 22.03.2013 09:00, Cyril Brulebois wrote:
> Adam D. Barratt <a...@adam-barratt.org.uk> (19/03/2013):
>> Unblocked, but needs a udeb ack.
>
> Looks good to me.

Thanks. unblock-udebbed.

Regards,

Adam

--- End Message ---
