Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois (2017-02-21):
> I think that should work, yes. Please let me know when that's happened,
> and I'll do the testing as soon as possible.

This has happened, and building a netboot-gtk image with stretch udebs and
with p-u enabled got me a 1.18-4.1 version of the wget-udeb package, with
the following changes:

  +libcrypto1.1-udeb
  -libssl1.0.2-udeb
  +libssl1.1-udeb

I've successfully tested a full installation over https, so I think it's
fine to accept wget from tpu.

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
Niels Thykier (2017-02-20):
> I did and I agree on the testing part. Would a "no-change rebuild" tpu
> upload of wget be a solution for you? That should ensure we control
> when the wget change migrates to testing (which is somewhat more
> difficult with binNMUs).

I think that should work, yes. Please let me know when that's happened,
and I'll do the testing as soon as possible.

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois:
> Niels Thykier (2017-02-19):
>> [...]
>
> Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
> against 1.1 for stretch; if that happens, this needs d-i testing…
>
>
> KiBi.
>

I did and I agree on the testing part. Would a "no-change rebuild" tpu
upload of wget be a solution for you? That should ensure we control when
the wget change migrates to testing (which is somewhat more difficult with
binNMUs).

Thanks,
~Niels
Bug#855432: unblock: openssl/1.1.0e-1
Niels Thykier (2017-02-19):
> Cyril Brulebois:
> > We have this right now:
> >
> >   wget-udeb | 1.18-4   | testing  → built against 1.0.2
> >   wget-udeb | 1.19.1-1 | unstable → built against 1.1
> >
> > If we're not getting a newer wget for stretch (at least I didn't find
> > anything wget-related relevant for stretch in my debian-release folder),
> > I can't think of another libssl user for d-i, which seems confirmed by
> > looking at libssl*-udeb rdepends in sid.
> >
> > Unless I'm missing something obvious: no objections.
>
> Unblocked, thanks.

Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
against 1.1 for stretch; if that happens, this needs d-i testing…

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
On Sun, Feb 19, 2017 at 07:33:20AM +0100, Cyril Brulebois wrote:
> Kurt Roeckx (2017-02-18):
> > On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > > How soon do you want to see this package in testing? Given I've just
> > > fixed a few things related to https support in d-i, it would be nice if
> > > I were able to perform a full test with https here, making sure we don't
> > > hit a regression there. If a reply this sunday is sufficient, I can do
> > > that.
>
> We have this right now:
>
>   wget-udeb | 1.18-4   | testing  → built against 1.0.2
>   wget-udeb | 1.19.1-1 | unstable → built against 1.1
>
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
>
> Unless I'm missing something obvious: no objections.

Can someone please also change the age to 2 days?


Kurt
Bug#855432: unblock: openssl/1.1.0e-1
Kurt Roeckx (2017-02-18):
> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > How soon do you want to see this package in testing? Given I've just
> > fixed a few things related to https support in d-i, it would be nice if
> > I were able to perform a full test with https here, making sure we don't
> > hit a regression there. If a reply this sunday is sufficient, I can do
> > that.

We have this right now:

  wget-udeb | 1.18-4   | testing  → built against 1.0.2
  wget-udeb | 1.19.1-1 | unstable → built against 1.1

If we're not getting a newer wget for stretch (at least I didn't find
anything wget-related relevant for stretch in my debian-release folder),
I can't think of another libssl user for d-i, which seems confirmed by
looking at libssl*-udeb rdepends in sid.

Unless I'm missing something obvious: no objections.

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> Hi,
>
> Niels Thykier (2017-02-18):
> > Kurt Roeckx:
> > > Package: release.debian.org
> > > User: release.debian@packages.debian.org
> > > Usertags: unblock
> > > Severity: normal
> > >
> > > Hi,
> > >
> > > There was a new upstream release fixing a high severity security
> > > issue.
> > >
> > > The changelog entry is:
> > > openssl (1.1.0e-1) unstable; urgency=high
> > >
> > >   * New upstream version
> > >     - Fixes CVE-2017-3733
> > >     - Remove patches that are applied upstream.
> > >
> > >  -- Kurt Roeckx  Thu, 16 Feb 2017 18:57:58 +0100
> > >
> > > I've attached the full debdiff between the version in testing and
> > > unstable.
> >
> > OK from here; KiBi, I need a d-i ack from you, please. :)
>
> How soon do you want to see this package in testing? Given I've just
> fixed a few things related to https support in d-i, it would be nice if
> I were able to perform a full test with https here, making sure we don't
> hit a regression there. If a reply this sunday is sufficient, I can do
> that.

Sunday / Monday is fine for me.


Kurt
Bug#855432: unblock: openssl/1.1.0e-1
Hi,

Niels Thykier (2017-02-18):
> Kurt Roeckx:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> >
> > Hi,
> >
> > There was a new upstream release fixing a high severity security
> > issue.
> >
> > The changelog entry is:
> > openssl (1.1.0e-1) unstable; urgency=high
> >
> >   * New upstream version
> >     - Fixes CVE-2017-3733
> >     - Remove patches that are applied upstream.
> >
> >  -- Kurt Roeckx  Thu, 16 Feb 2017 18:57:58 +0100
> >
> > I've attached the full debdiff between the version in testing and
> > unstable.
>
> OK from here; KiBi, I need a d-i ack from you, please. :)

How soon do you want to see this package in testing? Given I've just
fixed a few things related to https support in d-i, it would be nice if
I were able to perform a full test with https here, making sure we don't
hit a regression there. If a reply this sunday is sufficient, I can do
that.

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
Kurt Roeckx:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Hi,
>
> There was a new upstream release fixing a high severity security
> issue.
>
> The changelog entry is:
> openssl (1.1.0e-1) unstable; urgency=high
>
>   * New upstream version
>     - Fixes CVE-2017-3733
>     - Remove patches that are applied upstream.
>
>  -- Kurt Roeckx  Thu, 16 Feb 2017 18:57:58 +0100
>
> I've attached the full debdiff between the version in testing and
> unstable.
>
>
> Kurt
>

OK from here; KiBi, I need a d-i ack from you, please. :)

Thanks,
~Niels
Bug#855432: unblock: openssl/1.1.0e-1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

There was a new upstream release fixing a high severity security
issue.

The changelog entry is:
openssl (1.1.0e-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2017-3733
    - Remove patches that are applied upstream.

 -- Kurt Roeckx  Thu, 16 Feb 2017 18:57:58 +0100

I've attached the full debdiff between the version in testing and
unstable.


Kurt

diff -Nru openssl-1.1.0d/apps/openssl.c openssl-1.1.0e/apps/openssl.c --- openssl-1.1.0d/apps/openssl.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/openssl.c 2017-02-16 12:58:20.0 +0100 @@ -58,7 +58,6 @@ static void list_disabled(void); char *default_config_file = NULL; -static CONF *config = NULL; BIO *bio_in = NULL; BIO *bio_out = NULL; BIO *bio_err = NULL; @@ -248,8 +247,6 @@ end: OPENSSL_free(copied_argv); OPENSSL_free(default_config_file); -NCONF_free(config); -config = NULL; lh_FUNCTION_free(prog); OPENSSL_free(arg.argv); diff -Nru openssl-1.1.0d/apps/req.c openssl-1.1.0e/apps/req.c --- openssl-1.1.0d/apps/req.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/req.c 2017-02-16 12:58:20.0 +0100 @@ -121,7 +121,7 @@ {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Enable support for multivalued RDNs"}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, -{"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"}, +{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, {"extensions", OPT_EXTENSIONS, 's', "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', diff -Nru openssl-1.1.0d/apps/s_cb.c openssl-1.1.0e/apps/s_cb.c --- openssl-1.1.0d/apps/s_cb.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/s_cb.c 2017-02-16 12:58:20.0 +0100 
@@ -922,6 +922,7 @@ BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } +*pexc = exc; exc->certfile = opt_arg(); break; case OPT_X_KEY: diff -Nru openssl-1.1.0d/apps/ts.c openssl-1.1.0e/apps/ts.c --- openssl-1.1.0d/apps/ts.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/ts.c 2017-02-16 12:58:20.0 +0100 @@ -890,9 +890,15 @@ goto err; f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { +BIO *out = NULL; + f |= TS_VFY_DATA; -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) +if ((out = BIO_new_file(data, "rb")) == NULL) goto err; +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) { +BIO_free_all(out); +goto err; +} } else if (digest != NULL) { long imprint_len; unsigned char *hexstr = OPENSSL_hexstr2buf(digest, _len); diff -Nru openssl-1.1.0d/CHANGES openssl-1.1.0e/CHANGES --- openssl-1.1.0d/CHANGES 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/CHANGES 2017-02-16 12:58:20.0 +0100 @@ -2,6 +2,19 @@ OpenSSL CHANGES ___ + Changes between 1.1.0d and 1.1.0e [16 Feb 2017] + + *) Encrypt-Then-Mac renegotiation crash + + During a renegotiation handshake if the Encrypt-Then-Mac extension is + negotiated where it was not in the original handshake (or vice-versa) then + this can cause OpenSSL to crash (dependant on ciphersuite). Both clients + and servers are affected. + + This issue was reported to OpenSSL by Joe Orton (Red Hat). + (CVE-2017-3733) + [Matt Caswell] + Changes between 1.1.0c and 1.1.0d [26 Jan 2017] *) Truncated packet could crash via OOB read diff -Nru openssl-1.1.0d/Configurations/unix-Makefile.tmpl openssl-1.1.0e/Configurations/unix-Makefile.tmpl --- openssl-1.1.0d/Configurations/unix-Makefile.tmpl 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 12:58:20.0 +0100 
@@ -285,6 +285,7 @@ -$(RM) `find . -name '*{- $objext -}' -a \! -path "./.git/*"` $(RM) core $(RM) tags TAGS + $(RM) test/.rnd $(RM) openssl.pc libcrypto.pc libssl.pc -$(RM) `find . -type l -a \! -path "./.git/*"` $(RM) $(TARFILE) diff -Nru openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl --- openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl 2017-02-16 12:58:20.0 +0100 @@ -59,9 +59,12 @@ .text ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); -$code.=".arch armv7-a\n.fpu neon\n.code 32\n" if ($flavour !~ /64/); - #^^ this is done to simplify adoption by not depending - # on latest binutils. +$code.=<<___ if ($flavour !~ /64/); +.arch armv7-a // don't confuse not-so-latest binutils with argv8 :-) +.fpu neon +.code 32 +#undef __thumb2__
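Review bot: in the apps/openssl.c hunks, dropping the file-scope `static CONF *config = NULL;` together with the `NCONF_free(config); config = NULL;` pair in the `end:` path is self-consistent; any remaining reference to `config` in that file would now fail to compile rather than dangle, so no leak or use-after-free is introduced and nothing further is needed here.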
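Review bot: in the apps/req.c hunk, changing the `set_serial` entry from type 'p' to 's' removes the generic positive-integer validation the option parser applied to `-set_serial`, and the hunk does not show the `OPT_SET_SERIAL` case that consumes `opt_arg()`; confirm that handler parses and validates the string itself (a certificate serial can exceed the range of a C int, which is presumably why 'p' was the wrong type). Since this alters what the option accepts, a line in CHANGES or the man page would be appropriate.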
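Review bot: in the apps/s_cb.c hunk, the added `*pexc = exc;` is placed after the "Error adding xcert" check, so the caller's pointer is only updated once the record was successfully added; without it the freshly created `exc` was never handed back to the caller. The placement is correct; a one-line comment marking the hand-off of `exc` to `*pexc` would make the ownership clearer for the next reader.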
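Review bot: in the apps/ts.c hunk, the new variable is named `out` although it holds a BIO opened with `BIO_new_file(data, "rb")` and is fed in as verification input; `in` or `data_bio` would match its use. The logic itself is right: a failed open now jumps to `err` instead of passing a NULL BIO into `TS_VERIFY_CTX_set_data()`, and the `BIO_free_all(out)` on the set_data failure path closes the leak of the opened file, while on success the BIO is deliberately not freed and is left to `ctx`.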
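Review bot: in the CHANGES hunk, "dependant on ciphersuite" should read "dependent on ciphersuite". Also, none of the hunks visible in this debdiff touch the ssl/ code for the Encrypt-Then-Mac renegotiation fix that the new entry describes under CVE-2017-3733, and the debdiff shown here ends mid-hunk, so the full attachment should be checked to confirm it carries that change.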
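Review bot: in the Configurations/unix-Makefile.tmpl hunk, adding `$(RM) test/.rnd` to the clean target is reasonable: the `.rnd` file is the random-state file the tests leave behind, and removing it on clean keeps stale RNG state from persisting across builds or ending up in a source tarball. No change needed.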
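Review bot: in the crypto/aes/asm/aesv8-armx.pl hunk, the new assembler comment reads "argv8" where "armv8" is meant. The hunk is also truncated in this view: the `$code.=<<___` here-document is opened but the page ends at `#undef __thumb2__` without the `___` terminator or the remaining context, so the rest of the 32-bit ARM change cannot be reviewed from this copy and should be read from the full attachment.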