Ubuntu
openssl package

Merge 1.0.0d-2 from debian/unstable

Bug #675566 reported by dino99
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openssl (Debian)
Fix Released
Unknown
openssl (Ubuntu)
Fix Released
Wishlist
Unassigned

Bug Description

Binary package hint: openssl

Natty still have 0.9.8o

the latest is 1.0.0a with lot of bug and security fixes. Please update this package.

01-Jun-2010: OpenSSL 1.0.0a is now available, including important bug and security fixes

http://www.openssl.org/

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssl 0.9.8o-1ubuntu4.1
ProcVersionSignature: Ubuntu 2.6.37-3.11-generic-pae 2.6.37-rc1
Uname: Linux 2.6.37-3-generic-pae i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Mon Nov 15 15:46:52 2010
ProcEnviron:
 LANG=fr_FR.utf8
 SHELL=/bin/bash
SourcePackage: openssl

Tags: upgrade
Revision history for this message
dino99 (9d9) wrote :
Steve Beattie (sbeattie)
Changed in openssl (Ubuntu):
importance: Undecided → Wishlist
Bug Watch Updater (bug-watch-updater)
Changed in openssl (Debian):
status: Unknown → New
Revision history for this message
panos (multimedia2004) wrote :

Just to let everyone know, a security bug has been found in openssl :

(copying from here : http://marc.info/?l=openssl-announce&m=128992699401945&w=2)

"All versions of OpenSSL supporting TLS extensions contain this vulnerability including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases."

This is fixed (again copying from the above):
"Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update
to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release
which contains a patch to correct this issue."

You can find more information about releases 0.9.8p and 1.0.0b here :
http://marc.info/?l=openssl-announce&r=1&b=201011&w=2

So i believe this report should be updated to reflect the above and request openssl 1.0.0b to be included in the latest ubuntu repository (and maybe consider updating the other related openssl reports in launchpad concerning 0.9.8 versions)

dino99 (9d9)
summary: - upgrade to the latest 1.0.0a with its security fixes
+ upgrade to the latest 1.0.0b with its security fixes
Revision history for this message
Artur Rona (ari-tczew) wrote : Re: upgrade to the latest 1.0.0b with its security fixes

I don't think so that we will get openssl 1.0.0 in natty. Rather probably in Ubuntu 11.10.

Revision history for this message
dino99 (9d9) wrote :

its hard to understand such lack about security

http://www.openssl.org/news/secadv_20101202.txt

Bug Watch Updater (bug-watch-updater)
Changed in openssl (Debian):
status: New → Fix Released
Revision history for this message
Artur Rona (ari-tczew) wrote :

@dino99, all necessary security patches will be included in openssl 0.9.8, don't be afraid.

Artur Rona (ari-tczew)
tags: added: upgrade
removed: apport-bug i386 natty
Revision history for this message
Andreas Moog (ampelbein) wrote :

debian -> ubuntu debdiff

openssl (1.0.0d-2ubuntu1) oneiric; urgency=low

  * Merge from debian/unstable, remaining changes: (LP: #675566)
    - d/libssl1.0.0.postinst:
      + Display a system restart required notification bubble
        on libssl1.0.0 upgrade.
      + Use a different priority for libssl0.9.8/restart-services
        depending on whether a desktop, or server dist-upgrade
        is being performed.
    - d/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb
      package in Debian).
    - d/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant.
    - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions.
    - d/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
        (Closes: #465248)
      + Don't build for processors no longer supported: i486, i586
        (on i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
        (Closes: #611667)
      + Replace duplicate files in the doc directory with symlinks.
  * Fixes install of engines (LP: #769372)

 -- Andreas Moog <email address hidden> Sat, 30 Apr 2011 22:05:02 +0200

Changed in openssl (Ubuntu):
status: New → Confirmed
Revision history for this message
Andreas Moog (ampelbein) wrote :
Andreas Moog (ampelbein)
summary: - upgrade to the latest 1.0.0b with its security fixes
+ Merge 1.0.0d-2 from debian/unstable
Revision history for this message
Artur Rona (ari-tczew) wrote :

What about rdepends? Don't have to be rebuild all of them?

Revision history for this message
Andreas Moog (ampelbein) wrote :

Yes, it's a library transition, see https://wiki.ubuntu.com/UbuntuDevelopment/NBS for an explanation.

Revision history for this message
Dave Walker (davewalker) wrote :

@Andreas, nice job. Not an easy merge, and important as the current oneiric ca-certificates is not installable without this merge. Review looks good!

Revision history for this message
Dave Walker (davewalker) wrote :

Whilst I am happy, I would be more so with a secondary review from someone else, ideally in the security team. Holding off uploading.. awaiting secondary ACK.

Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package openssl - 1.0.0d-2ubuntu1

---------------
openssl (1.0.0d-2ubuntu1) oneiric; urgency=low

  * Resynchronise with Debian (LP: #675566). Remaining changes:
    - debian/libssl1.0.0.postinst:
      + Display a system restart required notification bubble on libssl1.0.0
        upgrade.
      + Use a different priority for libssl1.0.0/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
      libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
      in Debian).
    - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
      rules}: Move runtime libraries to /lib, for the benefit of
      wpasupplicant.
    - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
      http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
      0.9.8 variant.
    - debian/patches/Bsymbolic-functions.patch: Link using
      -Bsymbolic-functions.
    - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
      .pc.
    - debian/rules:
      + Don't run 'make test' when cross-building.
      + Use host compiler when cross-building. Patch from Neil Williams.
      + Don't build for processors no longer supported: i486, i586 (on
        i386), v8 (on sparc).
      + Fix Makefile to properly clean up libs/ dirs in clean target.
      + Replace duplicate files in the doc directory with symlinks.
  * Update architectures affected by Bsymbolic-functions.patch.
  * Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2'
    configure option, which compiles out SSLv2 support entirely, so this is
    no longer needed.
  * Drop openssl-doc in favour of the libssl-doc package introduced by
    Debian. Add Conflicts/Replaces until the next LTS release.

openssl (1.0.0d-2) unstable; urgency=high

  * Make c_rehash also generate the old subject hash. Gnutls applications
    seem to require it. (Closes: #611102)

openssl (1.0.0d-1) unstable; urgency=low

  * New upstream version
    - Fixes CVE-2011-0014
  * Make libssl-doc Replaces/Breaks with old libssl-dev packages
    (Closes: #607609)
  * Only export the symbols we should, instead of all.
  * Add symbol file.
  * Upload to unstable

openssl (1.0.0c-2) experimental; urgency=low

  * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
  * Always define _GNU_SOURCE, not only for Linux.
  * Drop SSL2 support (Closes: #589706)

openssl (1.0.0c-1) experimental; urgency=low

  * New upstream version (Closes: #578376)
    - New soname: Rename library packages
    - Drop patch perl-path.diff, not needed anymore
    - Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
      and CVE-2010-4180.patch: applied upstream.
    - Update Configure for the new fields for the assembler options
      per arch. alpha now makes use of assembler.
  * Move man3 manpages and demos to libssl-doc (Closes: #470594)
  * Drop .pod files from openssl package (Closes: #518167)
  * Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
  * Stop using BF_PTR2 on (kfreebd-)amd64.
  * Drop debian-arm from the list ...

Read more...

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.