
Bug#907906: marked as done (stretch-pu: package openssl/1.1.0f-3+deb9u2)



Your message dated Tue, 11 Dec 2018 22:48:19 +0100
with message-id <20181211214818.ziwzwjk3p7ocpd7t@breakpoint.cc>
and subject line Re: Bug#907906: stretch-pu: package openssl/1.1.0f-3+deb9u2
has caused the Debian Bug report #907906,
regarding stretch-pu: package openssl/1.1.0f-3+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
907906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907906
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

I prepared an update for OpenSSL to synchronize it with upstream's
latest stable release (i).  The i release is an OpenSSL stable release
within the 1.1.0 series with no additional features. It contains only
fixes which don't fix anything security related but still qualify as
something that should be fixed with a stable release.
The BTS bugs #903566 and #907457 are two examples which were raised
within Debian.

As part of my QA I rebuilt all openssl's and libssl1.1 reverse
dependencies [0]. Some packages (like nova) failed to build against this
and current (currently Stretch) openssl due to its testsuite and it might
have something to do with my sbuild setup since it succeeded in the
"reproducible builds" build. However, openbsc also FTBFS in
"reproducible builds". Everything that FTBFS against that i also FTBFS
against the current openssl in my setup except for one package.

The package python-cryptography fails to build due to an API change of
BIO_callback_ctrl() in OpenSSL. While this is a no-no in a stable release, it
has been explained [1] that the function / callback was always used with
a different prototype. I fixed this by removing the function / prototype
from the python wrapper while upstream removed almost all BIO
related wrappers [2].
I would submit a pu bug for python-cryptography if there is nothing
wrong with this one.

I am attaching a diff of the debian/ folder of the update (the openssl
part is replaced with the new version). The whole diff is 24MiB in size
and can be fetched from [4] compressed.

If the release team would like some additional tests, please let me
know.

[0] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/
[1] https://github.com/openssl/openssl/pull/4493#discussion_r143505277
[2] https://github.com/pyca/cryptography/pull/4220
[3] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-python-cryptography/
[4] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/ossl_1.1.0f-3deb9u2_to_1.1.0i.patch.xz

Sebastian
diff --git a/debian/changelog b/debian/changelog
index 3c231b9b2cf9a..886d06e39674d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openssl (1.1.0i-1~deb9u1) stretch; urgency=medium
+
+  * Import 1.1.0i
+    - Fix segfault ERR_clear_error (Closes: #903566)
+    - Fix commandline option for CAengine (Closes: #907457)
+  * Abort the build if symbols are discovered which are not part of the
+    symbols file.
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 03 Sep 2018 23:59:02 +0200
+
 openssl (1.1.0f-3+deb9u2) stretch-security; urgency=high
 
   * CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
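Review bot: the "Import 1.1.0i" item records only the two bug closures, although the previous entry is 1.1.0f and the debian/libssl1.1.symbols change in this same diff adds the OPENSSL_1_1_0g, OPENSSL_1_1_0h and OPENSSL_1_1_0i version nodes. Suggest a sub-item stating that the import covers the g, h and i releases and adds new symbol versions to libcrypto.so.1.1, so that the stable changelog shows the ABI additions and not just the bug fixes.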
diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols
index 9d70f3748ca03..84875cff36446 100644
--- a/debian/libssl1.1.symbols
+++ b/debian/libssl1.1.symbols
@@ -4,6 +4,9 @@ libcrypto.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0c 1.1.0c
  *@OPENSSL_1_1_0d 1.1.0d
  *@OPENSSL_1_1_0f 1.1.0f
+ *@OPENSSL_1_1_0g 1.1.0g
+ *@OPENSSL_1_1_0h 1.1.0h
+ *@OPENSSL_1_1_0i 1.1.0i
 libssl.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0
  *@OPENSSL_1_1_0d 1.1.0d
diff --git a/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch b/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
deleted file mode 100644
index 835b95d00696e..0000000000000
diff --git a/debian/patches/CVE-2017-3735.patch b/debian/patches/CVE-2017-3735.patch
deleted file mode 100644
index d152ddd387949..0000000000000
diff --git a/debian/patches/CVE-2017-3736.patch b/debian/patches/CVE-2017-3736.patch
deleted file mode 100644
index e60063fb65544..0000000000000
diff --git a/debian/patches/Fix-a-Proxy-race-condition.patch b/debian/patches/Fix-a-Proxy-race-condition.patch
deleted file mode 100644
index a2b72b8b79f66..0000000000000
diff --git a/debian/patches/Fix-race-condition-in-TLSProxy.patch b/debian/patches/Fix-race-condition-in-TLSProxy.patch
deleted file mode 100644
index 24b05c7e14139..0000000000000
diff --git a/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch b/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch
deleted file mode 100644
index 45e0feb25dc07..0000000000000
diff --git a/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch b/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch
deleted file mode 100644
index dbd3573187081..0000000000000
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index de24948e8dfac..199480af27e4d 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -1,15 +1,16 @@
-From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
 From: Ludwig Nussel <ludwig.nussel@suse.de>
 Date: Wed, 21 Apr 2010 15:52:10 +0200
 Subject: [PATCH] also create old hash for compatibility
 
 ---
- tools/c_rehash.in |   20 ++++++++++++++------
+ tools/c_rehash.in | 20 ++++++++++++++------
  1 file changed, 14 insertions(+), 6 deletions(-)
 
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index e658222..c9d477c 100644
 --- a/tools/c_rehash.in
 +++ b/tools/c_rehash.in
-@@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}
+@@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
  my $errorcount = 0;
  my $openssl = $ENV{OPENSSL} || "openssl";
  my $pwd;
diff --git a/debian/patches/debian-targets.patch b/debian/patches/debian-targets.patch
index 7b91b32fa17d3..48d95c9d7ad11 100644
--- a/debian/patches/debian-targets.patch
+++ b/debian/patches/debian-targets.patch
@@ -1,7 +1,15 @@
----
- Configurations/20-debian.conf |  137 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sat, 1 Sep 2018 22:20:24 +0200
+Subject: debian-targets
 
+---
+ Configurations/20-debian.conf | 137 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 137 insertions(+)
+ create mode 100644 Configurations/20-debian.conf
+
+diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf
+new file mode 100644
+index 0000000..c56a61a
 --- /dev/null
 +++ b/Configurations/20-debian.conf
 @@ -0,0 +1,137 @@
diff --git a/debian/patches/man-section.patch b/debian/patches/man-section.patch
index 0417b29756b64..487063f597b8f 100644
--- a/debian/patches/man-section.patch
+++ b/debian/patches/man-section.patch
@@ -1,12 +1,17 @@
----
- Configurations/unix-Makefile.tmpl |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: man-section
 
-Index: openssl-1.1.0f/Configurations/unix-Makefile.tmpl
-===================================================================
---- openssl-1.1.0f.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl
-@@ -164,7 +164,8 @@ HTMLDIR=$(DOCDIR)/html
+---
+ Configurations/unix-Makefile.tmpl | 6 ++++--
+ util/process_docs.pl              | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 034d93e..9af91c6 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -167,7 +167,8 @@ HTMLDIR=$(DOCDIR)/html
  # MANSUFFIX is for the benefit of anyone who may want to have a suffix
  # appended after the manpage file section number.  "ssl" is popular,
  # resulting in files such as config.5ssl rather than config.5.
@@ -16,7 +21,7 @@ Index: openssl-1.1.0f/Configurations/unix-Makefile.tmpl
  HTMLSUFFIX=html
  
  
-@@ -554,7 +555,8 @@ install_man_docs:
+@@ -562,7 +563,8 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs
  	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
  	@echo "*** Installing manpages"
  	$(PERL) $(SRCDIR)/util/process_docs.pl \
@@ -26,11 +31,11 @@ Index: openssl-1.1.0f/Configurations/unix-Makefile.tmpl
  
  uninstall_man_docs:
  	@echo "*** Uninstalling manpages"
-Index: openssl-1.1.0f/util/process_docs.pl
-===================================================================
---- openssl-1.1.0f.orig/util/process_docs.pl
-+++ openssl-1.1.0f/util/process_docs.pl
-@@ -36,6 +36,7 @@ GetOptions(\%options,
+diff --git a/util/process_docs.pl b/util/process_docs.pl
+index f7daef0..5209c3e 100755
+--- a/util/process_docs.pl
++++ b/util/process_docs.pl
+@@ -38,6 +38,7 @@ GetOptions(\%options,
             'type=s',            # The result type, 'man' or 'html'
             'suffix:s',          # Suffix to add to the extension.
                                  # Only used with type=man
@@ -38,12 +43,12 @@ Index: openssl-1.1.0f/util/process_docs.pl
             'remove',            # To remove files rather than writing them
             'dry-run|n',         # Only output file names on STDOUT
             'debug|D+',
-@@ -98,7 +99,7 @@ foreach my $subdir (keys %{$options{subd
+@@ -100,7 +101,7 @@ foreach my $subdir (keys %{$options{subdir}}) {
          my $name = uc $podname;
          my $suffix = { man  => ".$podinfo{section}".($options{suffix} // ""),
                         html => ".html" } -> {$options{type}};
 -        my $generate = { man  => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"",
 +        my $generate = { man  => "pod2man --name=$name --section=$podinfo{section}$options{mansection} --center=OpenSSL --release=$config{version} \"$podpath\"",
-                          html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\""
+                          html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\" --quiet"
                           } -> {$options{type}};
          my $output_dir = catdir($options{destdir}, "man$podinfo{section}");
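Review bot: in the pod2man command, `$options{mansection}` is interpolated with no default, while `$suffix` two lines above guards its option with `($options{suffix} // "")`. If process_docs.pl is ever run without --mansection, the section argument is built from an undefined value. Suggest defaulting it once after GetOptions, for example `$options{mansection} //= "";`, so the patched script behaves like the unpatched one when the option is absent.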
diff --git a/debian/patches/no-symbolic.patch b/debian/patches/no-symbolic.patch
index f8daf2f8ce6c7..e1c05b14d5cc9 100644
--- a/debian/patches/no-symbolic.patch
+++ b/debian/patches/no-symbolic.patch
@@ -1,15 +1,21 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: no-symbolic
+
 ---
- Makefile.shared |    2 +-
+ Makefile.shared | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/Makefile.shared b/Makefile.shared
+index 4f9550a..63f7e59 100644
 --- a/Makefile.shared
 +++ b/Makefile.shared
-@@ -164,7 +164,7 @@ LINK_SO_SHLIB_UNPACKED=	\
+@@ -154,7 +154,7 @@ LINK_SO_SHLIB_UNPACKED=	\
  DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
  
  DO_GNU_SO_COMMON=\
--	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$(SHLIBNAME_FULL)"
++	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$(SHLIBNAME_FULL)"
  DO_GNU_DSO=\
- 	SHLIB=$(LIBNAME).so; \
- 	SHLIB_SOVER=; \
+ 	$(DO_GNU_SO_COMMON)
+ DO_GNU_SO=\
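Review bot: the new header gives only "Subject: no-symbolic" and no reason for removing -Wl,-Bsymbolic from SHAREDFLAGS in DO_GNU_SO_COMMON. Without that flag, the library's references to its own global symbols are resolved through the normal dynamic lookup and can be satisfied by a same-named symbol from the executable or an earlier-loaded object. Since this is a deliberate divergence from upstream's link flags for libcrypto and libssl, please add a short description to the patch header saying why Debian wants it.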
diff --git a/debian/patches/padlock_conf.patch b/debian/patches/padlock_conf.patch
deleted file mode 100644
index da343d0f04e4b..0000000000000
diff --git a/debian/patches/pariscid.pl-fix-nasty-typo-in-CRYPTO_memcmp.patch b/debian/patches/pariscid.pl-fix-nasty-typo-in-CRYPTO_memcmp.patch
deleted file mode 100644
index 2ade9b0ebb9a5..0000000000000
diff --git a/debian/patches/pic.patch b/debian/patches/pic.patch
index 0a12a8ac22110..9c5b09fa4b9e5 100644
--- a/debian/patches/pic.patch
+++ b/debian/patches/pic.patch
@@ -1,10 +1,16 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sat, 1 Sep 2018 22:20:24 +0200
+Subject: pic
+
 ---
- crypto/des/asm/desboth.pl |   17 ++++++++++++++---
- crypto/perlasm/cbc.pl     |   24 ++++++++++++++++++++----
- crypto/perlasm/x86gas.pl  |   16 ++++++++++++++++
- crypto/x86cpuid.pl        |   10 +++++-----
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl     | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl  | 16 ++++++++++++++++
+ crypto/x86cpuid.pl        | 10 +++++-----
  4 files changed, 55 insertions(+), 12 deletions(-)
 
+diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
+index 76759fb..14bd708 100644
 --- a/crypto/des/asm/desboth.pl
 +++ b/crypto/des/asm/desboth.pl
 @@ -23,6 +23,11 @@ sub DES_encrypt3
@@ -44,6 +50,8 @@
  
  	&stack_pop(3);
  	&mov($L,&DWP(0,"ebx","",0));
+diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
+index ad79b24..c6fd07c 100644
 --- a/crypto/perlasm/cbc.pl
 +++ b/crypto/perlasm/cbc.pl
 @@ -129,7 +129,11 @@ sub cbc
@@ -98,6 +106,8 @@
  
  	&mov("eax",	&DWP($data_off,"esp","",0));	# get return
  	&mov("ebx",	&DWP($data_off+4,"esp","",0));	#
+diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
+index 2c8fce0..467a998 100644
 --- a/crypto/perlasm/x86gas.pl
 +++ b/crypto/perlasm/x86gas.pl
 @@ -170,6 +170,7 @@ sub ::file_end
@@ -108,7 +118,7 @@
      }
      push(@out,$initseg) if ($initseg);
  }
-@@ -228,8 +229,23 @@ sub ::initseg
+@@ -228,8 +229,23 @@ ___
      elsif ($::elf)
      {	$initseg.=<<___;
  .section	.init
@@ -132,6 +142,8 @@
      }
      elsif ($::coff)
      {   $initseg.=<<___;	# applies to both Cygwin and Mingw
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index 4622a9f..07b5bd7 100644
 --- a/crypto/x86cpuid.pl
 +++ b/crypto/x86cpuid.pl
 @@ -18,6 +18,8 @@ open OUT,">$output";
@@ -143,7 +155,7 @@
  &function_begin("OPENSSL_ia32_cpuid");
  	&xor	("edx","edx");
  	&pushf	();
-@@ -165,9 +167,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
  &set_label("nocpuid");
  &function_end("OPENSSL_ia32_cpuid");
  
@@ -154,7 +166,7 @@
  	&xor	("eax","eax");
  	&xor	("edx","edx");
  	&picmeup("ecx","OPENSSL_ia32cap_P");
-@@ -181,7 +181,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
  # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
  # but it's safe to call it on any [supported] 32-bit platform...
  # Just check for [non-]zero return value...
@@ -163,7 +175,7 @@
  	&picmeup("ecx","OPENSSL_ia32cap_P");
  	&bt	(&DWP(0,"ecx"),4);
  	&jnc	(&label("nohalt"));	# no TSC
-@@ -248,7 +248,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
  	&ret	();
  &function_end_B("OPENSSL_far_spin");
  
diff --git a/debian/patches/series b/debian/patches/series
index 9f35616ea2296..445aa7556630b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,12 +3,3 @@ man-section.patch
 no-symbolic.patch
 pic.patch
 c_rehash-compat.patch
-#padlock_conf.patch
-0001-Only-release-thread-local-key-if-we-created-it.patch
-CVE-2017-3735.patch
-CVE-2017-3736.patch
-Fix-a-Proxy-race-condition.patch
-Fix-race-condition-in-TLSProxy.patch
-bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch
-Limit-ASN.1-constructed-types-recursive-definition-d.patch
-pariscid.pl-fix-nasty-typo-in-CRYPTO_memcmp.patch
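Review bot: this removes every carried fix from the series, including CVE-2017-3735.patch, CVE-2017-3736.patch and the CRYPTO_memcmp typo fix, and the diff shows the patch files only as "deleted file mode" with no content. Please state for each dropped patch that the same change is present in the imported 1.1.0i tree, and list the dropped patches in debian/changelog, which currently does not mention them. Note also that padlock_conf.patch was already commented out here, so its deletion is cleanup and not a behaviour change.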
diff --git a/debian/rules b/debian/rules
index 5d89fd1e0c3d4..a84167cd84d29 100755
--- a/debian/rules
+++ b/debian/rules
@@ -138,7 +138,7 @@ endif
 
 override_dh_makeshlibs:
 	#dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4
-	dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
+	dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines -- -c4
 	# XXX: This needs gets set perl:any by dh_perl which is correct, but
 	# that breaks debootstrap in jessie (the current stable). This hack
 	# could be removed once stretch is stable and contains a fixed
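Review bot: with `-- -c4` now passed through dh_makeshlibs, the commented-out `#dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4` line directly above it is redundant and can be removed. It would also help to add a one-line comment that -c4 makes the build fail on any symbol not covered by debian/libssl1.1.symbols, because the wildcard entries in that file mean each future upstream release with a new version node needs a matching line there.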

--- End Message ---
--- Begin Message ---
On 2018-09-04 00:12:56 [+0200], To submit@bugs.debian.org wrote:
> I prepared an update for OpenSSL to synchronize it with upstream's
> latest stable release (i). 

I am closing this pu bug because the openssl update has been routed via
d-security in the meantime.

Sebastian

--- End Message ---
