2017/12/13 11:27 emeric@ebr-laptop * released openssl-1.0.2n-flx2.1 * to fix latest CVEs 2017/11/20 10:48 willy@wtap.local * released openssl-1.0.2m-flx2.1 * updated to fix latest CVEs 2017/06/22 13:45 emeric@ebr-laptop * released openssl-1.0.2l-flx2.1 * to fix latest CVEs 2017/01/27 16:32 emeric@ebr-laptop * released openssl-1.0.2k-flx2.1 * update to 1.0.2k to fix latest CVEs 2016/10/10 22:57 willy@wtap.local * released openssl-1.0.2j-flx2.2 * really removed 100-openssl-1.0.2h-double-free.patch which was already removed by 1.0.2i (was only ignored in 1.0.2j-flx2.1) * re-added support for aarch64 (was in 1.0.2i but lost due to a parallel package) 2016/09/29 16:25 emeric@ebr-laptop * released openssl-1.0.2j-flx2.1 * removes 100-openssl-1.0.2h-double-free.patch (fix is now in mainline) 2016/05/04 17:47 willy@wtap.local * released openssl-1.0.2h-flx2.1 * rebased 0004-ssl-change-default-cipher-string-to-AES-RC4-ALL-aNUL.patch * added 100-openssl-1.0.2h-double-free.patch 2016/04/04 17:01 willy@wtap.local * released openssl-1.0.2g-flx2.2 * backported the following fixes from git.openssl.org which address various memory leaks and uncaught malloc() errors : 101-openssl-102g-fix1.patch 102-openssl-102g-fix2.patch 103-openssl-102g-fix3.patch 104-openssl-102g-fix4.patch 2016/03/01 15:46 willy@wtap.local * released openssl-1.0.2g-flx2.1 * updated to openssl-1.0.2g 2016/02/22 19:56 willy@wtap.local * released openssl-1.0.2f-flx2.1 2016/02/22 19:49 willy@wtap.local * updated to openssl-1.0.2f * fixed a build.cfg issue causing a very late build error when FLXARCH is not set (trying to build as generic_32 due to FLX_BITS). * merged the following extra fixes from 1.0.2-stable : 0004-Correct-value-of-DH_CHECK_PUBKEY_INVALID.patch 0005-Add-missing-return-value-checks.patch 0006-Fix-bug-in-nistp224-256-521-where-have_precompute_mu.patch 0007-Add-have_precompute_mult-tests.patch 0013-Fix-pkeyutl-rsautl-empty-encrypt-input-decrypt-outpu.patch 0015-Fix-missing-ok-0-with-locally-blacklisted-CAs.patch 0016-if-no-comparison-function-set-make-sk_sort-no-op.patch 0017-Handle-SSL_shutdown-while-in-init-more-appropriately.patch 0020-perlasm-x86_64-xlate.pl-pass-pure-constants-verbatim.patch 0021-RT-3854-Update-apps-req.patch 0022-modes-ctr128.c-pay-attention-to-ecount_buf-alignment.patch 0023-evp-e_des-3-.c-address-compiler-warnings-fix-formatt.patch 0025-typo.patch 0026-evp-e_des3.c-address-compiler-warning.patch 0028-Fix-double-free-in-DSA-private-key-parsing.patch * merged the gentoo fixes for parallel build : openssl-1.0.2a-parallel-install-dirs.patch openssl-1.0.2a-parallel-obj-headers.patch openssl-1.0.2a-parallel-symlinking.patch openssl-1.0.2d-parallel-build.patch * enabled automatic support for parallel build (FLXPMAKE) when possible 2015/12/03 17:41 willy@wtap.local * released openssl-1.0.2e-flx2.1 * updated to 1.0.1e * fixes CVE-2015-3193/4/5 * removed all obsolete patches * replaced "make install" with "make install_sw" due to a recent breakage during "pod2man" at this stage. 2015/11/02 15:10 willy@wtap.local * released openssl-1.0.2d-flx2.2 2015/11/02 14:25 willy@wtap.local * add the last two fixes to fix null derefs : - Fix-reference-count-on-error-path-in-SSL_new.patch - Fix-a-null-dereference-in-ssl3_free-upon-error.patch * backport the following patches from mainline : - 1000-Sort-sstacklst-correctly.patch - 1001-Exit-on-error-in-ecparam.patch - 1002-Fix-SSL_set_session_ticket_ext-when-used-with-SSLv23.patch - 1003-RT3774-double-free-in-DSA.patch - 1004-use-X9.31-keygen-by-default-in-FIPS-mode.patch - 1005-Clear-BN-mont-values-when-free-ing-it.patch - 1006-GH336-Return-an-exit-code-if-report-fails.patch - 1007-Fix-warning-when-compiling-with-no-ec2m.patch - 1008-RT3990-Fix-include-path.patch - 1009-Fix-seg-fault-with-0-p-val-in-SKE.patch - 1010-Check-for-0-modulus-in-BN_MONT_CTX_set.patch - 1011-Fix-missing-return-value-checks-in-SCTP.patch - 1012-Fix-make-test-seg-fault-with-SCTP-enabled.patch - 1013-Err-isn-t-always-malloc-failure.patch - 1014-Fix-memory-leak-if-setup-fails.patch - 1015-Return-error-for-unsupported-modes.patch - 1016-GH364-Free-memory-on-an-error-path.patch - 1017-Fix-1.0.2-build-break.patch - 1018-Fix-DTLS-session-ticket-renewal.patch - 1019-Fixed-problem-with-multiple-load-unload-of-comp-zlib.patch - 1020-GH354-Memory-leak-fixes.patch - 1021-bntest-don-t-dereference-the-d-array-for-a-zero-BIGN.patch - 1022-BN_mod_exp_mont_consttime-check-for-zero-modulus.patch - 1023-check-bn_new-return-value.patch - 1024-RT-3493-fix-RSA-test.patch - 1025-RT4002-check-for-NULL-cipher-in-p12_crpt.c.patch - 1026-Fix-building-with-OPENSSL_NO_TLSEXT.patch - 1027-Fix-session-resumption.patch - 1028-Fix-DTLS1.2-buffers.patch - 1029-Fix-DTLS1.2-compression.patch - 1030-Better-handling-of-verify-param-id-peername-field.patch - 1031-Cleaner-handling-of-cnid-in-do_x509_check.patch - 1032-Match-SUITEB-strings-at-start-of-cipher-list.patch - 1033-RT3754-check-for-NULL-pointer.patch - 1034-Use-default-field-separator.patch - 1035-Use-memmove-instead-of-memcpy.patch - 1036-Check-for-FIPS-mode-after-loading-config.patch - 1037-Constify-ECDSA_METHOD_new.patch - 1038-d2i-don-t-update-input-pointer-on-failure.patch - 1039-Make-no-psk-compile-without-warnings.patch - 1040-Fix-return-values-when-adding-serverinfo-fails.patch - 1041-RT3757-base64-encoding-bugs.patch - 1042-base64-decode-check-for-high-bit.patch - 1043-Make-sure-OPENSSL_cleanse-checks-for-NULL.patch - 1044-Make-SRP-work-with-www.patch - 1045-Handle-SSL_ERROR_WANT_X509_LOOKUP.patch - 1046-Fix-SRP-memory-leaks.patch - 1047-RT3823-Improve-the-robustness-of-event-logging.patch - 1048-RT3479-Add-UTF8-support-to-BIO_read_filename.patch - 1049-Make-BUF_strndup-read-safe-on-arbitrary-inputs.patch - 1050-BUF_strndup-tidy.patch - 1051-BUF_strdup-and-friends-update-docs.patch - 1052-SRP-memory-leak-fix.patch - 1053-RT2772-accept-empty-SessionTicket.patch - 1054-GH367-use-random-data-if-seed-too-short.patch - 1055-Fix-more-d2i-cases-to-properly-update-the-input-poin.patch - 1056-Validate-ClientHello-extension-field-length.patch - 1057-Change-functions-to-pass-in-a-limit-rather-than-calc.patch - 1058-Don-t-try-and-parse-boolean-type.patch - 1059-Set-flags-to-0-before-calling-BN_with_flags.patch - 1060-Properly-check-return-type-of-DH_compute_key.patch - 1061-Move-BN_CTX_start-call-so-the-error-case-can-always-.patch - 1062-When-ENGINE_add-finds-that-id-or-name-is-missing-act.patch - 1063-Don-t-treat-a-bare-OCTETSTRING-as-DigestInfo-in-int_.patch - 1064-Typo.patch - 1065-RFC5753-compliance.patch - 1066-Fix-self-signed-handling.patch - 1067-Do-not-treat-0-return-value-from-BIO_get_fd-as-error.patch - 1068-Replace-malloc-strlcpy-with-strdup.patch - 1069-Fix-memory-leaks-and-other-mistakes-on-errors.patch - 1070-Set-salt-length-after-the-malloc-has-succeeded.patch - 1071-Check-memory-allocation.patch - 1072-Remove-useless-code.patch - 1073-BN_GF2m_mod_inv-check-bn_wexpand-return-value.patch 2015/09/01 18:31 willy@wtap.local * released openssl-1.0.2d-flx2.1 * port the following patches from 1.0.1 to save up to 34kB of memory per session : 0001-ssl-don-t-allocate-the-write-buffer-during-the-hands.patch 0002-ssl-release-unused-read-buffer-on-incomplete-client-.patch 0003-rand-fix-null-pointer-dereference-caused-by-unchecke.patch 0004-ssl-change-default-cipher-string-to-AES-RC4-ALL-aNUL.patch 2015/07/03 20:39 willy@wtap.local * released openssl-1.0.2c-flx2.1 * upgraded to 1.0.2c (fixes several vulns) * changed ARCH_MAX_ARM from 7 to 5 to fix a build issue in sha256 2015/03/30 20:05 willy@wtap.local * released openssl-1.0.2a-flx2.1 * upgraded to 1.0.2a (fixes several vulnerabilities) 2015/02/04 17:27 willy@wtap.local * released openssl-1.0.2-flx2.1 * upgraded to 1.0.2 * added explicit support for ARM ISA ranges (new in 1.0.2) * temporarily disabled all optimization patches (none applies) 2015/02/02 14:29 willy@wtap.local * released openssl-1.0.1l-flx2.1 * upgraded to 1.0.1l * updated the small-records patch to remove changes to test files * removed fix-segfault-in-verify-param.diff 2014/11/13 14:41 willy@wtap.local * released openssl-1.0.1j-flx2.2 * add the following fixes to handle OOM situations : - 0001-no-wbuf-during-handshake.diff - 0002-release-rbuf-during-handshake.diff - fix-md-init-return-not-checked-cause-null-deref.diff - fix-segfault-in-verify-param.diff - small-records-1.0.1j.patch 2014/10/16 16:06 emeric@ebr-desktop * released openssl-1.0.1j-flx2.1 Fix for CVE-2014-3513 Fix for CVE-2014-3567 Mitigation for CVE-2014-3566 (SSL protocol vulnerability) Fix for CVE-2014-3568 2014/09/11 21:38 willy@wtap.local * released openssl-1.0.1i-flx2.1 2014/09/11 21:25 willy@wtap.local * upgraded to openssl-1.0.1i * fixed build issue for non-x86 archs : linux-elf is 586 for openssl !!! 2014/06/05 17:11 emeric@ebr-desktop * released openssl-1.0.1h-flx2.1 * CVE-2014-0224 fix 2014/05/20 12:00 roberto@pierot * released openssl-1.0.1g-flx2.4 : 0001-Extension-checking-fixes.patch 0002-Fix-double-frees.patch 0003-Fix-use-after-free.patch 0004-Fix-eckey_priv_encode.patch 0005-Double-free-in-i2o_ECPublicKey.patch 0006-fix-coverity-issues-966593-966596.patch 0007-Set-Enveloped-data-version-to-2-if-ktri-version-not-.patch 0008-Initialize-num-properly.patch 0009-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch 0010-evp-prevent-underflow-in-base64-decoding.patch 0011-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch 0012-fix-coverity-issue-966597-error-line-is-not-always-i.patch 0013-PR-3342-fix-resource-leak-coverity-issue-966577.patch 0014-coverity-966576-close-socket-in-error-path.patch 0015-Return-an-error-if-no-recipient-type-matches.patch 0016-safety-check-to-ensure-we-dont-send-out-beyond-the-u.patch 0017-Fix-infinite-loop.-PR-3347.patch 0018-Avoid-out-of-bounds-write-in-SSL_get_shared_ciphers.patch 0019-dgram_sctp_ctrl-authkey-memory-leak.patch 0020-Set-authkey-to-NULL-and-check-malloc-return-value.patch 0021-Replace-manual-ASN1-decoder-with-ASN1_get_object.patch 0022-Correct-the-return-type-on-the-signature-for-X509_ST.patch 0023-Check-sk_SSL_CIPHER_num-after-assigning-sk.patch 0024-Enc-doesn-t-support-AEAD-ciphers.patch 0025-Fix-signed-unsigned-warning.patch 0026-Allow-the-maximum-value.patch 0027-Fix-a-wrong-parameter-count-ERR_add_error_data.patch 2014/05/19 14:57 roberto@pierot * released openssl-1.0.1g-flx2.3 * CVE-2014-0198 openssl bugfix 2014/04/20 15:45 willy@wtap.local * released openssl-1.0.1g-flx2.2 * update to 1.0.1g to fix CVE-2014-0160 2014/02/01 10:02 willy@wtap.local * update to 1.0.1f * use $PKGVER in the download URL 2013/10/09 11:54 roberto@pierot * released openssl-1.0.1e-flx2.1 2013/01/21 15:50 willy@pcw.home.local * released openssl-1.0.1c-flx2.4 * fix build for any arm* platform 2013/01/14 14:08 willy@wtap * released openssl-1.0.1c-flx2.3 2012/12/31 11:33 willy@wtap * restored correct optimizations ; previous patch removed -O3 in favor of -Os which is slower (-2% measured) * removed obsolete flag -DSSL_ALLOW_ADH added by previous patch and which was removed in 0.9.5 in 2000 ! * removed forced options that are wrong on some platforms. The correct optimization options are already implied by the target OS. * added again support for ARM and SPARC which benefit from assembly code * added some error control in do_compile_only() 2012/10/08 10:26 emeric@ebr-laptop * released openssl-1.0.1c-flx2.2 * Fix missing optims and cipher patch. 2012/06/01 11:00 djc@wks-ddc.exosec.local * released openssl-1.0.1c-flx2.1 2011/10/07 11:34 willy@wtap * released openssl-0.9.8r-flx2.2 * use the arch-specific objdump utility * default architecture is not necessarily x86 2011/07/11 13:05 wlallemand@wlallemand-desktop * released openssl-0.9.8r-flx1.1 * upgrade to 0.9.8r * i586 and x86_64 packages 2010/11/30 15:32 emeric@ebr-laptop * released openssl-0.9.8p-flx1.1