openssl (3.4.1-1ubuntu3) plucky; urgency=medium

  * Cherry-pick additional 3.4 fixes up to April 2:
    - post-3.4.1/*: refresh and add new upstream patches from git

 -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 03 Apr 2025 10:48:37 +0200

openssl (3.4.1-1ubuntu2) plucky; urgency=medium

  * Pull patches between 3.4.1 and 2025/02/17:
    - post-3.4.1/*: add upstream patches from git
    - SPARC-assembly-Don-t-file-aes-cbc-on-T4-with-small-sizes.patch:
      remove as it's included in the upstream patches

 -- Adrien Nader <adrien.nader@canonical.com>  Tue, 18 Mar 2025 10:07:41 +0100

openssl (3.4.1-1ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Use perl:native in the autopkgtest for installability on i386.
    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
    - Disable LTO with which the codebase is generally incompatible (LP: #2058017)
    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
    - Don't enable or package anything FIPS (LP: #2087955)
    - patch: crypto: Add kernel FIPS mode detection
    - patch: crypto: Automatically use the FIPS provider...
    - patch: apps/speed: Omit unavailable algorithms in FIPS mode
    - patch: apps: pass -propquery arg to the libctx DRBG fetches
    - patch: test: Ensure encoding runs with the correct context...
    - patch: Add Ubuntu-specific defines to help FIPS certification (LP: #2073991)
      + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
      + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
  * Remove now-unneeded work-around for m2crypto as discussed in #1091133
  * patch: add CPACF instruction usage for AES-XTS (LP: #2096810)

 -- Adrien Nader <adrien.nader@canonical.com>  Wed, 12 Feb 2025 10:21:22 +0100

openssl (3.4.1-1) unstable; urgency=medium

  * Import 3.4.1
  - CVE-2024-12797 (RFC7250 handshakes with unauthenticated servers don't
    abort as expected) (Closes: #1095765).
  - CVE-2024-13176 (Timing side-channel in ECDSA signature computation)
    (Closes: #1094027).
  - Compile on LoongArch again (Closes: #1092307).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 11 Feb 2025 21:30:30 +0100

openssl (3.4.0-2) unstable; urgency=medium

  * Disable padlockeng on non-x86 architectures.
  * Upload to unstable.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 06 Jan 2025 19:01:42 +0100

openssl (3.4.0-1ubuntu2) plucky; urgency=medium

  * d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch:
    Extend the patch to print the error encounted when a fallback
    provider fails loading, e.g. due to FIPS auto-loading (LP: #2066990)
  * d/p/Revert-When-defining-ossl_ssize_t-ssize_t-remember-t.patch:
    Work-around SWIG using different feature flag defines than GCC and
    parsing sys/select.h differently. (LP: #2091883)

 -- Adrien Nader <adrien.nader@canonical.com>  Thu, 19 Dec 2024 16:12:42 +0100

openssl (3.4.0-1ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable (LP: #2044795). Remaining changes:
    - Use perl:native in the autopkgtest for installability on i386.
    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
    - Disable LTO with which the codebase is generally incompatible (LP: #2058017)
    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
    - patch: crypto: Add kernel FIPS mode detection
    - patch: crypto: Automatically use the FIPS provider...
    - patch: apps/speed: Omit unavailable algorithms in FIPS mode
    - patch: apps: pass -propquery arg to the libctx DRBG fetches
    - patch: test: Ensure encoding runs with the correct context...
    - patch: Add Ubuntu-specific defines to help FIPS certification (LP: #2073991)
      + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
      + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE
    Dropped, merged upstream:
    - debian/patches/CVE-2024-6119.patch: avoid type errors in EAI-related
      name check logic in crypto/x509/v3_utl.c, test/*.
  * Don't enable or package anything FIPS (LP: #2087955)

 -- Adrien Nader <adrien.nader@canonical.com>  Fri, 29 Nov 2024 11:19:56 +0100

openssl (3.4.0-1) experimental; urgency=medium

  * Import 3.4.0
  - CVE-2024-9143 (Low-level invalid GF(2^m) parameters lead to OOB memory
    access) (Closes: #1085378).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 23 Oct 2024 21:18:43 +0200

openssl (3.4.0~~beta1-2) experimental; urgency=medium

  * Add a patch to avoid using other memory allocations if custom malloc is
    provided.
  * Add a patch to check length in the SPARC assembly implementation of
    AES-CBC.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 13 Oct 2024 22:07:10 +0200

openssl (3.4.0~~beta1-1) experimental; urgency=medium

  * Import 3.4.0-beta1

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 07 Oct 2024 23:03:28 +0200

openssl (3.3.2-1) unstable; urgency=medium

  * Import 3.3.2.
    - CVE-2024-6119 (Possible denial of service in X.509 name checks).
    - CVE-2024-5535 (SSL_select_next_proto buffer overread)
      (Closes: #1074487).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 03 Sep 2024 21:43:24 +0200

openssl (3.3.1-7) unstable; urgency=medium

  * Make libssl3t64 depend on openssl-provider-legacy (See further development
    in #965041).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 19 Aug 2024 23:38:33 +0200

openssl (3.3.1-6) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Enable ec_nistp_64_gcc_128 on arm64, ppc64el, riscv64. Initially suggested
    by Joel Stanley.
  * Add a "prefix" for pkg-config and cmake exporter
    (Closes: #1078509, #1078020).
  * Add Breaks/ Replaces to the legacy provider also against libssl3
    (Closes: #1078551).
  * Upload to unstable.

  [ Debian Janitor ]
  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
    Repository-Browse.
  * Fix day-of-week for changelog entries 0.9.8a-7, 0.9.8a-6, 0.9.8a-4.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 13 Aug 2024 21:39:36 +0200

openssl (3.3.1-5) experimental; urgency=medium

  * Split the legacy provider into its own package (Closes: #965041).
  * Add the FIPS provider (Closes: #1050210).
  * Reintroduce the provider section back in the default openssl.cnf. This is
    was to keep compatibility with the openssl 1.1 series. Adding makes it
    easier to add/ enable provides such as fips.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 04 Aug 2024 23:22:06 +0200

openssl (3.3.1-2ubuntu2) oracular; urgency=medium

  * SECURITY UPDATE: Possible denial of service in X.509 name checks
    - debian/patches/CVE-2024-6119.patch: avoid type errors in EAI-related
      name check logic in crypto/x509/v3_utl.c, test/*.
    - CVE-2024-6119
  * Add Ubuntu-specific defines to help FIPS certification (LP: #2073991)
    - UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH
    - UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE

 -- Adrien Nader <adrien.nader@canonical.com>  Wed, 11 Sep 2024 16:09:42 +0200

openssl (3.3.1-2ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2044795). Remaining changes:
    - Use perl:native in the autopkgtest for installability on i386.
    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl
    - Disable LTO with which the codebase is generally incompatible (LP #2058017)
    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins
    - patch: crypto: Add kernel FIPS mode detection
    - patch: crypto: Automatically use the FIPS provider...
    - patch: apps/speed: Omit unavailable algorithms in FIPS mode
    - patch: apps: pass -propquery arg to the libctx DRBG fetches
    - patch: test: Ensure encoding runs with the correct context...
    - SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto
      - debian/patches/CVE-2024-5535*.patch: validate provided client list in
        ssl/ssl_lib.c.
      - CVE-2024-5535

 -- Simon Chopin <schopin@ubuntu.com>  Mon, 12 Aug 2024 13:49:56 +0200

openssl (3.3.1-2) unstable; urgency=medium

  * Upload to unstable.
  * Add support for hurd-amd64, patch by Samuel Thibault (Closes: #1076324).
  * Use the static archive from the shared build.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 03 Aug 2024 16:17:50 +0200

openssl (3.3.1-1) experimental; urgency=medium

  * Import 3.3.1.
    - CVE-2024-4603 (Excessive time spent checking DSA keys and parameters)
      (Closes: #1071972).
    - CVE-2024-4741 (Use After Free with SSL_free_buffers)
      (Closes: #1072113).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 04 Jun 2024 18:37:30 +0200

openssl (3.3.0-1) experimental; urgency=medium

  * Import 3.3.0.
    - CVE-2024-2511 (Unbounded memory growth with session handling in TLSv1.3)
      (Closes: #1068658).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 11 Apr 2024 21:49:45 +0200

openssl (3.3.0~beta1-1) experimental; urgency=medium

  * Import 3.3.0-beta1.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 05 Apr 2024 23:09:03 +0200

openssl (3.2.2-1ubuntu3) oracular; urgency=medium

  * Added extra commits to previous upload to fix FTBFS in quic tests
    - debian/patches/CVE-2024-5535-2.patch: more correctly handle a
      selected_len of 0 when processing NPN in ssl/statem/extensions_clnt.c.
    - debian/patches/CVE-2024-5535-3.patch: use correctly formatted ALPN
      data in tserver in ssl/quic/quic_tserver.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 02 Aug 2024 07:41:40 -0400

openssl (3.2.2-1ubuntu2) oracular; urgency=medium

  * SECURITY UPDATE: crash or memory disclosure via SSL_select_next_proto
    - debian/patches/CVE-2024-5535.patch: validate provided client list in
      ssl/ssl_lib.c.
    - CVE-2024-5535

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 31 Jul 2024 13:16:18 -0400

openssl (3.2.2-1ubuntu1) oracular; urgency=medium

  * Merge 3.2.2-1 from Debian unstable
    - Remaining changes:
      + Symlink changelog.Debian.gz and copyright.gz from libssl-dev and
        openssl to the ones in libssl3t64
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
  * The changelog.gz symlink was broken (LP: #1297025)
  * The copyright symlink was broken (LP: #2067672)
  * Default configuration includes two paths:
    - /var/lib/crypto-config/profiles/current/openssl.conf.d
    - /etc/ssl/openssl.conf.d
    First one is to read configuration through the crypto-config framework.
    Second one is for customization by sysadmin.

 -- Adrien Nader <adrien.nader@canonical.com>  Mon, 01 Jul 2024 17:04:32 +0200

openssl (3.2.1-3ubuntu1) oracular; urgency=medium

  * Merge 3.2.1-3 from Debian unstable (LP: #2067384)
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + Use perl:native in the autopkgtest for installability on i386.
      + Disable LTO with which the codebase is generally incompatible
        (LP: #2058017)
      + Add fips-mode detection and adjust defaults when running in fips mode
    - Dropped changes:
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile which has been
        integrated
      + Patches that forbade TLS < 1.2 @SECLEVEL=2 which is now upstream
        behaviour:
        - skip_tls1.1_seclevel3_tests.patch
        - tests-use-seclevel-1.patch
        - tls1.2-min-seclevel2.patch
      + Revert the provider removal from the default configuration as there's
        no point in carrying the delta (will see if Debian drops the patch)
      + d/p/intel/*: was a backport from upstream changes
      + d/p/CVE-*: was a backport from upstream changes

 -- Adrien Nader <adrien.nader@canonical.com>  Tue, 28 May 2024 14:30:44 +0200

openssl (3.2.1-3) unstable; urgency=medium

  * Upload to unstable.
  * Correct prvious security level in NEWS file (Closes: #1066116).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 04 Apr 2024 22:00:04 +0200

openssl (3.2.1-2) experimental; urgency=medium

  * Disable brotli and enable zlib for certificate compression.
  * Update to latest openssl-3.2 branch.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 22 Feb 2024 21:41:18 +0100

openssl (3.2.1-1.1~exp1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

 -- Steve Langasek <vorlon@debian.org>  Mon, 19 Feb 2024 07:33:51 +0000

openssl (3.2.1-1) experimental; urgency=medium

  * Import 3.2.1
   - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
   - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
     (Closes: #1060858).
   - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
     PowerPC) (Closes: #1060347).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 03 Feb 2024 17:23:00 +0100

openssl (3.2.0-2) experimental; urgency=medium

  * Use generic target for riscv64.
  * Update to latest openssl-3.2 branch.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 14 Dec 2023 21:13:53 +0100

openssl (3.2.0-1) experimental; urgency=medium

  * Import 3.2.0
  * Enable zstd, brotli and for certificate compression.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 26 Nov 2023 13:37:14 +0100

openssl (3.1.4-2) unstable; urgency=medium

  * Invoke clean up from the openssl binary as a temporary workaround to avoid
    a crash in libp11/SoftHSM engine (Closes: #1054546).
  * CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
    parameter value) (Closes: #1055473).
  * Upload to unstable.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 25 Nov 2023 21:35:59 +0100

openssl (3.1.4-1) experimental; urgency=medium

  * Import 3.1.4
   - CVE-2023-5363 (Incorrect cipher key and IV length processing).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 24 Oct 2023 21:58:49 +0200

openssl (3.1.3-1) experimental; urgency=medium

  * Import 3.1.3

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 19 Sep 2023 18:57:49 +0200

openssl (3.1.2-1) experimental; urgency=medium

  * Import 3.1.2
   - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
     entries) (Closes: #1041818).
   - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
     (Closes: #1041817).
   - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
   - Drop bc and m4 from B-D.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 01 Aug 2023 22:51:25 +0200

openssl (3.1.1-1) experimental; urgency=medium

  * Import 3.1.1
    - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      Constraints) (Closes: #1034720).
    - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      silently ignored).
    - CVE-2023-0466 (Certificate policy check not enabled).
    - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
    - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
    - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
    - Add new symbol.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 30 May 2023 19:46:00 +0200

openssl (3.1.0-1) experimental; urgency=medium

  * Import 3.1.0
  * Add new symbols.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 06 May 2023 12:11:09 +0200

openssl (3.0.13-0ubuntu4) oracular; urgency=medium

  * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090)
    - debian/patches/openssl-pkcs1-implicit-rejection.patch:
      Return deterministic random output instead of an error in case
      there is a padding error in crypto/cms/cms_env.c,
      crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c,
      crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c,
      crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in,
      doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod,
      doc/man3/EVP_PKEY_decrypt.pod,
      doc/man3/RSA_padding_add_PKCS1_type_1.pod,
      doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod,
      include/crypto/rsa.h, include/openssl/core_names.h,
      include/openssl/rsa.h,
      providers/implementations/asymciphers/rsa_enc.c and
      test/recipes/30-test_evp_data/evppkey_rsa_common.txt.

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Wed, 15 May 2024 09:54:00 +0200

openssl (3.0.13-0ubuntu3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 06:42:03 +0000

openssl (3.0.13-0ubuntu2) noble; urgency=medium

  [ Tobias Heider ]
  * Add fips-mode detection and adjust defaults when running in fips mode
    (LP: #2056593):
    - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch:
      Detect if kernel fips mode is enabled
    - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch:
      Load FIPS provider if running in FIPS mode
    - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch:
      Limit openssl-speed to FIPS compliant algorithms when running in FIPS mode
    - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch
      Make sure DRBG respects query properties
    - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch:
      Make sure encoding runs with correct library context and provider

  [ Adrien Nader ]
  * Re-enable intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch
    (LP: #2030784)
    Thanks Bun K Tan and Dan Zimmerman
  * Disable LTO with which the codebase is generally incompatible (LP: #2058017)

 -- Adrien Nader <adrien.nader@canonical.com>  Fri, 15 Mar 2024 09:46:33 +0100

openssl (3.0.13-0ubuntu1) noble; urgency=medium

  * Import 3.0.13
    - Drop security patches :
      + CVE-2023-5363-1.patch
      + CVE-2023-5363-2.patch
      + CVE-2023-5678.patch
      + CVE-2023-6129.patch
      + CVE-2023-6237.patch
      + CVE-2024-0727.patch
    - Skip intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch
      as it causes testsuite failures.

 -- Adrien Nader <adrien.nader@canonical.com>  Fri, 08 Mar 2024 10:47:35 +0100

openssl (3.0.10-1ubuntu5) noble; urgency=medium

  * Rename libraries for 64-bit time_t transition.  Closes: #1064264

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 03 Mar 2024 20:47:45 -0800

openssl (3.0.10-1ubuntu4) noble; urgency=medium

  * SECURITY UPDATE: Excessive time spent in DH check / generation with
    large Q parameter value
    - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and
      DH_generate_key() safer yet in crypto/dh/dh_check.c,
      crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt,
      include/crypto/dherr.h, include/openssl/dh.h,
      include/openssl/dherr.h.
    - CVE-2023-5678
  * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers
    on PowerPC
    - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in
      crypto/poly1305/asm/poly1305-ppc.pl.
    - CVE-2023-6129
  * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys
    - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA
      public key check in crypto/rsa/rsa_sp800_56b_check.c,
      test/recipes/91-test_pkey_check.t,
      test/recipes/91-test_pkey_check_data/rsapub_17k.pem.
    - CVE-2023-6237
  * SECURITY UPDATE: PKCS12 Decoding crashes
    - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo
      data can be NULL in crypto/pkcs12/p12_add.c,
      crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c,
      crypto/pkcs7/pk7_mime.c.
    - CVE-2024-0727

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 31 Jan 2024 13:03:16 -0500

openssl (3.0.10-1ubuntu3) noble; urgency=medium

  * Drop most of d/libssl3.postinst, keeping only the reboot notification on
    servers. The dropped code was actually unreachable since around Ubuntu
    18.04, except for debconf which was loaded but not used.
  * Remove template for debconf

 -- Adrien Nader <adrien.nader@canonical.com>  Mon, 18 Sep 2023 16:06:16 +0200

openssl (3.0.10-1ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Incorrect cipher key and IV length processing
    - debian/patches/CVE-2023-5363-1.patch: process key length and iv
      length early if present in crypto/evp/evp_enc.c.
    - debian/patches/CVE-2023-5363-2.patch: add unit test in
      test/evp_extra_test.c.
    - CVE-2023-5363

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 13 Oct 2023 07:51:05 -0400

openssl (3.0.10-1ubuntu2) mantic; urgency=medium

  * d/p/intel/*: cherry-pick AVX512 patches for recent Intel CPUs (LP: #2030784)

 -- Simon Chopin <schopin@ubuntu.com>  Tue, 08 Aug 2023 17:51:58 +0200

openssl (3.0.10-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 02 Aug 2023 08:59:28 +0200

openssl (3.0.10-1) unstable; urgency=medium

  * Import 3.0.10
   - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
     entries) (Closes: #1041818).
   - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
     (Closes: #1041817).
   - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
   - Drop bc and m4 from B-D.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 01 Aug 2023 22:00:05 +0200

openssl (3.0.9-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 12 Jun 2023 11:19:44 +0200

openssl (3.0.9-1) unstable; urgency=medium

  * Import 3.0.9
   - CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
     Constraints) (Closes: #1034720).
   - CVE-2023-0465 (Invalid certificate policies in leaf certificates are
     silently ignored).
   - CVE-2023-0466 (Certificate policy check not enabled).
   - Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption).
   - CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).
   - CVE-2023-1255 (Input buffer over-read in AES-XTS implementation on 64 bit ARM).
   - Add new symbol.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 30 May 2023 18:12:36 +0200

openssl (3.0.8-1ubuntu3) mantic; urgency=medium

  * SECURITY UPDATE: DoS in AES-XTS cipher decryption
    - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in
      crypto/aes/asm/aesv8-armx.pl.
    - CVE-2023-1255
  * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
    - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
      IDENTIFIERs that OBJ_obj2txt will translate in
      crypto/objects/obj_dat.c.
    - CVE-2023-2650
  * Replace CVE-2022-4304 fix with improved version
    - debian/patches/revert-CVE-2022-4304.patch: remove previous fix.
    - debian/patches/CVE-2022-4304.patch: use alternative fix in
      crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
      crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 24 May 2023 13:04:49 -0400

openssl (3.0.8-1ubuntu2) mantic; urgency=medium

  * Manual reupload from lunar-security to mantic-proposed pocket, due to
    LP failing to copy it

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 03 May 2023 10:49:04 +0200

openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: excessive resource use when verifying policy constraints
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
      in a policy tree (the default limit is set to 1000 nodes).
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
      resource overuse.
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
      exponential growth test conditionally.
    - CVE-2023-0464
  * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
    - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
      is checked even in leaf certs.
    - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
      the certificatePolicies extension.
    - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
    - CVE-2023-0466
  * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
    not enabled as documented
    - debian/patches/CVE-2023-0466.patch: fix documentation of
      X509_VERIFY_PARAM_add0_policy().
    - CVE-2023-0466

 -- Camila Camargo de Matos <camila.camargodematos@canonical.com>  Mon, 24 Apr 2023 07:52:33 -0300

openssl (3.0.8-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.8 from Debian testing (LP: #2006954)
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.

 -- Adrien Nader <adrien.nader@canonical.com>  Mon, 20 Feb 2023 16:10:19 +0100

openssl (3.0.8-1) unstable; urgency=medium

  * Import 3.0.8
    - CVE-2023-0401 (NULL dereference during PKCS7 data verification).
    - CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
    - CVE-2023-0217 (NULL dereference validating DSA public key).
    - CVE-2023-0216 (Invalid pointer dereference in d2i_PKCS7 functions).
    - CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
    - CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
    - CVE-2022-4304 (Timing Oracle in RSA Decryption).
    - CVE-2022-4203 (X.509 Name Constraints Read Buffer Overflow).
    - Padlock: fix byte swapping assembly for AES-192 and 256
      (Closes: #1029259).
    - Add new symbol.
  * Make loongarch64 little endian (Closes: #1029281).
  * Drop conflict against libssl1.0-dev.
  * Update Standards-Version to 4.6.1. No changes required.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 07 Feb 2023 21:42:42 +0100

openssl (3.0.7-2) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking) (Closes: #1027102).
  * Add loongarch64 target (Closes: #1024414).
  * Avoid SIGSEGV with engines, reported by ValdikSS (Closes: #1028898).
  * Set digestname from argv[0] if it is a builtin hash name
   (Closes:# 1025461).

  [ Helmut Grohne ]
  * Support the noudeb build profile (Closes: #1024929).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 19 Jan 2023 21:31:42 +0100

openssl (3.0.7-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.7 from Debian unstable (LP: #1998942)
    - Drop patches merged upstream:
      + CVE-2022-3358.patch
      + CVE-2022-3602-1.patch
      + CVE-2022-3602-2.patch
    - Shrink patch since upstream fixed some tests in the patch above:
      + tests-use-seclevel-1.patch
    - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
      + Set-systemwide-default-settings-for-libssl-users.patch
    - Drop Debian patch not needed anymore:
      + TEST-Provide-a-default-openssl.cnf-for-tests.patch
    - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
      + tls1.2-min-seclevel2.patch
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.
  * Correct comment as to which TLS version is disabled with our seclevel:
    - skip_tls1.1_seclevel3_tests.patch

  [Sebastian Andrzej Siewior]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking).

 -- Adrien Nader <adrien.nader@canonical.com>  Tue, 06 Dec 2022 15:11:40 +0100

openssl (3.0.7-1) unstable; urgency=medium

  * Import 3.0.7
    - Using a Custom Cipher with NID_undef may lead to NULL encryption
      (CVE-2022-3358) (Closes: #1021620).
    - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
    - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
  * Disable rdrand engine (the opcode on x86).
  * Remove config bits for MIPS R6, the generic MIPS config can be used.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 01 Nov 2022 21:39:01 +0100

openssl (3.0.5-4) unstable; urgency=medium

  * Add ssl_conf() serialisation (Closes: #1020308).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 19 Sep 2022 21:59:19 +0200

openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
   (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 18 Sep 2022 21:48:05 +0200

openssl (3.0.5-2ubuntu2) kinetic-security; urgency=medium

  * SECURITY UPDATE: X.509 Email Address Buffer Overflow
    - debian/patches/CVE-2022-3602-1.patch: fix off by one in punycode
      decoder in crypto/punycode.c, test/build.info, test/punycode_test.c,
      test/recipes/04-test_punycode.t.
    - debian/patches/CVE-2022-3602-2.patch: ensure the result is zero
      terminated in crypto/punycode.c.
    - CVE-2022-3602
  * SECURITY UPDATE: legacy custom cipher issue
    - debian/patches/CVE-2022-3358.patch: fix usage of custom EVP_CIPHER
      objects in crypto/evp/digest.c, crypto/evp/evp_enc.c.
    - CVE-2022-3358

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 27 Oct 2022 13:05:01 -0400

openssl (3.0.5-2ubuntu1) kinetic; urgency=low

  * Merge from Debian unstable (LP: #1987047). Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - d/libssl3.postinst: Revert Debian deletion
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Import libraries/restart-without-asking template as used by above.
    - Add support for building with noudeb build profile.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Use perl:native in the autopkgtest for installability on i386.
    - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
      testsuite
    - d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
      on Ubuntu to make it easier for user to change security level
  * Dropped changes, merged upstream:
    - d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
      regression on AVX-512 capable CPUs.
  * Revert the provider removal from the default configuration, following
    discussions on LP: #1979639

 -- Simon Chopin <schopin@ubuntu.com>  Fri, 19 Aug 2022 10:05:04 +0200

openssl (3.0.5-2) unstable; urgency=medium

  * Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
    (Closes: #1016290).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 14 Aug 2022 21:57:05 +0200

openssl (3.0.5-1) unstable; urgency=medium

  * Import 3.0.5
    - Possible module_list_lock crash (Closes: #1013309).
    - CVE-2022-2097 (AES OCB fails to encrypt some bytes).
  * Update to 55461bf22a57a ("Don't try to make configuration leaner")
  * Use -latomic on arc,nios2 and sparc (Closes: #1015792).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 24 Jul 2022 16:30:30 +0200

openssl (3.0.4-2) unstable; urgency=medium

  * Address a AVX2 related memory corruption (Closes: #1013441)
    (CVE-2022-2274).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 24 Jun 2022 19:27:02 +0200

openssl (3.0.4-1ubuntu1) kinetic; urgency=medium

  * Merge from Debian unstable (LP: #1979639). Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - d/libssl3.postinst: Revert Debian deletion
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Import libraries/restart-without-asking template as used by above.
    - Add support for building with noudeb build profile.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Use perl:native in the autopkgtest for installability on i386.
    - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
      testsuite
    - d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
      on Ubuntu to make it easier for user to change security level
  * Dropped changes, merged upstream:
    - Add some more string comparison fixes
    - d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
      trigger the underlying bug
    - d/p/lp1978093/*: renew some expiring test certificates
  * d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
    regression on AVX-512 capable CPUs.

 -- Simon Chopin <schopin@ubuntu.com>  Thu, 23 Jun 2022 12:43:23 +0200

openssl (3.0.4-1) unstable; urgency=medium

  * Import 3.0.4
    - CVE-2022-2068 (The c_rehash script allows command injection)

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 22 Jun 2022 08:04:00 +0200

openssl (3.0.3-8) unstable; urgency=medium

  * Update to openssl-3.0 head.
  * Avoid reusing the init_lock for a different purpose (Closes: #1011339).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 13 Jun 2022 22:16:39 +0200

openssl (3.0.3-7) unstable; urgency=medium

  * Remove the provider section from the provided openssl.cnf
   (Closes: #1011051).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 08 Jun 2022 23:10:14 +0200

openssl (3.0.3-6) unstable; urgency=medium

  * Update to openssl-3.0 head which fixes the expired certs in the testsuite.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 04 Jun 2022 15:25:53 +0200

openssl (3.0.3-5ubuntu3) kinetic; urgency=medium

  * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)

 -- Simon Chopin <schopin@ubuntu.com>  Thu, 09 Jun 2022 13:20:55 +0200

openssl (3.0.3-5ubuntu2) kinetic; urgency=medium

  * d/p/Set-systemwide-default-settings-for-libssl-users: don't comment out
    the CipherString string to avoid an empty section.

 -- Simon Chopin <schopin@ubuntu.com>  Tue, 31 May 2022 13:02:15 +0200

openssl (3.0.3-5ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1974035):
    Remaining change:
    - Replace duplicate files in the doc directory with symlinks.
    - d/libssl3.postinst: Revert Debian deletion
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Import libraries/restart-without-asking template as used by above.
    - Add support for building with noudeb build profile.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Use perl:native in the autopkgtest for installability on i386.
    - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
      testsuite
  * Add some more string comparison fixes (LP: #1974037)
  * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on
    Ubuntu to make it easier for user to change security level (LP: #1972056)
  * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
    trigger the underlying bug (LP: #1947588)

 -- Simon Chopin <schopin@ubuntu.com>  Tue, 31 May 2022 09:49:54 +0200

openssl (3.0.3-5) unstable; urgency=medium

  * Don't generate endbr32 opcodes on i386. Thanks to Wolfgang Walter
    (Closes: #1011127).
  * Backport more compare fixes from upstream.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 20 May 2022 22:01:29 +0200

openssl (3.0.3-4) unstable; urgency=medium

  * Add an init to EVP_PKEY_Q_keygen(). GH#18247, reference 1010958.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 16 May 2022 23:20:27 +0200

openssl (3.0.3-3) unstable; urgency=medium

  * Revert "Use .s extension for ia64 assembler" and don't zero used
    registers. Thanks to John Paul Adrian Glaubitz for debugging
    (Closes: #1010975).
  * Don't build ev4/ev5 optimized libraries on alpha.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 14 May 2022 21:50:31 +0200

openssl (3.0.3-2) unstable; urgency=medium

  * Update standards to 4.6.1. No changes were needed.
  * Upload to unstable.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 13 May 2022 23:25:01 +0200

openssl (3.0.3-1) experimental; urgency=medium

  * Import 3.0.3
    - CVE-2022-1292 (The c_rehash script allows command injection).
    - CVE-2022-1343 (OCSP_basic_verify may incorrectly verify the response
      signing certificate).
    - CVE-2022-1434 (Incorrect MAC key used in the RC4-MD5 ciphersuite).
    - CVE-2022-1473 (Resource leakage when decoding certificates and keys).
    - Add new symbols.
  * Correct the openssl.cnf to provide proper default configuration. Thanks to
    Matthias Blümel (Closes: #1010360).
  * Use a separator in the CipherString in openssl.cnf (Closes: #948800).
  * Remove the postinst script which was used to restart daemons after a
    library upgrade. It is not updated and essentially dead code. Users are
    advised to switch to checkrestart/ needrestart or a similar service.
    Thanks to Helmut Grohne (Closes: #983722).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 06 May 2022 22:21:52 +0200

openssl (3.0.3-0ubuntu1) kinetic; urgency=medium

  * New upstream release (LP: #1968997):
    - d/p/CVE-2022-*: dropped, present upstream
    - d/p/c_rehash-compat.patch: refreshed

 -- Simon Chopin <simon.chopin@canonical.com>  Thu, 05 May 2022 10:56:04 +0200

openssl (3.0.2-1) experimental; urgency=medium

  * Import 3.0.2
    - CVE-2022-0778 (Infinite loop in BN_mod_sqrt() reachable when parsing
      certificates).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 15 Mar 2022 20:54:57 +0100

openssl (3.0.2-0ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
      openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response
    signing certificate
    - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer
      certificate validation in crypto/ocsp/ocsp_vfy.c.
    - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid
      responses in test/recipes/80-test_ocsp.t.
    - CVE-2022-1343
  * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite
    - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in
      providers/implementations/ciphers/cipher_rc4_hmac_md5.c,
      test/recipes/30-test_evp_data/evpciph_aes_stitched.txt,
      test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt.
    - CVE-2022-1434
  * SECURITY UPDATE: resource leakage when decoding certificates and keys
    - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in
      crypto/lhash/lhash.c.
    - CVE-2022-1473

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 03 May 2022 12:01:34 -0400

openssl (3.0.2-0ubuntu1) jammy; urgency=medium

  * New upstream bugfix release (LP: #1965141)
  * d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
    testsuite

 -- Simon Chopin <simon.chopin@canonical.com>  Wed, 16 Mar 2022 09:35:51 +0100

openssl (3.0.1-1) experimental; urgency=medium

  * Import 3.0.1
    - CVE-2021-4044 (Fixed invalid handling of X509_verify_cert() internal
      errors in libssl).
    - CVE-2021-4160 (Carry propagation bug in the MIPS32 and MIPS64 squaring
      procedure.)
  * Zero used registers at function exit.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 27 Dec 2021 11:44:50 +0100

openssl (3.0.1-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1955026).
    + Dropped patches, merged upstream:
      - d/p/double-engine-load*
      - d/p/Add-null-digest-implementation-to-the-default-provid.patch
      - d/p/Don-t-create-an-ECX-key-with-short-keys.patch
    + Refreshed patches:
      - d/p/c_rehash-compat.patch

 -- Simon Chopin <simon.chopin@canonical.com>  Thu, 16 Dec 2021 09:10:48 +0100

openssl (3.0.0-1ubuntu2) jammy; urgency=medium

  * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)

 -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 07 Dec 2021 17:15:51 +0100

openssl (3.0.0-1ubuntu1) jammy; urgency=medium

  * Manual merge of version 3.0.0-1 from Debian experimental, remaining
    changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Add support for building with noudeb build profile.
  * d/p/Don-t-create-an-ECX-key-with-short-keys.patch:
    Backported from upstream to fix a regression with short keys (LP: #1946213)
  * d/p/Add-null-digest-implementation-to-the-default-provid.patch:
    Backported from upstream to fix a compatibility issue with 1.1.1l
  * Manually call dh_installdirs to fix build failure
  * Drop some Ubuntu patches merged upstream
    + The s390x series (00xx) has been applied upstream
    + The lp-1927161 Intel CET series has been applied upstream
    + CVE-2021-3449 has been fixed upstream
    + CVE-2021-3450 doesn't apply to 3.0 branch
  * Refresh and adapt the remaining patches

 -- Simon Chopin <simon.chopin@canonical.com>  Mon, 20 Sep 2021 18:09:50 +0200

openssl (3.0.0-1) experimental; urgency=medium

  * Import 3.0.0.
  * Add ARC, patch by Vineet Gupta (Closes: #989442).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 11 Sep 2021 10:41:54 +0200

openssl (3.0.0~~beta2-1) experimental; urgency=medium

  * Import 3.0.0-beta2.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 30 Jul 2021 07:51:18 +0200

openssl (3.0.0~~beta1-1) experimental; urgency=medium

  * Import 3.0.0-beta1.
  * Use HARNESS_VERBOSE again (otherwise the test suite might killed since no
    progress is visible).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 23 Jun 2021 19:32:27 +0200

openssl (3.0.0~~alpha16-1) experimental; urgency=medium

  * Import 3.0.0-alpha16.
  * Use VERBOSE_FAILURE to log only failures in the build log.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 06 May 2021 21:54:38 +0200

openssl (3.0.0~~alpha15-1) experimental; urgency=medium

  * Import 3.0.0-alpha15.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 28 Apr 2021 23:26:47 +0200

openssl (3.0.0~~alpha13-2) experimental; urgency=medium

  * Add a proposed patch from upstream to skip negativ errno number in the
    testsuite to pass the testsute on hurd.
  * Always link against libatomic.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 07 Apr 2021 21:36:02 +0200

openssl (3.0.0~~alpha13-1) experimental; urgency=medium

  * Import 3.0.0-alpha13.
  * Move configuration.h to architecture specific include folder. Patch from
    Antonio Terceiro (Closes: #985555).
  * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
  * drop `lsof', the testsuite is not using it anymore.
  * Enable ktls.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 01 Apr 2021 23:07:05 +0200

openssl (3.0.0~~alpha4-1) experimental; urgency=medium

  * Import 3.0.0-alpha4.
  * Add `lsof' which is needed by the test suite.
  * Add ossl-modules to libcrypto's udeb.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 07 Jul 2020 00:16:54 +0200

openssl (3.0.0~~alpha3-1) experimental; urgency=medium

  * Import 3.0.0-alpha3
  * Install the .so files only in the -dev package (Closes: #962548).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 17 Jun 2020 23:24:43 +0200

openssl (3.0.0~~alpha1-1) experimental; urgency=medium

  * Import 3.0.0-alpha1 (Closes: #934836).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 25 Apr 2020 23:08:44 +0200

openssl (1.1.1j-1ubuntu4) impish; urgency=medium

  * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
    error when attempting to build a source package, due to pr12272.patch
    patching files multiple times within the same patch. (LP: #1927161)
    - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
    - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
    - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
    - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
    - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch 

 -- Matthew Ruffell <matthew.ruffell@canonical.com>  Wed, 05 May 2021 11:49:27 +1200

openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
      <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
      ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
      ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449
  * SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
    - debian/patches/CVE-2021-3450-1.patch: do not override error return
      value by check_curve in crypto/x509/x509_vfy.c,
      test/verify_extra_test.c.
    - debian/patches/CVE-2021-3450-2.patch: fix return code check in
      crypto/x509/x509_vfy.c.
    - CVE-2021-3450

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Mar 2021 11:44:30 -0400

openssl (1.1.1j-1ubuntu2) hirsute; urgency=medium

  * No-change upload to pick up lto.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 23 Mar 2021 15:24:20 +0100

openssl (1.1.1j-1ubuntu1) hirsute; urgency=medium

  * Merge from Debian unstable.  Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
      and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Import https://github.com/openssl/openssl/pull/12272.patch to enable
      CET.
  * Add support for building with noudeb build profile.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 23 Feb 2021 22:01:12 +0000

openssl (1.1.1j-1) unstable; urgency=medium

  * New upstream version.
   - CVE-2021-23841 (NULL pointer deref in X509_issuer_and_serial_hash()).
   - CVE-2021-23840 (Possible overflow of the output length argument in
     EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 16 Feb 2021 20:50:01 +0100

openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium

  * No-change rebuild to drop the udeb package.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 22 Feb 2021 10:35:47 +0100

openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium

  * Merge from Debian unstable.  Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
      and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Import https://github.com/openssl/openssl/pull/12272.patch to enable
      CET.

  * Drop many patches included upstream.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 08 Feb 2021 11:08:21 +0000

openssl (1.1.1i-3) unstable; urgency=medium

  * Cherry-pick a patch from upstream to address #13931.
  * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 30 Jan 2021 14:06:46 +0100

openssl (1.1.1i-2) unstable; urgency=medium

  * Apply two patches from upstream to address x509 related regressions.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 17 Jan 2021 20:08:26 +0100

openssl (1.1.1i-1) unstable; urgency=medium

  * New upstream version.
    - CVE-2020-1971 (EDIPARTYNAME NULL pointer de-reference).
    - Restore rejection of expired trusted (root) certificate
      (Closes: #976465).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 08 Dec 2020 20:32:32 +0100

openssl (1.1.1h-1) unstable; urgency=medium

  * New upstream version
  * Disable CAPI engine, it is designed for Windows.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 11 Oct 2020 00:00:47 +0200

openssl (1.1.1g-1) unstable; urgency=medium

  * New upstream version
    - CVE-2020-1967 (Segmentation fault in SSL_check_chain).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 21 Apr 2020 21:45:21 +0200

openssl (1.1.1f-1ubuntu5) hirsute; urgency=medium

  * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
    - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
      DirectoryString in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
      in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
      types don't use implicit tagging in crypto/asn1/asn1_err.c,
      crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
      include/openssl/asn1err.h.
    - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
      to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
      crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
      include/openssl/asn1err.h.
    - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
      in test/v3nametest.c.
    - debian/patches/CVE-2020-1971-6.patch: add a test for
      encoding/decoding using an invalid ASN.1 Template in
      test/asn1_decode_test.c, test/asn1_encode_test.c.
    - CVE-2020-1971

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 08 Dec 2020 12:33:52 -0500

openssl (1.1.1f-1ubuntu4) groovy; urgency=medium

  * Cherrypick upstream fix for non-interactive detection on Linux. LP:
    #1879826
  * Cherrypick AES CTR-DRGB: performance improvement LP: #1799928
  * Skip services restart & reboot notification if needrestart is in-use
    LP: #1895708

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 15 Sep 2020 18:04:36 +0100

openssl (1.1.1f-1ubuntu3) groovy; urgency=medium

  * Import https://github.com/openssl/openssl/pull/12272.patch to enable
    CET.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 25 Jun 2020 14:18:43 +0100

openssl (1.1.1f-1ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: Segmentation fault in SSL_check_chain
    - debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in
      test/recipes/70-test_sslsigalgs.t.
    - debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in
      SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c.
    - debian/patches/CVE-2020-1967-3.patch: fix test in
      test/recipes/70-test_sslsigalgs.t.
    - debian/patches/CVE-2020-1967-4.patch: fix test in
      test/recipes/70-test_sslsigalgs.t.
    - CVE-2020-1967

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 20 Apr 2020 07:53:50 -0400

openssl (1.1.1f-1ubuntu1) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Bump version check to to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
      and ECC from master.
    - Use perl:native in the autopkgtest for installability on i386.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 03 Apr 2020 18:31:00 +0100

openssl (1.1.1f-1) unstable; urgency=medium

  * New upstream version
   - Revert the change of EOF detection to avoid regressions in applications.
     (Closes: #955442).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 31 Mar 2020 23:59:59 +0200

openssl (1.1.1e-1) unstable; urgency=medium

  * Use dh-compat level 12.
  * New upstream version
    - CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
    (Closes: #947949).
  * Update symbol list.
  * Update Standards-Version to 4.5.0. No changes required.
  * Add musl configurations (Closes: #941765).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 18 Mar 2020 20:59:39 +0100

openssl (1.1.1d-2ubuntu6) focal; urgency=medium

  * Revert version number change to 1.1.1e-dev.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 06 Mar 2020 04:08:51 +0000

openssl (1.1.1d-2ubuntu4) focal; urgency=medium

  * Apply 1_1_1-stable branch patches
  * Apply s390x ECC assembly pack improvements

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 26 Feb 2020 21:54:47 +0000

openssl (1.1.1d-2ubuntu3) focal; urgency=medium

  * Use perl:native in the autopkgtest for installability on i386.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 16 Jan 2020 14:15:26 +0000

openssl (1.1.1d-2ubuntu2) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Bump version check to to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
      from master.

  * Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
    level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
    below 1.2 and update documentation. Previous default of 1, can be set
    by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
    using ':@SECLEVEL=1' CipherString value in openssl.cfg.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 08 Jan 2020 17:17:41 +0000

openssl (1.1.1d-2) unstable; urgency=medium

  * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 12 Oct 2019 21:37:55 +0200

openssl (1.1.1d-1) unstable; urgency=medium

  * New upstream version
   - CVE-2019-1549 (Fixed a fork protection issue).
   - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP
     construction).
   - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and
     CMS_decrypt_set1_pkey).
  * Update symbol list

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 14 Sep 2019 00:38:12 +0200

openssl (1.1.1c-1ubuntu4) eoan; urgency=medium

  * Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
    from master. LP: #1736705 LP: #1736704

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 20 Aug 2019 12:46:33 +0100

openssl (1.1.1c-1ubuntu3) eoan; urgency=medium

  * Import libraries/restart-without-asking as used in postinst, to
    prevent failure to configure the package without debconf database. LP:
    #1832919

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 20 Jun 2019 17:59:55 +0100

openssl (1.1.1c-1ubuntu2) eoan; urgency=medium

  * Bump major version of OpenSSL in postinst to trigger services restart
    upon upgrade. Many services listed there must be restarted when
    upgrading 1.1.0 to 1.1.1. LP: #1832522
  * Fix path to Xorg for reboot notifications on desktop. LP: #1832421

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 13 Jun 2019 15:29:07 +0100

openssl (1.1.1c-1ubuntu1) eoan; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Drop the NEWS entry, not applicable on Ubuntu.
  * Cherrypick upstream patch to fix ca -spkac output to be text again
    LP: #1828215

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 10 Jun 2019 18:11:35 +0100

openssl (1.1.1c-1) unstable; urgency=medium

  * New upstream version
   - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
  * Update symbol list

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 30 May 2019 17:27:48 +0200

openssl (1.1.1b-2ubuntu1) devel; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Drop the NEWS entry, not applicable on Ubuntu.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 17 Apr 2019 17:26:42 +0100

openssl (1.1.1b-2) unstable; urgency=medium

  * Fix BUF_MEM regression (Closes: #923516)
  * Fix error when config can't be opened (Closes: #926315)
  * Ship an openssl.cnf in libssl1.1-udeb.dirs

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 16 Apr 2019 21:31:11 +0200

openssl (1.1.1b-1ubuntu2) disco; urgency=medium

  * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
    OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898

  * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch
    to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 03 Apr 2019 11:50:23 +0100

openssl (1.1.1b-1ubuntu1) disco; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Further decrease security level from 1 to 0, for compatibility with
      openssl 1.0.2.
    - Drop the NEWS entry, not applicable on Ubuntu.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 27 Feb 2019 18:13:17 -0500

openssl (1.1.1b-1) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add Breaks on lighttpd (Closes: #913558).

  [ Kurt Roeckx ]
  * New upstream version
  * Update symbol list

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 26 Feb 2019 19:52:12 +0100

openssl (1.1.1a-1ubuntu2) disco; urgency=medium

  * Drop the NEWS entry, not applicable on Ubuntu.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 28 Nov 2018 14:24:28 +0000

openssl (1.1.1a-1ubuntu1) disco; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Further decrease security level from 1 to 0, for compatibility with
      openssl 1.0.2.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 28 Nov 2018 14:06:04 +0000

openssl (1.1.1a-1) unstable; urgency=medium

  * Add Breaks on python-boto (See: #909545)
  * New upstream version
   - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
   - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation)
   - Update symbol file for 1.1.1a

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 22 Nov 2018 19:40:54 +0100

openssl (1.1.1-2) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add Breaks on isync (See: #906955)
  * Fix autopkgtest (Closes: #910459)

  [ Kurt Roeckx ]
  * Add Breaks on python-imaplib2 (See: #907079)
  * Add news entry regarding default TLS version and security level
    (Closes: #875423, #907631, #911389, #912067).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 28 Oct 2018 23:52:24 +0100

openssl (1.1.1-1ubuntu2) cosmic; urgency=medium

  * Fixup typpos in the autopkgtest binary name.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 25 Sep 2018 15:41:07 +0100

openssl (1.1.1-1ubuntu1) cosmic; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Further decrease security level from 1 to 0, for compatibility with
      openssl 1.0.2.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 17 Sep 2018 13:24:38 +0100

openssl (1.1.1-1) unstable; urgency=medium

  * New upstream version.
   - Update symbol file for 1.1.1
   - CVE-2018-0732 (actually since pre8).
  * Add Breaks on python-httplib2 (See: #907278)
  * Add hardening=+all.
  * Update to policy 4.2.1
    - Less verbose testsuite with terse
    - Use RRR=no

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 12 Sep 2018 20:39:24 +0200

openssl (1.1.1~~pre9-1) unstable; urgency=medium

  * New upstream version.
    - Support the final TLS 1.3 version (RFC 8446)
  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 21 Aug 2018 21:00:17 +0200

openssl (1.1.1~~pre8-1) experimental; urgency=medium

  * New upstream version.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 05 Jul 2018 00:21:00 +0200

openssl (1.1.1~~pre7-1) experimental; urgency=medium

  * Drop afalgeng on kfreebsd-* which go enabled because they inherit from
    the linux target.
  * Fix debian-rules-sets-dpkg-architecture-variable.
  * Update to policy 4.1.4
    - only Suggest: libssl-doc instead Recommends (only documentation and
      example code is shipped).
    - drop Priority: important.
    - use signing-key.asc and a https links for downloads
  * Use compat 11.
    - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
      seems to make sense.
  * Add a 25-test_verify.t for autopkgtest which runs against intalled
    openssl binary.
  * Fix CVE-2018-0737 (Closes: #895844).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 30 May 2018 19:49:26 +0200

openssl (1.1.1~~pre6-2) experimental; urgency=medium

  * Update libssl1.1.symbols

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 May 2018 16:34:27 +0200

openssl (1.1.1~~pre6-1) experimental; urgency=medium

  * New upstream version
  * Increase default security level from 1 to 2. This moves from the 80 bit
    security level to the 112 bit securit level and will require 2048 bit RSA
    and DHE keys.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 May 2018 16:00:55 +0200

openssl (1.1.1~~pre4-1) experimental; urgency=medium

  * Update to 1.1.1-pre4 (Closes: #892276, #894282).
  * Add riscv64 target (Closes: #891797).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 03 Apr 2018 21:41:55 +0200

openssl (1.1.1~~pre3-1) experimental; urgency=medium

  * Update to 1.1.1-pre3
  * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
  * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
  * Enable system default config to enforce TLS1.2 as a minimum.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 21 Mar 2018 00:01:08 +0100

openssl (1.1.1~~pre2-1) experimental; urgency=medium

  * Update to 1.1.1-pre2

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 27 Feb 2018 21:25:09 +0100

openssl (1.1.1~~pre1-1) experimental; urgency=medium

  * Abort the build if symbols are discovered which are not part of the
    symbols file.
  * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
  * Enable afalgeng on Linux targets (Closes: #888305)
  * Update 1.1.1-pre1.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 25 Feb 2018 21:03:52 +0100

openssl (1.1.0g-2) unstable; urgency=high

  * Avoid problems with aes assembler on armhf using binutils 2.29

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 04 Nov 2017 12:48:13 +0100

openssl (1.1.0g-1) unstable; urgency=medium

  [ Kurt Roeckx ]
  * New upstream version
    - Fixes CVE-2017-3735
    - Fixes CVE-2017-3736
  * Remove patches applied upstream
  * Temporary enable TLS 1.0 and 1.1 again (#875423)
  * Attempt to fix testsuite race condition
  * update no-symbolic.patch to apply

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 02 Nov 2017 15:22:48 +0100

openssl (1.1.0f-5) unstable; urgency=medium

  * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
    version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
    calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 08 Aug 2017 16:13:54 +0200

openssl (1.1.0f-4) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add support for arm64ilp32, patch by Wookey (Closes: #867240)

  [ Kurt Roeckx ]
  * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
    version. This will likely break things, but the hope is that by
    the release of Buster everything will speak at least TLS 1.2. This will be
    reconsidered before the Buster release.
  * Fix a race condition in the test suite (Closes: #869856)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 07 Aug 2017 01:08:45 +0200

openssl (1.1.0f-3) unstable; urgency=medium

  * Don't cleanup a thread-local key we didn't create it (Closes: #863707)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 05 Jun 2017 11:40:42 +0200

openssl (1.1.0f-2) unstable; urgency=medium

  * Make the udeb use a versioned depends (Closes: #864080)
  * Conflict with libssl1.0-dev (Closes: #863367)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 04 Jun 2017 12:07:38 +0200

openssl (1.1.0f-1) unstable; urgency=medium

  * New upstream version
    - Fix regression in req -x509 (Closes: #839575)
    - Properly detect features on the AMD Ryzen processor (Closes: #861145)
    - Don't mention -tls1_3 in the manpage (Closes: #859191)
  * Update libssl1.1.symbols for new symbols
  * Update man-section.patch

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 May 2017 18:29:01 +0200

openssl (1.1.0e-2) unstable; urgency=medium

  * Make openssl depend on perl-base (Closes: #860254)

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 01 May 2017 21:50:37 +0200

openssl (1.1.0e-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2017-3733
    - Remove patches that are applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 16 Feb 2017 18:57:58 +0100

openssl (1.1.0d-2) unstable; urgency=medium

  * Fix building of arch and all packages in a minimal environment
    (Closes: #852900).
  * Fix precomputing SHA1 by adding the following patches from upstream:
    - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
    - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
    - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
    (Closes: #852920).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 30 Jan 2017 23:20:07 +0100

openssl (1.1.0d-1) unstable; urgency=medium

  * New Upstream release
    - Fixes CVE-2017-3731
    - Fixes CVE-2017-3730
    - Fixes CVE-2017-3732
    - drop revert_ssl_read.patch and
      0001-Add-missing-zdelete-for-some-linux-arches.patch, applied upstream.
  * add new symbols.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 26 Jan 2017 16:38:34 +0100

openssl (1.1.0c-4) unstable; urgency=medium

  * Make build-indep build again.
  * Don't depend on perl:any in openssl as it breaks debootstrap
   ("Closes: #852017).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 20 Jan 2017 22:18:15 +0100

openssl (1.1.0c-3) unstable; urgency=medium

  * Add myself as Uploader.
  * Add support for tilegx, patch by Helmut Grohne (Closes: #848957).
  * redo the rules file to some newer debhelper:
    - everyfile should remain, nothing should get lost
    - the scripts in the doc package gained an exec bit
    - openssl gained a dep on perl (the package contains perl scripts)
    - libssl1.0.2-dbg is gone, we have dbgsym now
    - dh compat 10
    - pkg.install instead of pkg.files is used for install
  * Mark libssl-doc as MA foreign
  * Update Standards-Version from 3.9.5 to 3.9.8. No changes required.
  * Document the change for openssl's enc command between 1.1.0 and pre 1.1.0
    in the NEWS file (Closes: #843064).
  * Add an override for lintian for the non-standard private directory

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 19 Jan 2017 23:00:01 +0100

openssl (1.1.0c-2) unstable; urgency=medium

  * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
    (Closes: #844234)
  * Add missing -zdelete on x32 (Closes: #844715)
  * Add a Breaks on salt-common. Addresses #844706

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 21 Nov 2016 22:20:00 +0100

openssl (1.1.0c-1) unstable; urgency=medium

  * New upstrem release
    - Fix CVE-2016-7053
    - Fix CVE-2016-7054
    - Fix CVE-2016-7055
  * remove no-rpath.patch, applied upstream.
  * Remove old d2i test cases, use the one from the upstream tarball.
  * Update libssl1.1.symbols for new sysmbols.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 10 Nov 2016 19:05:44 +0100

openssl (1.1.0b-2) unstable; urgency=low

  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 Nov 2016 22:02:32 +0100

openssl (1.1.0b-1) experimental; urgency=medium

  * New upstream release
    - Fixes CVE-2016-6309

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 26 Sep 2016 18:21:09 +0200

openssl (1.1.0a-1) experimental; urgency=medium

  * New upstream release
    - Fix CVE-2016-6304
    - Fix CVE-2016-6305
    - Fix CVE-2016-6307
    - Fix CVE-2016-6308
  * Update c_rehash-compat.patch to apply to new version.
  * Update symbol file.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 22 Sep 2016 20:13:59 +0200

openssl (1.1.0-1) experimental; urgency=medium

  [ Kurt Roeckx ]
  * New upstream version
  * Use Package-Type instead of XC-Package-Type
  * Remove "Priority: optional" in the binary packages.
  * Add Homepage
  * Use dpkg-buildflags's LDFLAGS also for building the shared libraries.

  [ Sebastian Andrzej Siewior ]
  * drop config-hurd.patch, we don't use `config' and it works without the
    patch.
  * Drop depend on zlib1g-dev since we don't use it anymore (Closes: #767207)
  * Make the openssl package Multi-Arch: foregin (Closes: #827028)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 Aug 2016 18:52:22 +0200

openssl (1.1.0~pre6-1) experimental; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * drop engines-path.patch. Upstream uses a 1.1 suffixes now.

  [ Kurt Roeckx ]
  * New upstream version
  * Drop upstream snapshot
  * Update symbols file
  * Use some https instead of http URLs

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 04 Aug 2016 18:33:24 +0200

openssl (1.1.0~pre5-5) experimental; urgency=medium

  * Update snapshot to commit fe964f0c88f6780fd30b26e306484b981b0a8480

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 02 Jul 2016 14:54:51 +0200

openssl (1.1.0~pre5-4) experimental; urgency=medium

  * Update snapshot to commit c32bdbf171ce6650ef045ec47b5abe0de7c264db
  * Remove utils-mkdir-p-check-if-dir-exists-also-after-mkdir-f.patch, applied
    upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 26 Jun 2016 15:07:48 +0200

openssl (1.1.0~pre5-3) experimental; urgency=medium

  [ Kurt Roeckx ]
  * Don't use assembler on hppa, it's not writen for Linux.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 10 Jun 2016 22:33:06 +0200

openssl (1.1.0~pre5-2) experimental; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Run the testsuite with verbose output.
  * Use $(MAKE) so the whole make environment is passed to its child and we
    can build in parallel with -jX
  * Update snapshot to commit 5000a6d1215e ("Fix an error path leak in int
    X509_ATTRIBUTE_set1_data()")

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 10 Jun 2016 21:49:55 +0200

openssl (1.1.0~pre5-1) experimental; urgency=medium

  * New upstream version with soname change.  Upload to experimental.
    - Rename binary packages
    - Remove patches:
      - block_diginotar.patch: All cross certificates expired in 2013
      - block_digicert_malaysia.patch: intermediate certificates expired in
        2015
      - man-dir.patch: Fixed upstream
      - valgrind.patch: Upstream no longer adds the uninitialized data to the
        RNG
      - shared-lib-ext.patch: No longer needed
      - version-script.patch: Upstream does symbol versioning itself now
      - disable_freelist.patch: No longer needed
      - soname.patch: Was to change to the 1.0.2 soname that upstream never had
      - disable_sslv3_test.patch: Fixed upstream
      - libdoc-manpgs-pod-spell.patch: Fixed upstream (Closes: #813191)
    - Rewrite debian-targets.patch to work with the new configuration system.
    - Update other patches to apply
    - Update list of install docs
    - Use DESTDIR instead of INSTALL_PREFIX
    - Clean up more files
    - Remove the configure option enable-tlsext no-ssl2 since they're no
      longer supported.
  * Add upstream snapshot:
    - Add d2i-tests.tar to get new binary test files.
  * Don't build i686 optimized version anymore on i386, it's now the default.
    (Closes: #823774)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 28 May 2016 20:58:31 +0200

openssl (1.0.2h-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2016-2107
    - Fixes CVE-2016-2105
    - Fixes CVE-2016-2106
    - Fixes CVE-2016-2109
    - Fixes CVE-2016-2176

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 03 May 2016 18:31:22 +0200

openssl (1.0.2g-2) unstable; urgency=medium

  * Use assembler of arm64 (Closes: #794326)
    Patch from Riku Voipio <riku.voipio@iki.fi>
  * Add a udeb for libssl, based on similar changes done in Ubuntu
    starting in version 0.9.8o-4ubuntu1 (Closes: #802591)
    Patch from Margarita Manterola <marga@google.com>
  * Add support for nios2 (Closes: #816239)
    Based on patch from Marek Vasut <marex@denx.de>
  * Update Spanish translation from Manuel "Venturi" Porras Peralta
    <venturi@openmailbox.org> (Closes: #773601)
  * Don't build an i586 optimized version anymore, the default
    already targets that.  Patch from Sven Joachim <svenjoac@gmx.de>
    (Closes: #759811)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 21 Apr 2016 23:43:06 +0200

openssl (1.0.2g-1) unstable; urgency=high

  * New upstream version
  * Fix CVE-2016-0797
  * Fix CVE-2016-0798
  * Fix CVE-2016-0799
  * Fix CVE-2016-0702
  * Fix CVE-2016-0705
  * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)
    makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them
    too.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 Mar 2016 18:31:09 +0100

openssl (1.0.2f-2) unstable; urgency=high

  * New upstream version.
    - Fixes CVE-2016-0701
    - Not affected by CVE-2015-3197 because SSLv2 is disabled.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 28 Jan 2016 19:32:02 +0100

openssl (1.0.2e-1) unstable; urgency=high

  * New upstream release
    - Fix CVE-2015-3193
    - Fix CVE-2015-3194
    - Fix CVE-2015-3195
    - Fix CVE-2015-3196
  * Remove all symlinks during clean
  * Run make depend after configure
  * Remove openssl_button.* from the doc package

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 03 Dec 2015 19:33:05 +0100

openssl (1.0.2d-3) unstable; urgency=medium

  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 01 Nov 2015 19:14:34 +0100

openssl (1.0.2d-2) experimental; urgency=medium

  * Build with no-ssl3-method to remove all SSLv3 support.  This results in
    the functions SSLv3_method(), SSLv3_server_method() and
    SSLv3_client_method() being removed from libssl.  Change the soname as
    result of that and also changes name of the binary package.
    (Closes: #768476)
  * Enable rfc3779 and cms support (Closes: #630790)
  * Fix cross compilation for mips architectures. (Closes: #782492)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 06 Sep 2015 14:21:27 +0200

openssl (1.0.2d-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2015-1793

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 09 Jul 2015 18:22:26 +0200

openssl (1.0.2c-1) unstable; urgency=medium

  * New upstream version
    - Fixes ABI (Closes: #788511)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 12 Jun 2015 20:35:12 +0200

openssl (1.0.2b-1) unstable; urgency=high

  * New upstream version
    - Fix CVE-2015-4000
    - Fix CVE-2015-1788
    - Fix CVE-2015-1789
    - Fix CVE-2015-1790
    - Fix CVE-2015-1792
    - Fix CVE-2015-1791
  * Update c_rehash-compat.patch to make it apply to the new version.
  * Remove openssl-pod-misspell.patch applied upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 11 Jun 2015 18:20:38 +0200

openssl (1.0.2a-1) unstable; urgency=medium

  * New upstrema version
    - Fix CVE-2015-0286
    - Fix CVE-2015-0287
    - Fix CVE-2015-0289
    - Fix CVE-2015-0293 (not affected, SSLv2 disabled)
    - Fix CVE-2015-0209
    - Fix CVE-2015-0288
    - Fix CVE-2015-0291
    - Fix CVE-2015-0290
    - Fix CVE-2015-0207
    - Fix CVE-2015-0208
    - Fix CVE-2015-1787
    - Fix CVE-2015-0285
  * Temporary enable SSLv3 methods again, but they will go away.
  * Don't set TERMIO anymore, use the default TERMIOS instead.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 30 Apr 2015 23:37:27 +0200

openssl (1.0.2-1) experimental; urgency=medium

  * New upstream release
    - Fixes CVE-2014-3571
    - Fixes CVE-2015-0206
    - Fixes CVE-2014-3569
    - Fixes CVE-2014-3572
    - Fixes CVE-2015-0204
    - Fixes CVE-2015-0205
    - Fixes CVE-2014-8275
    - Fixes CVE-2014-3570
    - Drop git_snapshot.patch
  * Drop gnu_source.patch, dgst_hmac.patch, stddef.patch,
    no_ssl3_method.patch: applied upstream
  * Update patches to apply

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 23 Jan 2015 18:54:13 +0100

openssl (1.0.2~beta3-1) experimental; urgency=low

  * New usptream beta version
  * Add git snapshot
  * Merge changes between 1.0.1h-3 and 1.0.1j-1:
    - Disables SSLv3 because of CVE-2014-3566
  * Drop patch rehash-crt.patch: partially applied upstream.
    c_rehash now doesn't support files in DER format anymore.
  * Drop patch rehash_pod.patch: applied upstream
  * Update c_rehash-compat.patch to apply to new upstream version.  This
    undoes upstream's "-old" option and creates both the new and old again.
    It now also does it for CRLs.
  * Drop defaults.patch, applied upstream
  * dgst_hmac.patch updated to apply to upstream version.
  * engines-path.patch updated to apply to upstream version.
  * Update list of exported symbols
  * Update symbols files to require beta3
  * Enable unit tests
  * Add patch to add support for the no-ssl3-method option that completly
    disable SSLv3 and pass the option.  This drops the following functions
    from the library: SSLv3_method, SSLv3_server_method and
    SSLv3_client_method
  * Build using OPENSSL_NO_BUF_FREELISTS

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 07 Nov 2014 00:20:10 +0100

openssl (1.0.2~beta2-1) experimental; urgency=medium

  * New usptream beta version
    - Fix CVE-2014-0224
    - Fix CVE-2014-0221
    - Fix CVE-2014-0195
    - Fix CVE-2014-3470
    - Fix CVE-2014-0198
    - Fix CVE-2010-5298
    - Fix CVE-2014-0160
    - Fix CVE-2014-0076
  * Merge changes between 1.0.1f-1 and 1.0.1h-3:
    - postinst: Updated check for restarting services
  * libdoc-manpgs-pod-spell.patch and openssl-pod-misspell.patch
    partially applied upstream
  * Drop fix-pod-errors.patch, applied upstream.
  * Add support for ppc64le (Closes: #745657)
  * Add support for OpenRISC (Closes: #736772)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 23 Jul 2014 19:54:09 +0200

openssl (1.0.2~beta1-1) experimental; urgency=medium

  * New upstream beta version
    - Update list of symbols that should be exported and adjust the symbols
      file.  This also removes a bunch of duplicate symbols in the linker
      file.
    - Fix additional pod errors
    - Following patches have been applied upstream and are removed:
      libssl-misspell.patch, pod_req_misspell2.patch,
      pod_pksc12.misspell.patch, pod_s_server.misspell.patch,
      pod_x509setflags.misspell.patch, pod_ec.misspell.patch,
      pkcs12-doc.patch, req_bits.patch
    - Following patches have been partially applied upstream:
      libdoc-manpgs-pod-spell.patch, openssl-pod-misspell.patch
    - Remove openssl_fix_for_x32.patch, different patch applied upstream.
  * Add support for cross compiling (Closes: #465248)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 25 Feb 2014 00:36:51 +0100

openssl (1.0.1f-1) unstable; urgency=high

  * New upstream version
    - Fix for TLS record tampering bug CVE-2013-4353
    - Drop the snapshot patch
  * update watch file to check for upstream signature and add upstream pgp key.
  * Drop conflicts against openssh since we now on a released version again.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 06 Jan 2014 18:50:54 +0100

openssl (1.0.1e-6) unstable; urgency=medium

  * Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<<
    1:6.4p1-1.1).  This is to prevent people running into #732940.
    This Breaks can be removed again when we stop using a git snapshot.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 23 Dec 2013 15:19:17 +0100

openssl (1.0.1e-5) unstable; urgency=low

  * Change default digest to SHA256 instead of SHA1.  (Closes: #694738)
  * Drop support for multiple certificates in 1 file.  It never worked
    properly in the first place, and the only one shipping in
    ca-certificates has been split.
  * Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
  * Remove make-targets.patch.  It prevented the test dir from being cleaned.
  * Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
    - Fixes CVE-2013-6449 (Closes: #732754)
    - Fixes CVE-2013-6450
    - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
      dtls_version.patch get_certificate.patch, since they where all
      already commited upstream.
    - adjust fix-pod-errors.patch for the reordering of items in the
      documentation they've done trying to fix those pod errors.
    - disable rdrand engine by default (Closes: #732710)
  * disable zlib support.  Fixes CVE-2012-4929 (Closes: #728055)
  * Add arm64 support (Closes: #732348)
  * Properly use the default number of bits in req when none are given

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 22 Dec 2013 19:25:35 +0100

openssl (1.0.1e-4) unstable; urgency=low

  [ Peter Michael Green ]
  * Fix pod errors (Closes: #723954)
  * Fix clean target

  [ Kurt Roeckx ]
  * Add mipsn32 and mips64 targets.  Patch from Eleanor Chen
    <chenyueg@gmail.com>  (Closes: #720654)
  * Add support for nocheck in DEB_BUILD_OPTIONS
  * Update Norwegian translation (Closes: #653574)
  * Update description of the packages.  Patch by Justin B Rye
    (Closes: #719262)
  * change to debhelper compat level 9:
    - change dh_strip call so only the files from libssl1.0.0 get debug
      symbols.
    - change dh_makeshlibs call so the engines don't get added to the
      shlibs
  * Update Standards-Version from 3.8.0 to 3.9.5.  No changes required.

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 01 Nov 2013 17:11:53 +0100

openssl (1.0.1e-3) unstable; urgency=low

  * Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
    mark libssl-dev Multi-Arch: same.
    Patch by Colin Watson <cjwatson@ubuntu.com> (Closes: #689093)
  * Add Polish translation (Closes: #658162)
  * Add Turkish translation (Closes: #660971)
  * Enable assembler for the arm targets, and remove armeb.
    Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533)
  * Add support for x32 (Closes: #698406)
  * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 20 May 2013 16:56:06 +0200

openssl (1.0.1e-2) unstable; urgency=high

  * Bump shlibs.  It's needed for the udeb.
  * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
  * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
  * Fix problem with DTLS version check (Closes: #701826)
  * Fix segfault in SSL_get_certificate (Closes: #703031)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 18 Mar 2013 20:37:11 +0100

openssl (1.0.1e-1) unstable; urgency=high

  * New upstream version (Closes: #699889)
    - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
    - Drop renegiotate_tls.patch, applied upstream
    - Export new CRYPTO_memcmp symbol, update symbol file
  * Add ssltest_no_sslv2.patch so that "make test" works.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 11 Feb 2013 19:39:44 +0100

openssl (1.0.1c-5) unstable; urgency=low

  * Re-enable assembler versions on sparc.  They shouldn't have
    been disabled for sparc v9.  (Closes: #649841)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 09 Sep 2012 08:43:40 +0200

openssl (1.0.1c-4) unstable; urgency=low

  * Fix the configure rules for alpha (Closes: #672710)
  * Switch the postinst to sh again, there never was a reason to
    switch it to bash (Closes: #676398)
  * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
    preprocessed.  We generate the file again for pic anyway.
    (Closes: #677468)
  * Drop Breaks against openssh as it was only for upgrades
    between versions that were only in testing/unstable.
    (Closes: #668600)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 17 Jul 2012 11:49:19 +0200

openssl (1.0.1c-3) unstable; urgency=low

  * Disable padlock engine again, causes problems for hosts not supporting it.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 06 Jun 2012 18:29:37 +0200

openssl (1.0.1c-2) unstable; urgency=high

  * Fix renegiotation when using TLS > 1.0.  This breaks tor.  Patch from
    upstream.  (Closes: #675990)
  * Enable the padlock engine by default.
  * Change default bits from 1024 to 2048 (Closes: #487152)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 06 Jun 2012 00:55:42 +0200

openssl (1.0.1c-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-2333 (Closes: #672452)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 11 May 2012 18:44:51 +0200

openssl (1.0.1b-1) unstable; urgency=high

  * New upstream version
    - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
      can talk to servers supporting TLS 1.1 but not TLS 1.2
    - Drop rc4_hmac_md5.patch, applied upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 26 Apr 2012 23:34:34 +0200

openssl (1.0.1a-3) unstable; urgency=low

  * Use patch from upstream for the rc4_hmac_md5 issue.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 23:16:30 +0200

openssl (1.0.1a-2) unstable; urgency=low

  * Fix rc4_hmac_md5 on non-i386/amd64 arches.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 21:54:42 +0200

openssl (1.0.1a-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-2110
    - Fix crash in rc4_hmac_md5 (Closes: #666405)
    - Fixes some issues with talking to other servers when TLS 1.1 and 1.2 is
      supported
    - Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch,
      applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 19:54:12 +0200

openssl (1.0.1-4) unstable; urgency=low

  * Use official patch for the vpaes problem, also covering amd64.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 31 Mar 2012 20:54:13 +0200

openssl (1.0.1-3) unstable; urgency=high

  * Fix crash in vpaes (Closes: #665836)
  * use client version when deciding whether to send supported signature
    algorithms extension

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 31 Mar 2012 18:35:59 +0200

openssl (1.0.1-2) unstable; urgency=low

  * Properly quote the new cflags in Configure

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 19 Mar 2012 19:56:05 +0100

openssl (1.0.1-1) unstable; urgency=low

  * New upstream version
    - Remove kfreebsd-pipe.patch, fixed upstream
    - Update pic.patch, openssl-pod-misspell.patch and make-targets.patch
    - Add OPENSSL_1.0.1 to version-script.patch and libssl1.0.0.symbols for
      the new functions.
    - AES-NI support (Closes: #644743)
  * pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
    hidden on amd64, no need to access it PIC anymore.
  * pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
  * Enable hardening using dpkg-buildflags (Closes: #653495)
  * s_client and s_server were forcing SSLv3 only connection when SSLv2 was
    disabled instead of the SSLv2 with upgrade method.  (Closes: #664454)
  * Add Breaks on openssh < 1:5.9p1-4, it has a too strict version check.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 19 Mar 2012 18:23:32 +0100

openssl (1.0.0h-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-0884
    - Fixes CVE-2012-1165
    - Properly fix CVE-2011-4619
    - pkg-config.patch applied upstream, remove it.
  * Enable assembler for all i386 arches.  The assembler does proper
    detection of CPU support, including cpuid support.
    This should fix a problem with AES 192 and 256 with the padlock
    engine because of the difference in NO_ASM between the between
    the i686 optimized library and the engine.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 13 Mar 2012 21:08:17 +0100

openssl (1.0.0g-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-0050

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 18 Jan 2012 20:46:13 +0100

openssl (1.0.0f-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2011-4108, CVE-2011-4576, CVE-2011-4619, CVE-2012-0027,
      CVE-2011-4577

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 12 Jan 2012 19:02:43 +0100

openssl (1.0.0e-3) unstable; urgency=low

  * Don't build v8 and v9 variants of sparc anymore, they're older than
    the default.  (Closes: #649841)
  * Don't build i486 optimized version, that's the default anyway, and
    it uses assembler that doesn't always work on i486.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 28 Nov 2011 22:17:26 +0100

openssl (1.0.0e-2.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
    as revoked.

 -- Raphael Geissert <geissert@debian.org>  Sun, 06 Nov 2011 01:39:30 -0600

openssl (1.0.0e-2) unstable; urgency=low

  * Add a missing $(DEB_HOST_MULTIARCH)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Sep 2011 17:02:29 +0200

openssl (1.0.0e-1) unstable; urgency=low

  * New upstream version
    - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
    - Fix SSL memory handling for (EC)DH ciphersuites, in particular
      for multi-threaded use of ECDH. (CVE-2011-3210)
    - Add protection against ECDSA timing attacks (CVE-2011-1945)
  * Block DigiNotar certifiates.  Patch from
    Raphael Geissert <geissert@debian.org>
  * Generate hashes for all certs in a file (Closes: #628780, #594524)
    Patch from Klaus Ethgen <Klaus@Ethgen.de>
  * Add multiarch support (Closs: #638137)
    Patch from Steve Langasek / Ubuntu
  * Symbols from the gost engine were removed because it didn't have
    a linker file.  Thanks to Roman I Khimov <khimov@altell.ru>
    (Closes: #631503)
  * Add support for s390x.  Patch from Aurelien Jarno <aurel32@debian.org>
    (Closes: #641100)
  * Add build-arch and build-indep targets to the rules file.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200

openssl (1.0.0d-3) unstable; urgency=low

  * Make it build on sparc64.  Patch from Aurelien Jarno.  (Closes: #626060)
  * Apply patches from Scott Schaefer <saschaefer@neurodiverse.org> to
    fix various pod and spelling errors. (Closes: #622820, #605561)
  * Add missing symbols for the engines (Closes: #623038)
  * More spelling fixes from Scott Schaefer (Closes: #395424)
  * Patch from Scott Schaefer to better document pkcs12 password options
    (Closes: #462489)
  * Document dgst -hmac option.  Patch by Thorsten Glaser <tg@mirbsd.de>
    (Closes: #529586)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 13 Jun 2011 12:39:54 +0200

openssl (1.0.0d-2) unstable; urgency=high

  * Make c_rehash also generate the old subject hash.  Gnutls applications
    seem to require it.  (Closes: #611102)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Apr 2011 22:36:49 +0200

openssl (1.0.0d-1) unstable; urgency=low

  * New upstream version
    - Fixes CVE-2011-0014
  * Make libssl-doc Replaces/Breaks with old libssl-dev packages
    (Closes: #607609)
  * Only export the symbols we should, instead of all.
  * Add symbol file.
  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 02 Apr 2011 13:19:19 +0000

openssl (1.0.0c-2) experimental; urgency=low

  * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
  * Always define _GNU_SOURCE, not only for Linux.
  * Drop SSL2 support (Closes: #589706)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 19 Dec 2010 16:24:16 +0100

openssl (1.0.0c-1) experimental; urgency=low

  * New upstream version (Closes: #578376)
    - New soname: Rename library packages
    - Drop patch perl-path.diff, not needed anymore
    - Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
      and CVE-2010-4180.patch: applied upstream.
    - Update Configure for the new fields for the assembler options
      per arch.  alpha now makes use of assembler.
  * Move man3 manpages and demos to libssl-doc (Closes: #470594)
  * Drop .pod files from openssl package (Closes: #518167)
  * Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
  * Stop using BF_PTR2 on (kfreebd-)amd64.
  * Drop debian-arm from the list of arches.
  * Update arm arches to use BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
    BF_PTR instead of BN_LLONG DES_RISC1
  * ia64: Drop RC4_CHAR, add DES_UNROLL DES_INT
  * powerpc: Use RC4_CHAR RC4_CHUNK DES_RISC1 instead
    of DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX
  * s390: Use RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL instead of BN_LLONG

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 12 Dec 2010 15:37:21 +0100

openssl (0.9.8o-4) unstable; urgency=low

  * Fix CVE-2010-4180 (Closes: #529221)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 06 Dec 2010 20:33:21 +0100

openssl (0.9.8o-3) unstable; urgency=high

  * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
  * Re-add the engines.  They were missing since 0.9.8m-1.
    Patch by Joerg Schneider. (Closes: #603693)
  * Not all architectures were build using -g (Closes: #570702)
  * Add powerpcspe support (Closes: #579805)
  * Add armhf support (Closes: #596881)
  * Update translations:
    - Brazilian Portuguese (Closes: #592154)
    - Danish (Closes: #599459)
    - Vietnamese (Closes: #601536)
    - Arabic (Closes: #596166)
  * Generate the proper stamp file so that everything doesn't get build twice.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 16 Nov 2010 19:20:55 +0100

openssl (0.9.8o-2) unstable; urgency=high

  * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 26 Aug 2010 18:25:29 +0200

openssl (0.9.8o-1) unstable; urgency=low

  * New upstream version
    - Add SHA2 algorithms to SSL_library_init().
    - aes-x86_64.pl is now PIC, update pic.patch.
  * Add sparc64 support (Closes: #560240)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 18 Apr 2010 01:42:44 +0200

openssl (0.9.8n-1) unstable; urgency=high

  * New upstream version.
    - Fixes CVE-2010-0740.
    - Drop cfb.patch, applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 Mar 2010 20:30:52 +0100

openssl (0.9.8m-2) unstable; urgency=low

  * Revert CFB block length change preventing reading older files.
    (Closes: #571810, #571940)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 28 Feb 2010 22:08:49 +0100

openssl (0.9.8m-1) unstable; urgency=low

  * New upstream version
    - Implements RFC5746, reenables renegotiation but requires the extension.
    - Fixes CVE-2009-3245
    - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
      CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
      CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
      no_check_self_signed.patch: applied upstream
    - pk7_mime_free.patch removed, code rewritten
    - ca.diff partially applied upstream
    - engines-path.patch adjusted, upstream made some minor changes to the
      build system.
    - some flags changed values, bump shlibs.
  * Switch to 3.0 (quilt) source package.
  * Make sure the package is properly cleaned.
  * Add ${misc:Depends} to the Depends on all packages.
  * Fix spelling of extension in the changelog file.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 27 Feb 2010 12:24:03 +0000

openssl (0.9.8k-8) unstable; urgency=high

  * Clean up zlib state so that it will be reinitialized on next use and
    not cause a memory leak.  (CVE-2009-4355, CVE-2008-1678)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Jan 2010 21:26:49 +0100

openssl (0.9.8k-7) unstable; urgency=low

  * Bump the shlibs to require 0.9.8k-1.  The following symbols
    to added between g and k: AES_wrap_key, AES_unwrap_key,
    ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn,
    SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex,
    BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init,
    int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions,
    CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info,
    CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init,
    ENGINE_set_load_ssl_client_cert_function,
    ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert,
    EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags,
    EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new
    OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex,
    RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0,
    X509at_get0_data_by_OBJ, X509_get1_ocsp

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 28 Nov 2009 14:34:26 +0100

openssl (0.9.8k-6) unstable; urgency=low

  * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 12 Nov 2009 18:10:31 +0000

openssl (0.9.8k-5) unstable; urgency=low

  * Don't check self signed certificate signatures in X509_verify_cert()
    (Closes: #541735)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 11 Sep 2009 15:42:32 +0200

openssl (0.9.8k-4) unstable; urgency=low

  * Split all the patches into a separate files
  * Stop undefinging HZ, the issue on alpha should be fixed.
  * Remove MD2 from digest algorithm table.  (CVE-2009-2409) (Closes: #539899)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 11 Aug 2009 21:19:18 +0200

openssl (0.9.8k-3) unstable; urgency=low

  * Make rc4-x86_64 PIC.  Based on patch from Petr Salinger (Closes: #532336)
  * Add workaround for kfreebsd that can't see the different between
    two pipes.  Patch from Petr Salinger.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 13 Jun 2009 18:15:46 +0200

openssl (0.9.8k-2) unstable; urgency=low

  * Move libssl0.9.8-dbg to the debug section.
  * Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
  * Split the line to generate md5-x86_64.s in the Makefile.  This will
    hopefully fix the build issue on kfreebsd that now outputs the file
    to stdout instead of the file.
  * Fix denial of service via an out-of-sequence DTLS handshake message
    (CVE-2009-1387) (Closes: #532037)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 08 Jun 2009 19:05:56 +0200

openssl (0.9.8k-1) unstable; urgency=low

  * New upstream release
    - 0.9.8i fixed denial of service via a DTLS ChangeCipherSpec packet
      that occurs before ClientHello (CVE-2009-1386)
  * Make aes-x86_64.pl use PIC.
  * Fix security issues (Closes: #530400)
    - "DTLS record buffer limitation bug." (CVE-2009-1377)
    - "DTLS fragment handling" (CVE-2009-1378)
    - "DTLS use after free" (CVE-2009-1379)
  * Fixed Configure for hurd: use -mtune=i486 instead of -m486
    Patch by Marc Dequènes (Duck) <duck@hurdfr.org> (Closes: #530459)
  * Add support for avr32 (Closes: #528648)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 16 May 2009 17:33:55 +0200

openssl (0.9.8g-16) unstable; urgency=high

  * Properly validate the length of an encoded BMPString and UniversalString
    (CVE-2009-0590)  (Closes: #522002)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 01 Apr 2009 22:04:53 +0200

openssl (0.9.8g-15) unstable; urgency=low

  * Internal calls to didn't properly check for errors which
    resulted in malformed DSA and ECDSA signatures being treated as
    a good signature rather than as an error.  (CVE-2008-5077)
  * ipv6_from_asc() could write 1 byte longer than the buffer in case
    the ipv6 address didn't have "::" part.  (Closes: #506111)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 05 Jan 2009 21:14:31 +0100

openssl (0.9.8g-14) unstable; urgency=low

  * Don't give the warning about security updates when upgrading
    from etch since it doesn't have any known security problems.
  * Automaticly use engines that succesfully initialised.  Patch
    from the 0.9.8h upstream version.  (Closes: #502177)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 31 Oct 2008 22:45:14 +0100

openssl (0.9.8g-13) unstable; urgency=low

  * Fix a problem with tlsext preventing firefox 3 from connection.
    Patch from upstream CVS and part of 0.9.8h.
    (Closes: #492758)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 03 Aug 2008 19:47:10 +0200

openssl (0.9.8g-12) unstable; urgency=low

  * add the changelog of the 10.1 NMU to make bugtracking happy

 -- Christoph Martin <Christoph.Martin@Uni-Mainz.DE>  Tue, 22 Jul 2008 14:58:26 +0200

openssl (0.9.8g-11) unstable; urgency=low

  [ Christoph Martin ]
  * updated cs, gl, sv, ru, ro debconf translation (closes: #480926, #480967,
    #482465, #484324, #488595)
  * add Vcs-Svn header (closes: #481654)
  * fix debian-kfreebsd-i386 build flags (closes: #482275)
  * add stunnel4 to restart list (closes: #482111)
  * include fixes from 10.1 NMU by Security team
    - Fix double free in TLS server name extension which leads to a remote
      denial of service (CVE-2008-0891; Closes: #483379).
    - Fix denial of service if the 'Server Key exchange message'
      is omitted from a TLS handshake which could lead to a client
      crash (CVE-2008-1672; Closes: #483379).
      This only works if openssl is compiled with enable-tlsext which is
      done in Debian.
  * fix some lintian warnings
  * update to newest standards version

 -- Christoph Martin <Christoph.Martin@Uni-Mainz.DE>  Thu, 17 Jul 2008 09:53:01 +0200

openssl (0.9.8g-10.1) unstable; urgency=high

  * Non-maintainer upload by the Security team.
  * Fix denial of service if the 'Server Key exchange message'
    is omitted from a TLS handshake which could lead to a client
    crash (CVE-2008-1672; Closes: #483379).
    This only works if openssl is compiled with enable-tlsext which is
    done in Debian.
  * Fix double free in TLS server name extension which leads to a remote
    denial of service (CVE-2008-0891; Closes: #483379).

 -- Nico Golde <nion@debian.org>  Tue, 27 May 2008 11:13:44 +0200

openssl (0.9.8g-10) unstable; urgency=low

  * undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK)
    to fix a build failure on alpha.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 08 May 2008 17:56:13 +0000

openssl (0.9.8g-9) unstable; urgency=high

  [ Christoph Martin ]
  * Include updated debconf translations (closes: #473477, #461597,
    #461880, #462011, #465517, #475439)

  [ Kurt Roeckx ]
  * ssleay_rand_add() really needs to call MD_Update() for buf.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 07 May 2008 20:32:12 +0200

openssl (0.9.8g-8) unstable; urgency=high

  * Don't add extensions to ssl v3 connections.  It breaks with some
    other software.  (Closes: #471681)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 23 Mar 2008 17:50:04 +0000

openssl (0.9.8g-7) unstable; urgency=low

  * Upload to unstable.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Feb 2008 22:22:29 +0000

openssl (0.9.8g-6) experimental; urgency=low

  * Bump shlibs.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 09 Feb 2008 15:42:22 +0100

openssl (0.9.8g-5) experimental; urgency=low

  * Enable tlsext.  This changes the ABI, but should hopefully
    not cause any problems. (Closes: #462596)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 09 Feb 2008 13:32:49 +0100

openssl (0.9.8g-4) unstable; urgency=low

  * Fix aes ige test speed not to overwrite it's buffer and
    cause segfauls.  Thanks to Tim Hudson (Closes: #459619)
  * Mark some strings in the templates as non translatable.
    Patch from Christian Perrier <bubulle@debian.org> (Closes: #450418)
  * Update Dutch debconf translation (Closes: #451290)
  * Update French debconf translation (Closes: #451375)
  * Update Catalan debconf translation (Closes: #452694)
  * Update Basque debconf translation (Closes: #457285)
  * Update Finnish debconf translation (Closes: #458261)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 16 Jan 2008 21:49:43 +0100

openssl (0.9.8g-3) unstable; urgency=low

  * aes-586.pl: push %ebx on the stack before we put some things on the
    stack and call a function, giving AES_decrypt() wrong values to work
    with.  (Closes: #449200)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 04 Nov 2007 21:49:00 +0100

openssl (0.9.8g-2) unstable; urgency=low

  * Avoid text relocations on i386 caused by the assembler versions:
    - x86unix.pl: Create a function_begin_B_static to create a
      static/local assembler function.
    - aes-586.pl: Use the function_begin_B_static for _x86_AES_decrypt
      so that it doesn't get exported and doesn't have any (text) relocations.
    - aes-586.pl: Set up ebx to point to the GOT and call AES_set_encrypt_key
      via the PLT to avoid a relocation.
    - x86unix.pl: Call the init function via the PLT, avoiding a relocation
      in case of a PIC object.
    - cbc.pl: Call functions via the PLT.
    - desboth.pl: Call DES_encrypt2 via the PLT.
  * CA.sh should use the v3_ca extension when called with -newca
    (Closes: #428051)
  * Use -Wa,--noexecstack for all arches in Debian.  (Closes: #430583)
  * Convert the failure message when services fail restart to a debconf
    message.
  * To restart a service, just restart, instead of stop and start.
    Hopefully fixes #444946
  * Also remove igetest from the test dir in the clean target.
    (Closes: #424362)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 03 Nov 2007 13:25:45 +0100

openssl (0.9.8g-1) unstable; urgency=low

  * New upstream release
    - Fixes version number not to say it's a development version.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 20 Oct 2007 12:47:10 +0200

openssl (0.9.8f-1) unstable; urgency=low

  * New upstream release
    - Fixes DTLS issues, also fixes CVE-2007-4995 (Closes: #335703, #439737)
    - Proper inclusion of opensslconf.h in pq_compat.h (Closes: #408686)
    - New function SSL_set_SSL_CTX: bump shlibs.
  * Remove build dependency on gcc > 4.2
  * Remove the openssl preinst, it looks like a workaround
    for a change in 0.9.2b where config files got moved.  (Closes: #445095)
  * Update debconf translations:
    - Vietnamese (Closes: #426988)
    - Danish (Closes: #426774)
    - Slovak (Closes: #440723)
    - Finnish (Closes: #444258)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 13 Oct 2007 00:47:22 +0200

openssl (0.9.8e-9) unstable; urgency=high

  * CVE-2007-5135: Fix off by one error in SSL_get_shared_ciphers().
    (Closes: #444435)
  * Add postgresql-8.2 to the list of services to check.

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 28 Sep 2007 19:47:33 +0200

openssl (0.9.8e-8) unstable; urgency=low

  * Fix another case of the "if this code is reached, the program will abort"
    (Closes: #429740)
  * Temporary force to build with gcc >= 4.2

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 02 Sep 2007 18:12:11 +0200

openssl (0.9.8e-7) unstable; urgency=low

  * Fix problems with gcc-4.2 (Closes: #429740)
  * Stop using -Bsymbolic to create the shared library.
  * Make x86_64cpuid.pl use PIC.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 02 Sep 2007 16:15:18 +0200

openssl (0.9.8e-6) unstable; urgency=high

  * Add fix for CVE-2007-3108 (Closes: #438142)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Aug 2007 19:49:54 +0200

openssl (0.9.8e-5) unstable; urgency=low

  [ Christian Perrier ]
  * Debconf templates proofread and slightly rewritten by
    the debian-l10n-english team as part of the Smith Review Project.
    Closes: #418584
  * Debconf templates translations:
    - Arabic. Closes: #418669
    - Russian. Closes: #418670
    - Galician. Closes: #418671
    - Swedish. Closes: #418679
    - Korean. Closes: #418755
    - Czech. Closes: #418768
    - Basque. Closes: #418784
    - German. Closes: #418785
    - Traditional Chinese. Closes: #419915
    - Brazilian Portuguese. Closes: #419959
    - French. Closes: #420429
    - Italian. Closes: #420461
    - Japanese. Closes: #420482
    - Catalan. Closes: #420833
    - Dutch. Closes: #420925
    - Malayalam. Closes: #420986
    - Portuguese. Closes: #421032
    - Romanian. Closes: #421708

  [ Kurt Roeckx ]
  * Remove the Provides for the udeb. Patch from Frans Pop. (Closes: #419608)
  * Updated Spanish debconf template.  (Closes: #421336)
  * Do the header changes, changing those defines into real functions,
    and bump the shlibs to match.
  * Update Japanese debconf translation.  (Closes: #422270)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 15 May 2007 17:21:08 +0000

openssl (0.9.8e-4) unstable; urgency=low

  * openssl should depend on libssl0.9.8 0.9.8e-1 since it
    uses some of the defines that changed to functions.
    Other things build against libssl or libcrypto shouldn't
    have this problem since they use the old headers.
    (Closes: #414283)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Mar 2007 17:11:46 +0000

openssl (0.9.8e-3) unstable; urgency=low

  * Add nagios-nrpe-server to the list of services to be checked
    (Closes: #391188)
  * EVP_CIPHER_CTX_key_length() should return the set key length in the
    EVP_CIPHER_CTX structure which may not be the same as the underlying
    cipher key length for variable length ciphers.
    From upstream CVS.  (Closes: #412979)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun,  4 Mar 2007 23:22:51 +0000

openssl (0.9.8e-2) unstable; urgency=low

  * Undo include changes that change defines into real functions,
    but keep the new functions in the library.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 25 Feb 2007 19:19:19 +0000

openssl (0.9.8e-1) unstable; urgency=low

  * New upstream release
    - Inludes security fixes for CVE-2006-2937, CVE-2006-2940,
      CVE-2006-3738, CVE-2006-4343 (Closes: #408902)
    - s_client now properly works with SMTP.  Also added support
      for IMAP.  (closes: #221689)
    - Load padlock modules (Closes: #345656, #368476)
  * Add clamav-freshclam and clamav-daemon to the list of service that
    need to be restarted.  (Closes: #391191)
  * Add armel support.  Thanks to Guillem Jover <guillem.jover@nokia.com>
    for the patch.  (Closes: #407196)
  * Add Portuguese translations.  Thanks to Carlos Lisboa.  (Closes: 408157)
  * Add Norwegian translations.  Thanks to Bjørn Steensrud
    <bjornst@powertech.no> (Closes: #412326)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 25 Feb 2007 18:06:28 +0000

openssl (0.9.8c-4) unstable; urgency=low

  * Add German debconf translation.  Thanks to
    Johannes Starosta <feedback-an-johannes@arcor.de> (Closes: #388108)
  * Make c_rehash look for both .pem and .crt files.  Also make it support
    files in DER format.  Patch by "Yauheni Kaliuta" <y.kaliuta@gmail.com>
    (Closes: #387089)
  * Use & instead of && to check a flag in the X509 policy checking.
    Patch from upstream cvs.  (Closes: #397151)
  * Also restart slapd for security updates (Closes: #400221)
  * Add Romanian debconf translation.  Thanks to
    stan ioan-eugen <stan.ieugen@gmail.com> (Closes: #393507)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 30 Nov 2006 20:57:46 +0000

openssl (0.9.8c-3) unstable; urgency=low

  * Fix patch for CVE-2006-2940, it left ctx unintiliased.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon,  2 Oct 2006 18:05:00 +0200

openssl (0.9.8c-2) unstable; urgency=high

  * Fix security vulnerabilities (CVE-2006-2937, CVE-2006-2940,
    CVE-2006-3738, CVE-2006-4343).  Urgency set to high.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 27 Sep 2006 21:24:55 +0000

openssl (0.9.8c-1) unstable; urgency=low

  * New upstream release
    - block padding bug with compression now fixed upstream, using
      their patch.
    - Includes the RSA Signature Forgery (CVE-2006-4339) patch.
    - New functions AES_bi_ige_encrypt and AES_ige_encrypt:
      bumping shlibs to require 0.9.8c-1.
  * Change the postinst script to check that ntp is installed instead
    of ntp-refclock and ntp-simple.  The binary is now in the ntp
    package.
  * Move the modified rand/md_rand.c file to the right place,
    really fixing #363516.
  * Add partimage-server conserver-server and tor to the list of service
    to check for restart.  Add workaround for openssh-server so it finds
    the init script.  (Closes: #386365, #386400, #386513)
  * Add manpage for c_rehash.
    Thanks to James Westby <jw+debian@jameswestby.net> (Closes: #215618)
  * Add Lithuanian debconf translation.
    Thanks to Gintautas Miliauskas <gintas@akl.lt>  (Closes: #374364)
  * Add m32r support.
    Thanks to Kazuhiro Inaoka <inaoka.kazuhiro@renesas.com>
    (Closes: #378689)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 17 Sep 2006 14:47:59 +0000

openssl (0.9.8b-3) unstable; urgency=high

  * Fix RSA Signature Forgery (CVE-2006-4339) using patch provided
    by upstream.
  * Restart services using a smaller version that 0.9.8b-3, so
    they get the fixed version.
  * Change the postinst to check for postfix instead of postfix-tls.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue,  5 Sep 2006 18:26:10 +0000

openssl (0.9.8b-2) unstable; urgency=low

  * Don't call gcc with -mcpu on i386, we already use -march, so no need for
    -mtune either.
  * Always make all directories when building something:
    - The engines directory didn't get build for the static directory, so
      where missing in libcrypo.a
    - The apps directory didn't always get build, so we didn't have an openssl
      and a small part of the regression tests failed.
  * Make the package fail to build if the regression tests fail.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 15 May 2006 16:00:58 +0000

openssl (0.9.8b-1) unstable; urgency=low

  * New upstream release
    - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
    - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
      instead of FALSE.
    - CA.pl/CA.sh creates crlnumber now.  (Closes: #347612)
  * Run debconf-updatepo, which really already was in the 0.9.8a-8 version
    as it was uploaded.
  * Add Galician debconf translation.  Patch from
    Jacobo Tarrio <jtarrio@trasno.net>  (Closes: #361266)
  * libssl0.9.8.postinst makes uses of bashisms (local variables)
    so use #!/bin/bash
  * libssl0.9.8.postinst: Call set -e after sourcing the debconf
    script.
  * libssl0.9.8.postinst: Change list of service that may need
    to be restarted:
    - Replace ssh by openssh-server
    - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
    - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
      fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
  * libssl0.9.8.postinst: The check to see if something was installed
    wasn't working.
  * libssl0.9.8.postinst: Add workaround to find the name of the init
    script for proftpd and dovecot.
  * libssl0.9.8.postinst: Use invoke-rc.d when it's available.
  * Change Standards-Version to 3.7.0:
    - Make use of invoke-rc.d
  * Add comment to README.Debian that rc5, mdc2 and idea have been
    disabled (since 0.9.6b-3)  (Closes: #362754)
  * Don't add uninitialised data to the random number generator.  This stop
    valgrind from giving error messages in unrelated code.
    (Closes: #363516)
  * Put the FAQ in the openssl docs.
  * Add russian debconf translations from Yuriy Talakan <yt@amur.elektra.ru>
    (Closes #367216)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu,  4 May 2006 20:40:03 +0200

openssl (0.9.8a-8) unstable; urgency=low

  * Call pod2man with the proper section.  Section changed
    from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL.  The name of the files
    already had the ssl in, the section didn't.  The references
    to other manpage is still wrong.
  * Don't install the LICENSE file, it's already in the copyright file.
  * Don't set an rpath on openssl to point to /usr/lib.
  * Add support for kfreebsd-amd64. (Closes: #355277)
  * Add udeb to the shlibs.  Patch from Frans Pop <aragorn@tiscali.nl>
    (Closes: #356908)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 11 Feb 2006 14:14:37 +0100

openssl (0.9.8a-7) unstable; urgency=high

  * Add italian debconf templates.  Thanks to Luca Monducci.
    (Closes: #350249)
  * Change the debconf question to use version 0.9.8-3
    instead of 0.9.8-1, since that's the last version
    with a security fix.
  * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
    (Closes: #352047).  RC bug affecting testing, so urgency high.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 09 Feb 2006 19:07:56 +0100

openssl (0.9.8a-6) unstable; urgency=low

  * Remove empty postinst/preinst/prerm scripts.  There is no need
    to have empty ones, debhelper will add them when needed.
  * Remove the static pic libraries.  Nobody should be linking
    it's shared libraries static to libssl or libcrypto.
    This was added for opensc who now links to it shared.
  * Do not assume that in case the sequence number is 0 and the
    packet has an odd number of bytes that the other side has
    the block padding bug, but try to check that it actually
    has the bug.  The wrong detection of this bug resulted
    in an "decryption failed or bad record mac" error in case
    both sides were using zlib compression.  (Closes: #338006)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 21 Jan 2006 16:25:41 +0100

openssl (0.9.8a-5) unstable; urgency=low

  * Stop ssh from crashing randomly on sparc (Closes: #335912)
    Patch from upstream cvs.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 13 Dec 2005 21:37:42 +0100

openssl (0.9.8a-4) unstable; urgency=low

  * Call dh_makeshlibs with the proper version instead of putting
    it in shlibs.local, which doesn't seem to do anything.  0.9.8a-1
    added symbol versioning, so it should have bumped the shlibs.
    (Closes: #338284)
  * The openssl package had a duplicate dependency on libssl0.9.8,
    only require the version as required by the shlibs.
  * Make libssl-dev depend on zlib1g-dev, since it's now required for
    static linking. (Closes: #338313)
  * Generate .pc files that make use of Libs.private, so things only
    link to the libraries they should when linking shared.
  * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
  * Make powerpc and ppc64 use the assembler version for bn.  ppc64
    had the location in the string wrong, powerpc had it missing.
  * Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
    ripemd.h and sha.h.  (Closes: #333101)
  * Run make test for each of the versions we build, make it
    not fail the build process if an error is found.
  * Add build dependency on bc for the regression tests.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 13 Nov 2005 16:01:05 +0100

openssl (0.9.8a-3) unstable; urgency=high

  * Link to libz instead of dynamicly loading it.  It gets loaded
    at the moment the library is initialised, so there is no point
    in not linking to it.  It's now failing in some cases since
    it's not opened by it's soname, but by the symlink to it.
    This should hopefully solve most of the bugs people have reported
    since the move to libssl0.9.8.
    (Closes: #334180, #336140, #335271)
  * Urgency set to high because it fixes a grave bug affecting testing.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue,  1 Nov 2005 14:56:40 +0100

openssl (0.9.8a-2) unstable; urgency=low

  * Add Build-Dependency on m4, since sparc needs it to generate
    it's assembler files.  (Closes: #334542)
  * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
    and causes a segfault.  (Closes: #334501, #334502)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 18 Oct 2005 19:05:53 +0200

openssl (0.9.8a-1) unstable; urgency=low

  Christoph Martin:
  * fix asm entries for some architectures, fixing #332758 properly.
  * add noexecstack option to i386 subarch
  * include symbol versioning in Configure (closes: #330867)
  * include debian-armeb arch (closes: #333579)
  * include new upstream patches; includes some minor fixes
  * fix dh_shlibdeps line, removing the redundant dependency on
    libssl0.9.8 (closes: #332755)
  * add swedish debconf template (closes: #330554)

  Kurt Roeckx:
  * Also add noexecstack option for amd64, since it now has an
    executable stack with the assembler fixes for amd64.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 17 Oct 2005 17:01:06 +0200

openssl (0.9.8-3) unstable; urgency=low

  * Apply security fix for CAN-2005-2969. (Closes: #333500)
  * Change priority of -dbg package to extra.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 12 Oct 2005 22:38:58 +0200

openssl (0.9.8-2) unstable; urgency=low

  * Don't use arch specific assembler.  Should fix build failure on
    ia64, sparc and amd64. (Closes: #332758)
  * Add myself to the uploaders.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 10 Oct 2005 19:22:36 +0200

openssl (0.9.8-1) unstable; urgency=low

  * New upstream release (closes: #311826)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 29 Sep 2005 14:20:04 +0200

openssl (0.9.7g-3) unstable; urgency=low

  * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
    (closes: #327692)
  * include -dbg version. That implies compiling with -g and without
    -fomit-frame-pointer (closes: #293823, #153811)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 23 Sep 2005 13:51:57 +0200

openssl (0.9.7g-2) unstable; urgency=low

  * really include nl translation
  * remove special ia64 code from rc4 code to make the abi compatible to
    older 0.9.7 versions (closes: #310489, #309274)
  * fix compile flag for debian-ppc64 (closes: #318750)
  * small fix in libssl0.9.7.postinst (closes: #239956)
  * fix pk7_mime.c to prevent garbled messages because of to early memory
    free (closes: #310184)
  * include vietnamese debconf translation (closes: #316689)
  * make optimized i386 libraries have non executable stack (closes:
    #321721)
  * remove leftover files from ssleay
  * move from dh_installmanpages to dh_installman
  * change Maintainer to pkg-openssl-devel@lists.alioth.debian.org

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  7 Sep 2005 15:32:54 +0200

openssl (0.9.7g-1) unstable; urgency=low

  * New upstream release
    * Added support for proxy certificates according to RFC 3820.
      Because they may be a security thread to unaware applications,
      they must be explicitely allowed in run-time.  See
      docs/HOWTO/proxy_certificates.txt for further information.
    * Prompt for pass phrases when appropriate for PKCS12 input format.
    * Back-port of selected performance improvements from development
      branch, as well as improved support for PowerPC platforms.
    * Add lots of checks for memory allocation failure, error codes to indicate
      failure and freeing up memory if a failure occurs.
    * Perform some character comparisons of different types in X509_NAME_cmp:
      this is needed for some certificates that reencode DNs into UTF8Strings
      (in violation of RFC3280) and can't or wont issue name rollover
      certificates.
  * corrected watchfile
  * added upstream source url (closes: #292904)
  * fix typo in CA.pl.1 (closes: #290271)
  * change debian-powerpc64 to debian-ppc64 and adapt the configure
    options to be the same like upstream (closes: #289841)
  * include -signcert option in CA.pl usage
  * compile with zlib-dynamic to use system zlib (closes: #289872)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  9 May 2005 23:32:03 +0200

openssl (0.9.7e-3) unstable; urgency=high

  * really fix der_chop. The fix from -1 was not really included (closes:
    #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Dec 2004 18:41:29 +0100

openssl (0.9.7e-2) unstable; urgency=high

  * fix perl path in der_chop and c_rehash (closes: #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 14 Nov 2004 20:16:21 +0100

openssl (0.9.7e-1) unstable; urgency=high

  * SECURITY UPDATE: fix insecure temporary file handling
  * apps/der_chop:
    - replaced $$-style creation of temporary files with
      File::Temp::tempfile()
    - removed unused temporary file name in do_certificate()
  * References:
    CAN-2004-0975 (closes: #278260)
  * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
  * New upstream release with security fixes
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.
    - Various fixes to s3_pkt.c so alerts are sent properly.
    - Reduce the chances of duplicate issuer name and serial numbers (in
      violation of RFC3280) using the OpenSSL certificate creation
      utilities.
  * depends openssl on perl-base instead of perl (closes: #280225)
  * support powerpc64 in Configure (closes: #275224)
  * include cs translation (closes: #273517)
  * include nl translation (closes: #272479)
  * Fix default dir of c_rehash (closes: #253126)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 12 Nov 2004 14:11:15 +0100

openssl (0.9.7d-5) unstable; urgency=low

  * Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
    #241386)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 26 Jul 2004 17:22:42 +0200

openssl (0.9.7d-4) unstable; urgency=low

  * add Catalan translation (closes: #248749)
  * add Spanish translation (closes: #254561)
  * include NMU fixes: see below
  * decrease optimisation level for debian-arm to work around gcc bug
    (closes: #253848) (thanks to Steve Langasek and Thom May)
  * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
  * Add watchfile

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 14 Jul 2004 14:31:02 +0200

openssl (0.9.7d-3) unstable; urgency=low

  * rename -pic.a libraries to _pic.a (closes: #250016)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 24 May 2004 17:02:29 +0200

openssl (0.9.7d-2) unstable; urgency=low

  * include PIC libs (libcrypto-pic.a and libssl-pic.a) to libssl-dev
    (closes: #246928, #243999)
  * add racoon to restart list (closes: #242652)
  * add Brazilian, Japanese and Danish translations (closes: #242087,
    #241830, #241705)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 11 May 2004 10:13:49 +0200

openssl (0.9.7d-1) unstable; urgency=high

  * new upstream
  * fixes security holes (http://www.openssl.org/news/secadv_20040317.txt)
    (closes: #238661)
  * includes support for debian-amd64 (closes: #235551, #232310)
  * fix typo in pem.pod (closes: #219873)
  * fix typo in libssl0.9.7.templates (closes: #224690)
  * openssl suggests ca-certificates (closes: #217180)
  * change debconf template to gettext format (closes: #219013)
  * include french debconf template (closes: #219014)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 18 Mar 2004 16:18:43 +0100

openssl (0.9.7c-5) unstable; urgency=low

  * include openssl.pc into libssl-dev (closes: #212545)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Oct 2003 16:31:32 +0200

openssl (0.9.7c-4) unstable; urgency=low

  * change question to restart services to debconf (closes: #214840)
  * stop using dh_undocumented (closes: #214831)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 10 Oct 2003 15:40:48 +0200

openssl (0.9.7c-3) unstable; urgency=low

  * fix POSIX conformance for head in libssl0.9.7.postinst (closes:
    #214700)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  8 Oct 2003 14:02:38 +0200

openssl (0.9.7c-2) unstable; urgency=low

  * add filerc macro to libssl0.9.7.postinst (closes: #213906)
  * restart spamassassins spamd on upgrade (closes: #214106)
  * restart more services on upgrade
  * fix EVP_BytesToKey manpage (closes: #213715)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  7 Oct 2003 15:01:32 +0200

openssl (0.9.7c-1) unstable; urgency=high

  * upstream security fix (closes: #213451)
   - Fix various bugs revealed by running the NISCC test suite:
     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).
     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.
   - In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
  * more minor upstream bugfixes
  * fix formatting in c_issuer (closes: #190026)
  * fix Debian-FreeBSD support (closes: #200381)
  * restart some services in postinst to make them use the new libraries
  * remove duplicated openssl.1, crypto.3 and ssl.3 (closes: #198594)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  1 Oct 2003 08:54:27 +0200

openssl (0.9.7b-2) unstable; urgency=high

  * fix permission of /etc/ssl/private to 700 again
  * change section of libssl-dev to libdevel

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 23 Apr 2003 11:13:24 +0200

openssl (0.9.7b-1) unstable; urgency=high

  * upstream security fix
   - Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c). (CAN-2003-0131)
    (closes: #189087)
   - Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases. (CAN-2003-0147)
   - Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).  Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
    for more details see the CHANGES file

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 16 Apr 2003 10:32:57 +0200

openssl (0.9.7a-1) unstable; urgency=high

  * upstream Security fix
    - In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
      between bad padding and a MAC verification error. (CAN-2003-0078)
    for more details see the CHANGES file

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 21 Feb 2003 22:39:40 +0100

openssl (0.9.7-4) unstable; urgency=low

  * use DH_COMPAT=3 to build
  * move i686 to i686/cmov to fix problems on Via C3. For that to work we
    have to depend on the newest libc6 on i386 (closes: #177891)
  * fix bug in ui_util.c (closes: #177615)
  * fix typo in md5.h (closes: #178112)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 24 Jan 2003 10:22:56 +0100

openssl (0.9.7-3) unstable; urgency=low

  * enable build of ultrasparc code on non ultrasparc machines (closes:
    #177024)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 17 Jan 2003 08:22:13 +0100

openssl (0.9.7-2) unstable; urgency=low

  * include changes between 0.9.6g-9 and -10
    * fix problem in build-process on i386 with libc6 version number

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 13 Jan 2003 14:26:56 +0100

openssl (0.9.7-1) unstable; urgency=low

  * new upstream
    * includes engine support
    * a lot of bugfixes and enhancements, see the CHANGES file
    * include AES encryption
    * makes preview of certificate configurable (closes: #176059)
    * fix x509 manpage (closes: #168070)
    * fix declaration of ERR_load_PEM_string in pem.h (closes: #141360)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 11 Jan 2003 09:12:16 +0100

openssl (0.9.6g-10) unstable; urgency=low

  * fix problem in build-process on i386 with libc6 version number
    (closes: #167096)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  4 Nov 2002 12:27:21 +0100

openssl (0.9.6g-9) unstable; urgency=low

  * fix typo in i386 libc6 depend (sigh) (closes: #163848)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  8 Oct 2002 23:29:20 +0200

openssl (0.9.6g-8) unstable; urgency=low

  * fix libc6 depends. Only needed for i386 (closes: #163701)
  * remove SHLIB section for bsds from Configure (closes: #163585)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  8 Oct 2002 10:57:35 +0200

openssl (0.9.6g-7) unstable; urgency=low

  * enable i686 optimisation and depend on fixed glibc (closes: #163500)
  * remove transition package ssleay
  * include optimisation vor sparcv8 (closes: #139996)
  * improve optimisation vor sparcv9

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun,  6 Oct 2002 14:07:12 +0200

openssl (0.9.6g-6) unstable; urgency=low

  * temporarily disable i686 optimisation (See bug in glibc #161788)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 21 Sep 2002 18:56:49 +0200

openssl (0.9.6g-5) unstable; urgency=low

  * i486 can use i586 assembler
  * include set -xe in the for loops in the rules files to make it abort
    on error (closes: #161768)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 21 Sep 2002 16:23:11 +0200

openssl (0.9.6g-4) unstable; urgency=low

  * fix optimization for alpha and sparc
  * add optimization for i486

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 20 Sep 2002 22:36:19 +0200

openssl (0.9.6g-3) unstable; urgency=low

  * add optimized libraries for i586, i686, ev4, ev5 and v9 (closes: #139783)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 19 Sep 2002 18:33:04 +0200

openssl (0.9.6g-2) unstable; urgency=low

  * fix manpage names (closes: #156717, #156718, #156719, #156721)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 15 Aug 2002 11:26:37 +0200

openssl (0.9.6g-1) unstable; urgency=low

  * new upstream version
  * Use proper error handling instead of 'assertions' in buffer
    overflow checks added in 0.9.6e.  This prevents DoS (the
    assertions could call abort()). (closes: #155985, #156495)
  * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
    and get fix the header length calculation.
  * include support for new sh* architectures (closes: #155117)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 14 Aug 2002 13:59:22 +0200

openssl (0.9.6e-1) unstable; urgency=high

  * fixes remote exploits (see DSA-136-1)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 30 Jul 2002 18:32:28 +0200

openssl (0.9.6d-1) unstable; urgency=low

  * new upstream (minor) version
  * includes Configure lines for debian-*bsd-* (closes: #130413)
  * fix wrong prototype for BN_pseudo_rand_range in BN_rand(3ssl) (closes:
    #144586)
  * fix typos in package description (closes: #141469)
  * fix typo in SSL_CTX_set_cert_store manpage (closes: #135297)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  3 Jun 2002 19:42:10 +0200

openssl (0.9.6c-2) unstable; urgency=low

  * moved from non-US to main

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 19 Mar 2002 14:48:39 +0100

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes
  * remove directory /usr/include/openssl from openssl package (closes:
    bug #121226)
  * remove selfdepends from libssl0.9.6
  * link openssl binary shared again

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100

openssl (0.9.6b-4) unstable; urgency=low

  * build with -D_REENTRANT for threads support on all architectures
    (closes: #112329, #119239)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 24 Nov 2001 12:17:51 +0100

openssl (0.9.6b-3) unstable; urgency=low

  * disable idea, mdc2 and rc5 because they are not free (closes: #65368)
  * ready to be moved from nonus to main

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 21 Nov 2001 17:51:41 +0100

openssl (0.9.6b-2) unstable; urgency=high

  * fix definition of crypt in des.h (closes: #107533)
  * fix descriptions (closes: #109503)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 17 Sep 2001 15:38:27 +0200

openssl (0.9.6b-1) unstable; urgency=medium

  * new upstream fixes some security issues (closes: #105835, #100146)
  * added support for s390 (closes: #105681)
  * added support for sh (closes: #100003)
  * change priority of libssl096 to standard as ssh depends on it (closes:
    #105440)
  * don't optimize for i486 to support i386. (closes: #104127, #82194)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 20 Jul 2001 15:52:42 +0200

openssl (0.9.6a-3) unstable; urgency=medium

  * add perl-base to builddeps
  * include static libraries in libssl-dev (closes: #93688)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 14 May 2001 20:16:06 +0200

openssl (0.9.6a-2) unstable; urgency=medium

  * change Architecture of ssleay from any to all (closes: #92913)
  * depend libssl-dev on the exact same version of libssl0.9.6 (closes:
    #88939)
  * remove lib{crypto,ssl}.a from openssl (closes: #93666)
  * rebuild with newer gcc to fix atexit problem (closes: #94036)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  2 May 2001 12:28:39 +0200

openssl (0.9.6a-1) unstable; urgency=medium

  * new upstream, fixes some security bugs (closes: #90584)
  * fix typo in s_server manpage (closes: #89756)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 10 Apr 2001 12:13:11 +0200

openssl (0.9.6-2) unstable; urgency=low

  * policy: reorganisation of package names: libssl096 -> libssl0.9.6,
    libssl096-dev -> libssl-dev (closes: #83426)
  * libssl0.9.6 drops replaces libssl09 (Closes: #83425)
  * install upstream CHANGES files (Closes: #83430)
  * added support for hppa and ia64 (Closes: #88790)
  * move man3 manpages to libssl-dev (Closes: #87546)
  * fix formating problem in rand_add(1) (Closes: #87547)
  * remove manpage duplicates (Closes: #87545, #74986)
  * make package descriptions clearer (Closes: #83518, #83444)
  * increase default emailAddress_max from 40 to 60 (Closes: #67238)
  * removed RSAREF warning (Closes: #84122)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu,  8 Mar 2001 14:24:00 +0100

openssl (0.9.6-1) unstable; urgency=low

  * New upstream version (Thanks to Enrique Zanardi <ezanard@debian.org>)
    (closes: #72388)
  * Add support for debian-hurd (closes: #76032)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 13 Nov 2000 22:30:46 +0100

openssl (0.9.5a-5) unstable; urgency=low

  * move manpages in standard directories with section ssl (closes:
    #72152, #69809)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu,  5 Oct 2000 19:56:20 +0200

openssl (0.9.5a-4) unstable; urgency=low

  * include edg_rand_bytes patch from and for apache-ssl

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 23 Sep 2000 16:48:06 +0200

openssl (0.9.5a-3) unstable; urgency=low

  * fix call to dh_makeshlibs to create correct shlibs file and make
    dependend programs link correctly (closes: Bug#61658)
  * include a note in README.debian concerning the location of the
    subcommand manpages (closes: Bug#69809)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 16 Sep 2000 19:10:50 +0200

openssl (0.9.5a-2) unstable; urgency=low

  * try to fix the sharedlib problem. change soname of library
  (closes: Bug#4622, #66102, #66538, #66123)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 12 Jul 2000 03:26:30 +0200

openssl (0.9.5a-1) unstable; urgency=low

  * new upstream version (major changes see file NEWS) (closes: Bug#63976,
    #65239, #65358)
  * new library package libssl095a because of probably changed library
    interface (closes: Bug#46222)
  * added architecture mips and mipsel (closes: Bug#62437, #60366)
  * provide shlibs.local file in build to help build if libraries are not
    yet installed (closes: Bug#63984)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 11 Jun 2000 15:17:35 +0200

openssl (0.9.4-5) frozen unstable; urgency=medium

  * cleanup of move of doc directories to /usr/share/doc (closes:
    Bug#56430)
  * lintian issues (closes: Bug#49358)
  * move demos from openssl to libssl09-dev (closes: Bug#59201)
  * move to debhelpers

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 11 Mar 2000 10:38:04 +0100

openssl (0.9.4-4) unstable; urgency=medium

  * Added 'debian-arm' in 'Configure'. (closes: Bug#54251, #54766)
  * Fixed Configure for 'debian-m68k' (closes: Bug#53636)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 15 Jan 2000 13:16:18 +0100

openssl (0.9.4-3) unstable; urgency=low

  * define symbol SSLeay_add_ssl_algorithms for backward compatibility
    (closes: Bug#46882)
  * remove manpages from /usr/doc/openssl (closes: Bug#46791)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 14 Oct 1999 16:51:08 +0200

openssl (0.9.4-2) unstable; urgency=low

  * include some more docu in pod format (Bug #43933)
  * removed -mv8 from sparc flags (Bug #44769)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 14 Sep 1999 22:04:06 +0200

openssl (0.9.4-1) unstable; urgency=low

  * new upstream version (Closes: #42926)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 28 Aug 1999 17:04:23 +0200

openssl (0.9.3a-1) unstable; urgency=low

  * new upstream version (Bug #38345, #38627)
  * sparc is big-endian (Bug #39973)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  7 Jul 1999 16:03:37 +0200

openssl (0.9.2b-3) unstable; urgency=low

  * correct move conffiles to /etc/ssl (Bug #38570)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 31 May 1999 21:08:07 +0200

openssl (0.9.2b-2) unstable; urgency=low

  * added convenience package ssleay to help upgrade to openssl (Bug
    #37185, #37623, #36326)
  * added some missing dependencies from libssl09 (Bug #36681, #35867,
    #36326)
  * move lib*.so to libssl09-dev (Bug #36761)
  * corrected version numbers of library files
  * introduce link from /usr/lib/ssl to /etc/ssl (Bug #36710)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 23 May 1999 14:57:48 +0200

openssl (0.9.2b-1) unstable; urgency=medium

  * First openssl version

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 31 Mar 1999 15:54:26 +0200

ssleay (0.9.0b-2) unstable; urgency=low

  * Include message about the (not)usage of RSAREF (#24409)
  * Move configfiles from /usr/lib/ssl to /etc/ssl (#26406)
  * Change definitions for sparc (#26487)
  * Added missing dependency (#28591)
  * Make debian/libtool executable (#29708)
  * /etc/ssl/lib/ssleay.cnf is now a confile (#32624)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 21 Mar 1999 19:41:04 +0100

ssleay (0.9.0b-1) unstable; urgency=low

  * new upstream version (Bug #21227, #25971)
  * build shared libraries with -fPIC (Bug #20027)
  * support sparc architecture (Bug #28467)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 13 Oct 1998 10:20:13 +0200

ssleay (0.8.1-7) frozen unstable; urgency=high

  * security fix patch to 0.8.1b (bug #24022)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  6 Jul 1998 15:42:15 +0200

ssleay (0.8.1-6) frozen unstable; urgency=low

  * second try to fix bug #15235 (copyright was still missing)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 22 Jun 1998 08:56:27 +0200

ssleay (0.8.1-5) frozen unstable; urgency=high

  * changed /dev/random to /dev/urandom (Bug #23169, #17817)
  * copyright contains now the full licence (Bug #15235)
  * fixed bug #19410 (md5sums-lists-nonexisting-file)
  * added demos to /usr/doc (Bug #17372)
  * fixed type in package description (Bug #18969)
  * fixed bug in adding documentation (Bug #21463)
  * added patch for support of debian-powerpc (Bug #21579)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 18 Jun 1998 23:09:13 +0200

ssleay (0.8.1-4) unstable; urgency=low

  * purged dependency from libc5

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 11 Nov 1997 15:31:50 +0100

ssleay (0.8.1-3) unstable; urgency=low

  * changed packagename libssl to libssl08 to get better dependancies

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri,  7 Nov 1997 14:23:17 +0100

ssleay (0.8.1-2) unstable; urgency=low

  * linked shared libraries against libc6
  * use /dev/random for randomseed

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  5 Nov 1997 11:21:40 +0100

ssleay (0.8.1-1) unstable; urgency=low

  * new upstream version

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Oct 1997 16:15:43 +0200

ssleay (0.6.6-2) unstable; urgency=low

  * cleanup in diffs
  * removed INSTALL from docs (bug #13205)
  * split libssl and libssl-dev (but #13735)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 15 Oct 1997 17:38:38 +0200

ssleay (0.6.6-1) unstable; urgency=low

  * New upstream version
  * added shared libraries for libcrypto and libssl

 -- Christoph Martin <martin@uni-mainz.de>  Thu, 26 Jun 1997 19:26:14 +0200

ssleay (0.6.4-2) unstable; urgency=low

  * changed doc filenames from .doc to .txt to be able to read them
    over with webbrowser

 -- Christoph Martin <martin@uni-mainz.de>  Tue, 25 Feb 1997 14:02:53 +0100

ssleay (0.6.4-1) unstable; urgency=low

  * Initial Release.

 -- Christoph Martin <martin@uni-mainz.de>  Fri, 22 Nov 1996 21:29:51 +0100
