File: changelog

package info (click to toggle)
openssl 1.1.1c-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 46,168 kB
  • sloc: ansic: 495,715; perl: 168,767; asm: 6,232; sh: 1,917; cpp: 1,752; makefile: 132; lisp: 35; python: 29
file content (2352 lines) | stat: -rw-r--r-- 87,885 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
openssl (1.1.1c-1) unstable; urgency=medium

  * New upstream version
   - CVE-2019-1543 (Prevent over long nonces in ChaCha20-Poly1305)
  * Update symbol list

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 30 May 2019 17:27:48 +0200

openssl (1.1.1b-2) unstable; urgency=medium

  * Fix BUF_MEM regression (Closes: #923516)
  * Fix error when config can't be opened (Closes: #926315)
  * Ship an openssl.cnf in libssl1.1-udeb.dirs

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 16 Apr 2019 21:31:11 +0200

openssl (1.1.1b-1) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add Breaks on lighttpd (Closes: #913558).

  [ Kurt Roeckx ]
  * New upstream version
  * Update symbol list

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 26 Feb 2019 19:52:12 +0100

openssl (1.1.1a-1) unstable; urgency=medium

  * Add Breaks on python-boto (See: #909545)
  * New upstream version
   - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
   - CVE-2018-0735 (Timing vulnerability in ECDSA signature generation)
   - Update symbol file for 1.1.1a

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 22 Nov 2018 19:40:54 +0100

openssl (1.1.1-2) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add Breaks on isync (See: #906955)
  * Fix autopkgtest (Closes: #910459)

  [ Kurt Roeckx ]
  * Add Breaks on python-imaplib2 (See: #907079)
  * Add news entry regarding default TLS version and security level
    (Closes: #875423, #907631, #911389, #912067).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 28 Oct 2018 23:52:24 +0100

openssl (1.1.1-1) unstable; urgency=medium

  * New upstream version.
   - Update symbol file for 1.1.1
   - CVE-2018-0732 (actually since pre8).
  * Add Breaks on python-httplib2 (See: #907278)
  * Add hardening=+all.
  * Update to policy 4.2.1
    - Less verbose testsuite with terse
    - Use RRR=no

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 12 Sep 2018 20:39:24 +0200

openssl (1.1.1~~pre9-1) unstable; urgency=medium

  * New upstream version.
    - Support the final TLS 1.3 version (RFC 8446)
  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 21 Aug 2018 21:00:17 +0200

openssl (1.1.1~~pre8-1) experimental; urgency=medium

  * New upstream version.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 05 Jul 2018 00:21:00 +0200

openssl (1.1.1~~pre7-1) experimental; urgency=medium

  * Drop afalgeng on kfreebsd-* which go enabled because they inherit from
    the linux target.
  * Fix debian-rules-sets-dpkg-architecture-variable.
  * Update to policy 4.1.4
    - only Suggest: libssl-doc instead Recommends (only documentation and
      example code is shipped).
    - drop Priority: important.
    - use signing-key.asc and a https links for downloads
  * Use compat 11.
    - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
      seems to make sense.
  * Add a 25-test_verify.t for autopkgtest which runs against intalled
    openssl binary.
  * Fix CVE-2018-0737 (Closes: #895844).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 30 May 2018 19:49:26 +0200

openssl (1.1.1~~pre6-2) experimental; urgency=medium

  * Update libssl1.1.symbols

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 May 2018 16:34:27 +0200

openssl (1.1.1~~pre6-1) experimental; urgency=medium

  * New upstream version
  * Increase default security level from 1 to 2. This moves from the 80 bit
    security level to the 112 bit securit level and will require 2048 bit RSA
    and DHE keys.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 May 2018 16:00:55 +0200

openssl (1.1.1~~pre4-1) experimental; urgency=medium

  * Update to 1.1.1-pre4 (Closes: #892276, #894282).
  * Add riscv64 target (Closes: #891797).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 03 Apr 2018 21:41:55 +0200

openssl (1.1.1~~pre3-1) experimental; urgency=medium

  * Update to 1.1.1-pre3
  * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
  * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
  * Enable system default config to enforce TLS1.2 as a minimum.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 21 Mar 2018 00:01:08 +0100

openssl (1.1.1~~pre2-1) experimental; urgency=medium

  * Update to 1.1.1-pre2

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 27 Feb 2018 21:25:09 +0100

openssl (1.1.1~~pre1-1) experimental; urgency=medium

  * Abort the build if symbols are discovered which are not part of the
    symbols file.
  * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
  * Enable afalgeng on Linux targets (Closes: #888305)
  * Update 1.1.1-pre1.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 25 Feb 2018 21:03:52 +0100

openssl (1.1.0g-2) unstable; urgency=high

  * Avoid problems with aes assembler on armhf using binutils 2.29

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 04 Nov 2017 12:48:13 +0100

openssl (1.1.0g-1) unstable; urgency=medium

  [ Kurt Roeckx ]
  * New upstream version
    - Fixes CVE-2017-3735
    - Fixes CVE-2017-3736
  * Remove patches applied upstream
  * Temporary enable TLS 1.0 and 1.1 again (#875423)
  * Attempt to fix testsuite race condition
  * update no-symbolic.patch to apply

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 02 Nov 2017 15:22:48 +0100

openssl (1.1.0f-5) unstable; urgency=medium

  * Instead of completly disabling TLS 1.0 and 1.1, just set the minimum
    version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
    calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 08 Aug 2017 16:13:54 +0200

openssl (1.1.0f-4) unstable; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Add support for arm64ilp32, patch by Wookey (Closes: #867240)

  [ Kurt Roeckx ]
  * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
    version. This will likely break things, but the hope is that by
    the release of Buster everything will speak at least TLS 1.2. This will be
    reconsidered before the Buster release.
  * Fix a race condition in the test suite (Closes: #869856)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 07 Aug 2017 01:08:45 +0200

openssl (1.1.0f-3) unstable; urgency=medium

  * Don't cleanup a thread-local key we didn't create it (Closes: #863707)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 05 Jun 2017 11:40:42 +0200

openssl (1.1.0f-2) unstable; urgency=medium

  * Make the udeb use a versioned depends (Closes: #864080)
  * Conflict with libssl1.0-dev (Closes: #863367)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 04 Jun 2017 12:07:38 +0200

openssl (1.1.0f-1) unstable; urgency=medium

  * New upstream version
    - Fix regression in req -x509 (Closes: #839575)
    - Properly detect features on the AMD Ryzen processor (Closes: #861145)
    - Don't mention -tls1_3 in the manpage (Closes: #859191)
  * Update libssl1.1.symbols for new symbols
  * Update man-section.patch

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 May 2017 18:29:01 +0200

openssl (1.1.0e-2) unstable; urgency=medium

  * Make openssl depend on perl-base (Closes: #860254)

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 01 May 2017 21:50:37 +0200

openssl (1.1.0e-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2017-3733
    - Remove patches that are applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 16 Feb 2017 18:57:58 +0100

openssl (1.1.0d-2) unstable; urgency=medium

  * Fix building of arch and all packages in a minimal environment
    (Closes: #852900).
  * Fix precomputing SHA1 by adding the following patches from upstream:
    - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
    - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
    - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
    (Closes: #852920).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 30 Jan 2017 23:20:07 +0100

openssl (1.1.0d-1) unstable; urgency=medium

  * New Upstream release
    - Fixes CVE-2017-3731
    - Fixes CVE-2017-3730
    - Fixes CVE-2017-3732
    - drop revert_ssl_read.patch and
      0001-Add-missing-zdelete-for-some-linux-arches.patch, applied upstream.
  * add new symbols.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 26 Jan 2017 16:38:34 +0100

openssl (1.1.0c-4) unstable; urgency=medium

  * Make build-indep build again.
  * Don't depend on perl:any in openssl as it breaks debootstrap
   ("Closes: #852017).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 20 Jan 2017 22:18:15 +0100

openssl (1.1.0c-3) unstable; urgency=medium

  * Add myself as Uploader.
  * Add support for tilegx, patch by Helmut Grohne (Closes: #848957).
  * redo the rules file to some newer debhelper:
    - everyfile should remain, nothing should get lost
    - the scripts in the doc package gained an exec bit
    - openssl gained a dep on perl (the package contains perl scripts)
    - libssl1.0.2-dbg is gone, we have dbgsym now
    - dh compat 10
    - pkg.install instead of pkg.files is used for install
  * Mark libssl-doc as MA foreign
  * Update Standards-Version from 3.9.5 to 3.9.8. No changes required.
  * Document the change for openssl's enc command between 1.1.0 and pre 1.1.0
    in the NEWS file (Closes: #843064).
  * Add an override for lintian for the non-standard private directory

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 19 Jan 2017 23:00:01 +0100

openssl (1.1.0c-2) unstable; urgency=medium

  * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
    (Closes: #844234)
  * Add missing -zdelete on x32 (Closes: #844715)
  * Add a Breaks on salt-common. Addresses #844706

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 21 Nov 2016 22:20:00 +0100

openssl (1.1.0c-1) unstable; urgency=medium

  * New upstrem release
    - Fix CVE-2016-7053
    - Fix CVE-2016-7054
    - Fix CVE-2016-7055
  * remove no-rpath.patch, applied upstream.
  * Remove old d2i test cases, use the one from the upstream tarball.
  * Update libssl1.1.symbols for new sysmbols.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 10 Nov 2016 19:05:44 +0100

openssl (1.1.0b-2) unstable; urgency=low

  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 Nov 2016 22:02:32 +0100

openssl (1.1.0b-1) experimental; urgency=medium

  * New upstream release
    - Fixes CVE-2016-6309

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 26 Sep 2016 18:21:09 +0200

openssl (1.1.0a-1) experimental; urgency=medium

  * New upstream release
    - Fix CVE-2016-6304
    - Fix CVE-2016-6305
    - Fix CVE-2016-6307
    - Fix CVE-2016-6308
  * Update c_rehash-compat.patch to apply to new version.
  * Update symbol file.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 22 Sep 2016 20:13:59 +0200

openssl (1.1.0-1) experimental; urgency=medium

  [ Kurt Roeckx ]
  * New upstream version
  * Use Package-Type instead of XC-Package-Type
  * Remove "Priority: optional" in the binary packages.
  * Add Homepage
  * Use dpkg-buildflags's LDFLAGS also for building the shared libraries.

  [ Sebastian Andrzej Siewior ]
  * drop config-hurd.patch, we don't use `config' and it works without the
    patch.
  * Drop depend on zlib1g-dev since we don't use it anymore (Closes: #767207)
  * Make the openssl package Multi-Arch: foregin (Closes: #827028)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 Aug 2016 18:52:22 +0200

openssl (1.1.0~pre6-1) experimental; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * drop engines-path.patch. Upstream uses a 1.1 suffixes now.

  [ Kurt Roeckx ]
  * New upstream version
  * Drop upstream snapshot
  * Update symbols file
  * Use some https instead of http URLs

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 04 Aug 2016 18:33:24 +0200

openssl (1.1.0~pre5-5) experimental; urgency=medium

  * Update snapshot to commit fe964f0c88f6780fd30b26e306484b981b0a8480

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 02 Jul 2016 14:54:51 +0200

openssl (1.1.0~pre5-4) experimental; urgency=medium

  * Update snapshot to commit c32bdbf171ce6650ef045ec47b5abe0de7c264db
  * Remove utils-mkdir-p-check-if-dir-exists-also-after-mkdir-f.patch, applied
    upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 26 Jun 2016 15:07:48 +0200

openssl (1.1.0~pre5-3) experimental; urgency=medium

  [ Kurt Roeckx ]
  * Don't use assembler on hppa, it's not writen for Linux.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 10 Jun 2016 22:33:06 +0200

openssl (1.1.0~pre5-2) experimental; urgency=medium

  [ Sebastian Andrzej Siewior ]
  * Run the testsuite with verbose output.
  * Use $(MAKE) so the whole make environment is passed to its child and we
    can build in parallel with -jX
  * Update snapshot to commit 5000a6d1215e ("Fix an error path leak in int
    X509_ATTRIBUTE_set1_data()")

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 10 Jun 2016 21:49:55 +0200

openssl (1.1.0~pre5-1) experimental; urgency=medium

  * New upstream version with soname change.  Upload to experimental.
    - Rename binary packages
    - Remove patches:
      - block_diginotar.patch: All cross certificates expired in 2013
      - block_digicert_malaysia.patch: intermediate certificates expired in
        2015
      - man-dir.patch: Fixed upstream
      - valgrind.patch: Upstream no longer adds the uninitialized data to the
        RNG
      - shared-lib-ext.patch: No longer needed
      - version-script.patch: Upstream does symbol versioning itself now
      - disable_freelist.patch: No longer needed
      - soname.patch: Was to change to the 1.0.2 soname that upstream never had
      - disable_sslv3_test.patch: Fixed upstream
      - libdoc-manpgs-pod-spell.patch: Fixed upstream (Closes: #813191)
    - Rewrite debian-targets.patch to work with the new configuration system.
    - Update other patches to apply
    - Update list of install docs
    - Use DESTDIR instead of INSTALL_PREFIX
    - Clean up more files
    - Remove the configure option enable-tlsext no-ssl2 since they're no
      longer supported.
  * Add upstream snapshot:
    - Add d2i-tests.tar to get new binary test files.
  * Don't build i686 optimized version anymore on i386, it's now the default.
    (Closes: #823774)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 28 May 2016 20:58:31 +0200

openssl (1.0.2h-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2016-2107
    - Fixes CVE-2016-2105
    - Fixes CVE-2016-2106
    - Fixes CVE-2016-2109
    - Fixes CVE-2016-2176

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 03 May 2016 18:31:22 +0200

openssl (1.0.2g-2) unstable; urgency=medium

  * Use assembler of arm64 (Closes: #794326)
    Patch from Riku Voipio <riku.voipio@iki.fi>
  * Add a udeb for libssl, based on similar changes done in Ubuntu
    starting in version 0.9.8o-4ubuntu1 (Closes: #802591)
    Patch from Margarita Manterola <marga@google.com>
  * Add support for nios2 (Closes: #816239)
    Based on patch from Marek Vasut <marex@denx.de>
  * Update Spanish translation from Manuel "Venturi" Porras Peralta
    <venturi@openmailbox.org> (Closes: #773601)
  * Don't build an i586 optimized version anymore, the default
    already targets that.  Patch from Sven Joachim <svenjoac@gmx.de>
    (Closes: #759811)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 21 Apr 2016 23:43:06 +0200

openssl (1.0.2g-1) unstable; urgency=high

  * New upstream version
  * Fix CVE-2016-0797
  * Fix CVE-2016-0798
  * Fix CVE-2016-0799
  * Fix CVE-2016-0702
  * Fix CVE-2016-0705
  * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800)
    makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them
    too.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 01 Mar 2016 18:31:09 +0100

openssl (1.0.2f-2) unstable; urgency=high

  * New upstream version.
    - Fixes CVE-2016-0701
    - Not affected by CVE-2015-3197 because SSLv2 is disabled.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 28 Jan 2016 19:32:02 +0100

openssl (1.0.2e-1) unstable; urgency=high

  * New upstream release
    - Fix CVE-2015-3193
    - Fix CVE-2015-3194
    - Fix CVE-2015-3195
    - Fix CVE-2015-3196
  * Remove all symlinks during clean
  * Run make depend after configure
  * Remove openssl_button.* from the doc package

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 03 Dec 2015 19:33:05 +0100

openssl (1.0.2d-3) unstable; urgency=medium

  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 01 Nov 2015 19:14:34 +0100

openssl (1.0.2d-2) experimental; urgency=medium

  * Build with no-ssl3-method to remove all SSLv3 support.  This results in
    the functions SSLv3_method(), SSLv3_server_method() and
    SSLv3_client_method() being removed from libssl.  Change the soname as
    result of that and also changes name of the binary package.
    (Closes: #768476)
  * Enable rfc3779 and cms support (Closes: #630790)
  * Fix cross compilation for mips architectures. (Closes: #782492)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 06 Sep 2015 14:21:27 +0200

openssl (1.0.2d-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2015-1793

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 09 Jul 2015 18:22:26 +0200

openssl (1.0.2c-1) unstable; urgency=medium

  * New upstream version
    - Fixes ABI (Closes: #788511)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 12 Jun 2015 20:35:12 +0200

openssl (1.0.2b-1) unstable; urgency=high

  * New upstream version
    - Fix CVE-2015-4000
    - Fix CVE-2015-1788
    - Fix CVE-2015-1789
    - Fix CVE-2015-1790
    - Fix CVE-2015-1792
    - Fix CVE-2015-1791
  * Update c_rehash-compat.patch to make it apply to the new version.
  * Remove openssl-pod-misspell.patch applied upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 11 Jun 2015 18:20:38 +0200

openssl (1.0.2a-1) unstable; urgency=medium

  * New upstrema version
    - Fix CVE-2015-0286
    - Fix CVE-2015-0287
    - Fix CVE-2015-0289
    - Fix CVE-2015-0293 (not affected, SSLv2 disabled)
    - Fix CVE-2015-0209
    - Fix CVE-2015-0288
    - Fix CVE-2015-0291
    - Fix CVE-2015-0290
    - Fix CVE-2015-0207
    - Fix CVE-2015-0208
    - Fix CVE-2015-1787
    - Fix CVE-2015-0285
  * Temporary enable SSLv3 methods again, but they will go away.
  * Don't set TERMIO anymore, use the default TERMIOS instead.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 30 Apr 2015 23:37:27 +0200

openssl (1.0.2-1) experimental; urgency=medium

  * New upstream release
    - Fixes CVE-2014-3571
    - Fixes CVE-2015-0206
    - Fixes CVE-2014-3569
    - Fixes CVE-2014-3572
    - Fixes CVE-2015-0204
    - Fixes CVE-2015-0205
    - Fixes CVE-2014-8275
    - Fixes CVE-2014-3570
    - Drop git_snapshot.patch
  * Drop gnu_source.patch, dgst_hmac.patch, stddef.patch,
    no_ssl3_method.patch: applied upstream
  * Update patches to apply

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 23 Jan 2015 18:54:13 +0100

openssl (1.0.2~beta3-1) experimental; urgency=low

  * New usptream beta version
  * Add git snapshot
  * Merge changes between 1.0.1h-3 and 1.0.1j-1:
    - Disables SSLv3 because of CVE-2014-3566
  * Drop patch rehash-crt.patch: partially applied upstream.
    c_rehash now doesn't support files in DER format anymore.
  * Drop patch rehash_pod.patch: applied upstream
  * Update c_rehash-compat.patch to apply to new upstream version.  This
    undoes upstream's "-old" option and creates both the new and old again.
    It now also does it for CRLs.
  * Drop defaults.patch, applied upstream
  * dgst_hmac.patch updated to apply to upstream version.
  * engines-path.patch updated to apply to upstream version.
  * Update list of exported symbols
  * Update symbols files to require beta3
  * Enable unit tests
  * Add patch to add support for the no-ssl3-method option that completly
    disable SSLv3 and pass the option.  This drops the following functions
    from the library: SSLv3_method, SSLv3_server_method and
    SSLv3_client_method
  * Build using OPENSSL_NO_BUF_FREELISTS

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 07 Nov 2014 00:20:10 +0100

openssl (1.0.2~beta2-1) experimental; urgency=medium

  * New usptream beta version
    - Fix CVE-2014-0224
    - Fix CVE-2014-0221
    - Fix CVE-2014-0195
    - Fix CVE-2014-3470
    - Fix CVE-2014-0198
    - Fix CVE-2010-5298
    - Fix CVE-2014-0160
    - Fix CVE-2014-0076
  * Merge changes between 1.0.1f-1 and 1.0.1h-3:
    - postinst: Updated check for restarting services
  * libdoc-manpgs-pod-spell.patch and openssl-pod-misspell.patch
    partially applied upstream
  * Drop fix-pod-errors.patch, applied upstream.
  * Add support for ppc64le (Closes: #745657)
  * Add support for OpenRISC (Closes: #736772)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 23 Jul 2014 19:54:09 +0200

openssl (1.0.2~beta1-1) experimental; urgency=medium

  * New upstream beta version
    - Update list of symbols that should be exported and adjust the symbols
      file.  This also removes a bunch of duplicate symbols in the linker
      file.
    - Fix additional pod errors
    - Following patches have been applied upstream and are removed:
      libssl-misspell.patch, pod_req_misspell2.patch,
      pod_pksc12.misspell.patch, pod_s_server.misspell.patch,
      pod_x509setflags.misspell.patch, pod_ec.misspell.patch,
      pkcs12-doc.patch, req_bits.patch
    - Following patches have been partially applied upstream:
      libdoc-manpgs-pod-spell.patch, openssl-pod-misspell.patch
    - Remove openssl_fix_for_x32.patch, different patch applied upstream.
  * Add support for cross compiling (Closes: #465248)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 25 Feb 2014 00:36:51 +0100

openssl (1.0.1f-1) unstable; urgency=high

  * New upstream version
    - Fix for TLS record tampering bug CVE-2013-4353
    - Drop the snapshot patch
  * update watch file to check for upstream signature and add upstream pgp key.
  * Drop conflicts against openssh since we now on a released version again.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 06 Jan 2014 18:50:54 +0100

openssl (1.0.1e-6) unstable; urgency=medium

  * Add Breaks: openssh-client (<< 1:6.4p1-1.1), openssh-server (<<
    1:6.4p1-1.1).  This is to prevent people running into #732940.
    This Breaks can be removed again when we stop using a git snapshot.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 23 Dec 2013 15:19:17 +0100

openssl (1.0.1e-5) unstable; urgency=low

  * Change default digest to SHA256 instead of SHA1.  (Closes: #694738)
  * Drop support for multiple certificates in 1 file.  It never worked
    properly in the first place, and the only one shipping in
    ca-certificates has been split.
  * Fix libdoc-manpgs-pod-spell.patch to only fix spalling errors
  * Remove make-targets.patch.  It prevented the test dir from being cleaned.
  * Update to a git snapshot of the OpenSSL_1_0_1-stable branch.
    - Fixes CVE-2013-6449 (Closes: #732754)
    - Fixes CVE-2013-6450
    - Drop patches ssltest_no_sslv2.patch cpuid.patch aesni-mac.patch
      dtls_version.patch get_certificate.patch, since they where all
      already commited upstream.
    - adjust fix-pod-errors.patch for the reordering of items in the
      documentation they've done trying to fix those pod errors.
    - disable rdrand engine by default (Closes: #732710)
  * disable zlib support.  Fixes CVE-2012-4929 (Closes: #728055)
  * Add arm64 support (Closes: #732348)
  * Properly use the default number of bits in req when none are given

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 22 Dec 2013 19:25:35 +0100

openssl (1.0.1e-4) unstable; urgency=low

  [ Peter Michael Green ]
  * Fix pod errors (Closes: #723954)
  * Fix clean target

  [ Kurt Roeckx ]
  * Add mipsn32 and mips64 targets.  Patch from Eleanor Chen
    <chenyueg@gmail.com>  (Closes: #720654)
  * Add support for nocheck in DEB_BUILD_OPTIONS
  * Update Norwegian translation (Closes: #653574)
  * Update description of the packages.  Patch by Justin B Rye
    (Closes: #719262)
  * change to debhelper compat level 9:
    - change dh_strip call so only the files from libssl1.0.0 get debug
      symbols.
    - change dh_makeshlibs call so the engines don't get added to the
      shlibs
  * Update Standards-Version from 3.8.0 to 3.9.5.  No changes required.

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 01 Nov 2013 17:11:53 +0100

openssl (1.0.1e-3) unstable; urgency=low

  * Move <openssl/opensslconf.h> to /usr/include/$(DEB_HOST_MULTIARCH), and
    mark libssl-dev Multi-Arch: same.
    Patch by Colin Watson <cjwatson@ubuntu.com> (Closes: #689093)
  * Add Polish translation (Closes: #658162)
  * Add Turkish translation (Closes: #660971)
  * Enable assembler for the arm targets, and remove armeb.
    Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533)
  * Add support for x32 (Closes: #698406)
  * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 20 May 2013 16:56:06 +0200

openssl (1.0.1e-2) unstable; urgency=high

  * Bump shlibs.  It's needed for the udeb.
  * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
  * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
  * Fix problem with DTLS version check (Closes: #701826)
  * Fix segfault in SSL_get_certificate (Closes: #703031)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 18 Mar 2013 20:37:11 +0100

openssl (1.0.1e-1) unstable; urgency=high

  * New upstream version (Closes: #699889)
    - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
    - Drop renegiotate_tls.patch, applied upstream
    - Export new CRYPTO_memcmp symbol, update symbol file
  * Add ssltest_no_sslv2.patch so that "make test" works.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 11 Feb 2013 19:39:44 +0100

openssl (1.0.1c-5) unstable; urgency=low

  * Re-enable assembler versions on sparc.  They shouldn't have
    been disabled for sparc v9.  (Closes: #649841)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 09 Sep 2012 08:43:40 +0200

openssl (1.0.1c-4) unstable; urgency=low

  * Fix the configure rules for alpha (Closes: #672710)
  * Switch the postinst to sh again, there never was a reason to
    switch it to bash (Closes: #676398)
  * Fix pic.patch to not use #ifdef in x86cpuid.s, only .S files are
    preprocessed.  We generate the file again for pic anyway.
    (Closes: #677468)
  * Drop Breaks against openssh as it was only for upgrades
    between versions that were only in testing/unstable.
    (Closes: #668600)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 17 Jul 2012 11:49:19 +0200

openssl (1.0.1c-3) unstable; urgency=low

  * Disable padlock engine again, causes problems for hosts not supporting it.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 06 Jun 2012 18:29:37 +0200

openssl (1.0.1c-2) unstable; urgency=high

  * Fix renegiotation when using TLS > 1.0.  This breaks tor.  Patch from
    upstream.  (Closes: #675990)
  * Enable the padlock engine by default.
  * Change default bits from 1024 to 2048 (Closes: #487152)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 06 Jun 2012 00:55:42 +0200

openssl (1.0.1c-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-2333 (Closes: #672452)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 11 May 2012 18:44:51 +0200

openssl (1.0.1b-1) unstable; urgency=high

  * New upstream version
    - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
      can talk to servers supporting TLS 1.1 but not TLS 1.2
    - Drop rc4_hmac_md5.patch, applied upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 26 Apr 2012 23:34:34 +0200

openssl (1.0.1a-3) unstable; urgency=low

  * Use patch from upstream for the rc4_hmac_md5 issue.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 23:16:30 +0200

openssl (1.0.1a-2) unstable; urgency=low

  * Fix rc4_hmac_md5 on non-i386/amd64 arches.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 21:54:42 +0200

openssl (1.0.1a-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-2110
    - Fix crash in rc4_hmac_md5 (Closes: #666405)
    - Fixes some issues with talking to other servers when TLS 1.1 and 1.2 is
      supported
    - Drop patches no_ssl2.patch vpaes.patch tls1.2_client_algorithms.patch,
      applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 19 Apr 2012 19:54:12 +0200

openssl (1.0.1-4) unstable; urgency=low

  * Use official patch for the vpaes problem, also covering amd64.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 31 Mar 2012 20:54:13 +0200

openssl (1.0.1-3) unstable; urgency=high

  * Fix crash in vpaes (Closes: #665836)
  * use client version when deciding whether to send supported signature
    algorithms extension

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 31 Mar 2012 18:35:59 +0200

openssl (1.0.1-2) unstable; urgency=low

  * Properly quote the new cflags in Configure

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 19 Mar 2012 19:56:05 +0100

openssl (1.0.1-1) unstable; urgency=low

  * New upstream version
    - Remove kfreebsd-pipe.patch, fixed upstream
    - Update pic.patch, openssl-pod-misspell.patch and make-targets.patch
    - Add OPENSSL_1.0.1 to version-script.patch and libssl1.0.0.symbols for
      the new functions.
    - AES-NI support (Closes: #644743)
  * pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
    hidden on amd64, no need to access it PIC anymore.
  * pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
  * Enable hardening using dpkg-buildflags (Closes: #653495)
  * s_client and s_server were forcing SSLv3 only connection when SSLv2 was
    disabled instead of the SSLv2 with upgrade method.  (Closes: #664454)
  * Add Breaks on openssh < 1:5.9p1-4, it has a too strict version check.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 19 Mar 2012 18:23:32 +0100

openssl (1.0.0h-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-0884
    - Fixes CVE-2012-1165
    - Properly fix CVE-2011-4619
    - pkg-config.patch applied upstream, remove it.
  * Enable assembler for all i386 arches.  The assembler does proper
    detection of CPU support, including cpuid support.
    This should fix a problem with AES 192 and 256 with the padlock
    engine because of the difference in NO_ASM between the between
    the i686 optimized library and the engine.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 13 Mar 2012 21:08:17 +0100

openssl (1.0.0g-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2012-0050

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 18 Jan 2012 20:46:13 +0100

openssl (1.0.0f-1) unstable; urgency=high

  * New upstream version
    - Fixes CVE-2011-4108, CVE-2011-4576, CVE-2011-4619, CVE-2012-0027,
      CVE-2011-4577

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 12 Jan 2012 19:02:43 +0100

openssl (1.0.0e-3) unstable; urgency=low

  * Don't build v8 and v9 variants of sparc anymore, they're older than
    the default.  (Closes: #649841)
  * Don't build i486 optimized version, that's the default anyway, and
    it uses assembler that doesn't always work on i486.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 28 Nov 2011 22:17:26 +0100

openssl (1.0.0e-2.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them
    as revoked.

 -- Raphael Geissert <geissert@debian.org>  Sun, 06 Nov 2011 01:39:30 -0600

openssl (1.0.0e-2) unstable; urgency=low

  * Add a missing $(DEB_HOST_MULTIARCH)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Sep 2011 17:02:29 +0200

openssl (1.0.0e-1) unstable; urgency=low

  * New upstream version
    - Fix bug where CRLs with nextUpdate in the past are sometimes accepted
      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
    - Fix SSL memory handling for (EC)DH ciphersuites, in particular
      for multi-threaded use of ECDH. (CVE-2011-3210)
    - Add protection against ECDSA timing attacks (CVE-2011-1945)
  * Block DigiNotar certifiates.  Patch from
    Raphael Geissert <geissert@debian.org>
  * Generate hashes for all certs in a file (Closes: #628780, #594524)
    Patch from Klaus Ethgen <Klaus@Ethgen.de>
  * Add multiarch support (Closs: #638137)
    Patch from Steve Langasek / Ubuntu
  * Symbols from the gost engine were removed because it didn't have
    a linker file.  Thanks to Roman I Khimov <khimov@altell.ru>
    (Closes: #631503)
  * Add support for s390x.  Patch from Aurelien Jarno <aurel32@debian.org>
    (Closes: #641100)
  * Add build-arch and build-indep targets to the rules file.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200

openssl (1.0.0d-3) unstable; urgency=low

  * Make it build on sparc64.  Patch from Aurelien Jarno.  (Closes: #626060)
  * Apply patches from Scott Schaefer <saschaefer@neurodiverse.org> to
    fix various pod and spelling errors. (Closes: #622820, #605561)
  * Add missing symbols for the engines (Closes: #623038)
  * More spelling fixes from Scott Schaefer (Closes: #395424)
  * Patch from Scott Schaefer to better document pkcs12 password options
    (Closes: #462489)
  * Document dgst -hmac option.  Patch by Thorsten Glaser <tg@mirbsd.de>
    (Closes: #529586)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 13 Jun 2011 12:39:54 +0200

openssl (1.0.0d-2) unstable; urgency=high

  * Make c_rehash also generate the old subject hash.  Gnutls applications
    seem to require it.  (Closes: #611102)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Apr 2011 22:36:49 +0200

openssl (1.0.0d-1) unstable; urgency=low

  * New upstream version
    - Fixes CVE-2011-0014
  * Make libssl-doc Replaces/Breaks with old libssl-dev packages
    (Closes: #607609)
  * Only export the symbols we should, instead of all.
  * Add symbol file.
  * Upload to unstable

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 02 Apr 2011 13:19:19 +0000

openssl (1.0.0c-2) experimental; urgency=low

  * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
  * Always define _GNU_SOURCE, not only for Linux.
  * Drop SSL2 support (Closes: #589706)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 19 Dec 2010 16:24:16 +0100

openssl (1.0.0c-1) experimental; urgency=low

  * New upstream version (Closes: #578376)
    - New soname: Rename library packages
    - Drop patch perl-path.diff, not needed anymore
    - Drop patches CVE-2010-2939.patch, CVE-2010-3864.patch
      and CVE-2010-4180.patch: applied upstream.
    - Update Configure for the new fields for the assembler options
      per arch.  alpha now makes use of assembler.
  * Move man3 manpages and demos to libssl-doc (Closes: #470594)
  * Drop .pod files from openssl package (Closes: #518167)
  * Don't use RC4_CHAR on amd64 and drop rc4-amd64.patch
  * Stop using BF_PTR2 on (kfreebd-)amd64.
  * Drop debian-arm from the list of arches.
  * Update arm arches to use BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
    BF_PTR instead of BN_LLONG DES_RISC1
  * ia64: Drop RC4_CHAR, add DES_UNROLL DES_INT
  * powerpc: Use RC4_CHAR RC4_CHUNK DES_RISC1 instead
    of DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX
  * s390: Use RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL instead of BN_LLONG

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 12 Dec 2010 15:37:21 +0100

openssl (0.9.8o-4) unstable; urgency=low

  * Fix CVE-2010-4180 (Closes: #529221)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 06 Dec 2010 20:33:21 +0100

openssl (0.9.8o-3) unstable; urgency=high

  * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709)
  * Re-add the engines.  They were missing since 0.9.8m-1.
    Patch by Joerg Schneider. (Closes: #603693)
  * Not all architectures were build using -g (Closes: #570702)
  * Add powerpcspe support (Closes: #579805)
  * Add armhf support (Closes: #596881)
  * Update translations:
    - Brazilian Portuguese (Closes: #592154)
    - Danish (Closes: #599459)
    - Vietnamese (Closes: #601536)
    - Arabic (Closes: #596166)
  * Generate the proper stamp file so that everything doesn't get build twice.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 16 Nov 2010 19:20:55 +0100

openssl (0.9.8o-2) unstable; urgency=high

  * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 26 Aug 2010 18:25:29 +0200

openssl (0.9.8o-1) unstable; urgency=low

  * New upstream version
    - Add SHA2 algorithms to SSL_library_init().
    - aes-x86_64.pl is now PIC, update pic.patch.
  * Add sparc64 support (Closes: #560240)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 18 Apr 2010 01:42:44 +0200

openssl (0.9.8n-1) unstable; urgency=high

  * New upstream version.
    - Fixes CVE-2010-0740.
    - Drop cfb.patch, applied upstream.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 25 Mar 2010 20:30:52 +0100

openssl (0.9.8m-2) unstable; urgency=low

  * Revert CFB block length change preventing reading older files.
    (Closes: #571810, #571940)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 28 Feb 2010 22:08:49 +0100

openssl (0.9.8m-1) unstable; urgency=low

  * New upstream version
    - Implements RFC5746, reenables renegotiation but requires the extension.
    - Fixes CVE-2009-3245
    - Drop patches CVE-2009-4355.patch, CVE-2009-1378.patch,
      CVE-2009-1377.patch, CVE-2009-1379.patch, CVE-2009-3555.patch,
      CVE-2009-2409.patch, CVE-2009-1387.patch, tls_ext_v3.patch,
      no_check_self_signed.patch: applied upstream
    - pk7_mime_free.patch removed, code rewritten
    - ca.diff partially applied upstream
    - engines-path.patch adjusted, upstream made some minor changes to the
      build system.
    - some flags changed values, bump shlibs.
  * Switch to 3.0 (quilt) source package.
  * Make sure the package is properly cleaned.
  * Add ${misc:Depends} to the Depends on all packages.
  * Fix spelling of extension in the changelog file.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 27 Feb 2010 12:24:03 +0000

openssl (0.9.8k-8) unstable; urgency=high

  * Clean up zlib state so that it will be reinitialized on next use and
    not cause a memory leak.  (CVE-2009-4355, CVE-2008-1678)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Jan 2010 21:26:49 +0100

openssl (0.9.8k-7) unstable; urgency=low

  * Bump the shlibs to require 0.9.8k-1.  The following symbols
    to added between g and k: AES_wrap_key, AES_unwrap_key,
    ASN1_TYPE_set1, ASN1_STRING_set0, asn1_output_data_fn,
    SMIME_read_ASN1, BN_X931_generate_Xpq, BN_X931_derive_prime_ex,
    BN_X931_generate_prime_ex, COMP_zlib_cleanup, CRYPTO_malloc_debug_init,
    int_CRYPTO_set_do_dynlock_callback, CRYPTO_set_mem_info_functions,
    CRYPTO_strdup, CRYPTO_dbg_push_info, CRYPTO_dbg_pop_info,
    CRYPTO_dbg_remove_all_info, OPENSSL_isservice, OPENSSL_init,
    ENGINE_set_load_ssl_client_cert_function,
    ENGINE_get_ssl_client_cert_function, ENGINE_load_ssl_client_cert,
    EVP_CIPHER_CTX_set_flags, EVP_CIPHER_CTX_clear_flags,
    EVP_CIPHER_CTX_test_flags, HMAC_CTX_set_flags, OCSP_sendreq_new
    OCSP_sendreq_nbio, OCSP_REQ_CTX_free, RSA_X931_derive_ex,
    RSA_X931_generate_key_ex, X509_ALGOR_set0, X509_ALGOR_get0,
    X509at_get0_data_by_OBJ, X509_get1_ocsp

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 28 Nov 2009 14:34:26 +0100

openssl (0.9.8k-6) unstable; urgency=low

  * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 12 Nov 2009 18:10:31 +0000

openssl (0.9.8k-5) unstable; urgency=low

  * Don't check self signed certificate signatures in X509_verify_cert()
    (Closes: #541735)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 11 Sep 2009 15:42:32 +0200

openssl (0.9.8k-4) unstable; urgency=low

  * Split all the patches into a separate files
  * Stop undefinging HZ, the issue on alpha should be fixed.
  * Remove MD2 from digest algorithm table.  (CVE-2009-2409) (Closes: #539899)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 11 Aug 2009 21:19:18 +0200

openssl (0.9.8k-3) unstable; urgency=low

  * Make rc4-x86_64 PIC.  Based on patch from Petr Salinger (Closes: #532336)
  * Add workaround for kfreebsd that can't see the different between
    two pipes.  Patch from Petr Salinger.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 13 Jun 2009 18:15:46 +0200

openssl (0.9.8k-2) unstable; urgency=low

  * Move libssl0.9.8-dbg to the debug section.
  * Use the rc4 assembler on kfreebsd-amd64 (Closes: #532336)
  * Split the line to generate md5-x86_64.s in the Makefile.  This will
    hopefully fix the build issue on kfreebsd that now outputs the file
    to stdout instead of the file.
  * Fix denial of service via an out-of-sequence DTLS handshake message
    (CVE-2009-1387) (Closes: #532037)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 08 Jun 2009 19:05:56 +0200

openssl (0.9.8k-1) unstable; urgency=low

  * New upstream release
    - 0.9.8i fixed denial of service via a DTLS ChangeCipherSpec packet
      that occurs before ClientHello (CVE-2009-1386)
  * Make aes-x86_64.pl use PIC.
  * Fix security issues (Closes: #530400)
    - "DTLS record buffer limitation bug." (CVE-2009-1377)
    - "DTLS fragment handling" (CVE-2009-1378)
    - "DTLS use after free" (CVE-2009-1379)
  * Fixed Configure for hurd: use -mtune=i486 instead of -m486
    Patch by Marc Dequènes (Duck) <duck@hurdfr.org> (Closes: #530459)
  * Add support for avr32 (Closes: #528648)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 16 May 2009 17:33:55 +0200

openssl (0.9.8g-16) unstable; urgency=high

  * Properly validate the length of an encoded BMPString and UniversalString
    (CVE-2009-0590)  (Closes: #522002)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 01 Apr 2009 22:04:53 +0200

openssl (0.9.8g-15) unstable; urgency=low

  * Internal calls to didn't properly check for errors which
    resulted in malformed DSA and ECDSA signatures being treated as
    a good signature rather than as an error.  (CVE-2008-5077)
  * ipv6_from_asc() could write 1 byte longer than the buffer in case
    the ipv6 address didn't have "::" part.  (Closes: #506111)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 05 Jan 2009 21:14:31 +0100

openssl (0.9.8g-14) unstable; urgency=low

  * Don't give the warning about security updates when upgrading
    from etch since it doesn't have any known security problems.
  * Automaticly use engines that succesfully initialised.  Patch
    from the 0.9.8h upstream version.  (Closes: #502177)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 31 Oct 2008 22:45:14 +0100

openssl (0.9.8g-13) unstable; urgency=low

  * Fix a problem with tlsext preventing firefox 3 from connection.
    Patch from upstream CVS and part of 0.9.8h.
    (Closes: #492758)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 03 Aug 2008 19:47:10 +0200

openssl (0.9.8g-12) unstable; urgency=low

  * add the changelog of the 10.1 NMU to make bugtracking happy

 -- Christoph Martin <Christoph.Martin@Uni-Mainz.DE>  Tue, 22 Jul 2008 14:58:26 +0200

openssl (0.9.8g-11) unstable; urgency=low

  [ Christoph Martin ]
  * updated cs, gl, sv, ru, ro debconf translation (closes: #480926, #480967,
    #482465, #484324, #488595)
  * add Vcs-Svn header (closes: #481654)
  * fix debian-kfreebsd-i386 build flags (closes: #482275)
  * add stunnel4 to restart list (closes: #482111)
  * include fixes from 10.1 NMU by Security team
    - Fix double free in TLS server name extension which leads to a remote
      denial of service (CVE-2008-0891; Closes: #483379).
    - Fix denial of service if the 'Server Key exchange message'
      is omitted from a TLS handshake which could lead to a client
      crash (CVE-2008-1672; Closes: #483379).
      This only works if openssl is compiled with enable-tlsext which is
      done in Debian.
  * fix some lintian warnings
  * update to newest standards version

 -- Christoph Martin <Christoph.Martin@Uni-Mainz.DE>  Thu, 17 Jul 2008 09:53:01 +0200

openssl (0.9.8g-10.1) unstable; urgency=high

  * Non-maintainer upload by the Security team.
  * Fix denial of service if the 'Server Key exchange message'
    is omitted from a TLS handshake which could lead to a client
    crash (CVE-2008-1672; Closes: #483379).
    This only works if openssl is compiled with enable-tlsext which is
    done in Debian.
  * Fix double free in TLS server name extension which leads to a remote
    denial of service (CVE-2008-0891; Closes: #483379).

 -- Nico Golde <nion@debian.org>  Tue, 27 May 2008 11:13:44 +0200

openssl (0.9.8g-10) unstable; urgency=low

  * undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK)
    to fix a build failure on alpha.

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 08 May 2008 17:56:13 +0000

openssl (0.9.8g-9) unstable; urgency=high

  [ Christoph Martin ]
  * Include updated debconf translations (closes: #473477, #461597,
    #461880, #462011, #465517, #475439)

  [ Kurt Roeckx ]
  * ssleay_rand_add() really needs to call MD_Update() for buf.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 07 May 2008 20:32:12 +0200

openssl (0.9.8g-8) unstable; urgency=high

  * Don't add extensions to ssl v3 connections.  It breaks with some
    other software.  (Closes: #471681)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 23 Mar 2008 17:50:04 +0000

openssl (0.9.8g-7) unstable; urgency=low

  * Upload to unstable.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Feb 2008 22:22:29 +0000

openssl (0.9.8g-6) experimental; urgency=low

  * Bump shlibs.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 09 Feb 2008 15:42:22 +0100

openssl (0.9.8g-5) experimental; urgency=low

  * Enable tlsext.  This changes the ABI, but should hopefully
    not cause any problems. (Closes: #462596)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 09 Feb 2008 13:32:49 +0100

openssl (0.9.8g-4) unstable; urgency=low

  * Fix aes ige test speed not to overwrite it's buffer and
    cause segfauls.  Thanks to Tim Hudson (Closes: #459619)
  * Mark some strings in the templates as non translatable.
    Patch from Christian Perrier <bubulle@debian.org> (Closes: #450418)
  * Update Dutch debconf translation (Closes: #451290)
  * Update French debconf translation (Closes: #451375)
  * Update Catalan debconf translation (Closes: #452694)
  * Update Basque debconf translation (Closes: #457285)
  * Update Finnish debconf translation (Closes: #458261)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 16 Jan 2008 21:49:43 +0100

openssl (0.9.8g-3) unstable; urgency=low

  * aes-586.pl: push %ebx on the stack before we put some things on the
    stack and call a function, giving AES_decrypt() wrong values to work
    with.  (Closes: #449200)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 04 Nov 2007 21:49:00 +0100

openssl (0.9.8g-2) unstable; urgency=low

  * Avoid text relocations on i386 caused by the assembler versions:
    - x86unix.pl: Create a function_begin_B_static to create a
      static/local assembler function.
    - aes-586.pl: Use the function_begin_B_static for _x86_AES_decrypt
      so that it doesn't get exported and doesn't have any (text) relocations.
    - aes-586.pl: Set up ebx to point to the GOT and call AES_set_encrypt_key
      via the PLT to avoid a relocation.
    - x86unix.pl: Call the init function via the PLT, avoiding a relocation
      in case of a PIC object.
    - cbc.pl: Call functions via the PLT.
    - desboth.pl: Call DES_encrypt2 via the PLT.
  * CA.sh should use the v3_ca extension when called with -newca
    (Closes: #428051)
  * Use -Wa,--noexecstack for all arches in Debian.  (Closes: #430583)
  * Convert the failure message when services fail restart to a debconf
    message.
  * To restart a service, just restart, instead of stop and start.
    Hopefully fixes #444946
  * Also remove igetest from the test dir in the clean target.
    (Closes: #424362)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 03 Nov 2007 13:25:45 +0100

openssl (0.9.8g-1) unstable; urgency=low

  * New upstream release
    - Fixes version number not to say it's a development version.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 20 Oct 2007 12:47:10 +0200

openssl (0.9.8f-1) unstable; urgency=low

  * New upstream release
    - Fixes DTLS issues, also fixes CVE-2007-4995 (Closes: #335703, #439737)
    - Proper inclusion of opensslconf.h in pq_compat.h (Closes: #408686)
    - New function SSL_set_SSL_CTX: bump shlibs.
  * Remove build dependency on gcc > 4.2
  * Remove the openssl preinst, it looks like a workaround
    for a change in 0.9.2b where config files got moved.  (Closes: #445095)
  * Update debconf translations:
    - Vietnamese (Closes: #426988)
    - Danish (Closes: #426774)
    - Slovak (Closes: #440723)
    - Finnish (Closes: #444258)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 13 Oct 2007 00:47:22 +0200

openssl (0.9.8e-9) unstable; urgency=high

  * CVE-2007-5135: Fix off by one error in SSL_get_shared_ciphers().
    (Closes: #444435)
  * Add postgresql-8.2 to the list of services to check.

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 28 Sep 2007 19:47:33 +0200

openssl (0.9.8e-8) unstable; urgency=low

  * Fix another case of the "if this code is reached, the program will abort"
    (Closes: #429740)
  * Temporary force to build with gcc >= 4.2

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 02 Sep 2007 18:12:11 +0200

openssl (0.9.8e-7) unstable; urgency=low

  * Fix problems with gcc-4.2 (Closes: #429740)
  * Stop using -Bsymbolic to create the shared library.
  * Make x86_64cpuid.pl use PIC.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 02 Sep 2007 16:15:18 +0200

openssl (0.9.8e-6) unstable; urgency=high

  * Add fix for CVE-2007-3108 (Closes: #438142)

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 15 Aug 2007 19:49:54 +0200

openssl (0.9.8e-5) unstable; urgency=low

  [ Christian Perrier ]
  * Debconf templates proofread and slightly rewritten by
    the debian-l10n-english team as part of the Smith Review Project.
    Closes: #418584
  * Debconf templates translations:
    - Arabic. Closes: #418669
    - Russian. Closes: #418670
    - Galician. Closes: #418671
    - Swedish. Closes: #418679
    - Korean. Closes: #418755
    - Czech. Closes: #418768
    - Basque. Closes: #418784
    - German. Closes: #418785
    - Traditional Chinese. Closes: #419915
    - Brazilian Portuguese. Closes: #419959
    - French. Closes: #420429
    - Italian. Closes: #420461
    - Japanese. Closes: #420482
    - Catalan. Closes: #420833
    - Dutch. Closes: #420925
    - Malayalam. Closes: #420986
    - Portuguese. Closes: #421032
    - Romanian. Closes: #421708

  [ Kurt Roeckx ]
  * Remove the Provides for the udeb. Patch from Frans Pop. (Closes: #419608)
  * Updated Spanish debconf template.  (Closes: #421336)
  * Do the header changes, changing those defines into real functions,
    and bump the shlibs to match.
  * Update Japanese debconf translation.  (Closes: #422270)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 15 May 2007 17:21:08 +0000

openssl (0.9.8e-4) unstable; urgency=low

  * openssl should depend on libssl0.9.8 0.9.8e-1 since it
    uses some of the defines that changed to functions.
    Other things build against libssl or libcrypto shouldn't
    have this problem since they use the old headers.
    (Closes: #414283)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 10 Mar 2007 17:11:46 +0000

openssl (0.9.8e-3) unstable; urgency=low

  * Add nagios-nrpe-server to the list of services to be checked
    (Closes: #391188)
  * EVP_CIPHER_CTX_key_length() should return the set key length in the
    EVP_CIPHER_CTX structure which may not be the same as the underlying
    cipher key length for variable length ciphers.
    From upstream CVS.  (Closes: #412979)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun,  4 Mar 2007 23:22:51 +0000

openssl (0.9.8e-2) unstable; urgency=low

  * Undo include changes that change defines into real functions,
    but keep the new functions in the library.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 25 Feb 2007 19:19:19 +0000

openssl (0.9.8e-1) unstable; urgency=low

  * New upstream release
    - Inludes security fixes for CVE-2006-2937, CVE-2006-2940,
      CVE-2006-3738, CVE-2006-4343 (Closes: #408902)
    - s_client now properly works with SMTP.  Also added support
      for IMAP.  (closes: #221689)
    - Load padlock modules (Closes: #345656, #368476)
  * Add clamav-freshclam and clamav-daemon to the list of service that
    need to be restarted.  (Closes: #391191)
  * Add armel support.  Thanks to Guillem Jover <guillem.jover@nokia.com>
    for the patch.  (Closes: #407196)
  * Add Portuguese translations.  Thanks to Carlos Lisboa.  (Closes: 408157)
  * Add Norwegian translations.  Thanks to Bjørn Steensrud
    <bjornst@powertech.no> (Closes: #412326)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 25 Feb 2007 18:06:28 +0000

openssl (0.9.8c-4) unstable; urgency=low

  * Add German debconf translation.  Thanks to
    Johannes Starosta <feedback-an-johannes@arcor.de> (Closes: #388108)
  * Make c_rehash look for both .pem and .crt files.  Also make it support
    files in DER format.  Patch by "Yauheni Kaliuta" <y.kaliuta@gmail.com>
    (Closes: #387089)
  * Use & instead of && to check a flag in the X509 policy checking.
    Patch from upstream cvs.  (Closes: #397151)
  * Also restart slapd for security updates (Closes: #400221)
  * Add Romanian debconf translation.  Thanks to
    stan ioan-eugen <stan.ieugen@gmail.com> (Closes: #393507)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 30 Nov 2006 20:57:46 +0000

openssl (0.9.8c-3) unstable; urgency=low

  * Fix patch for CVE-2006-2940, it left ctx unintiliased.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon,  2 Oct 2006 18:05:00 +0200

openssl (0.9.8c-2) unstable; urgency=high

  * Fix security vulnerabilities (CVE-2006-2937, CVE-2006-2940,
    CVE-2006-3738, CVE-2006-4343).  Urgency set to high.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 27 Sep 2006 21:24:55 +0000

openssl (0.9.8c-1) unstable; urgency=low

  * New upstream release
    - block padding bug with compression now fixed upstream, using
      their patch.
    - Includes the RSA Signature Forgery (CVE-2006-4339) patch.
    - New functions AES_bi_ige_encrypt and AES_ige_encrypt:
      bumping shlibs to require 0.9.8c-1.
  * Change the postinst script to check that ntp is installed instead
    of ntp-refclock and ntp-simple.  The binary is now in the ntp
    package.
  * Move the modified rand/md_rand.c file to the right place,
    really fixing #363516.
  * Add partimage-server conserver-server and tor to the list of service
    to check for restart.  Add workaround for openssh-server so it finds
    the init script.  (Closes: #386365, #386400, #386513)
  * Add manpage for c_rehash.
    Thanks to James Westby <jw+debian@jameswestby.net> (Closes: #215618)
  * Add Lithuanian debconf translation.
    Thanks to Gintautas Miliauskas <gintas@akl.lt>  (Closes: #374364)
  * Add m32r support.
    Thanks to Kazuhiro Inaoka <inaoka.kazuhiro@renesas.com>
    (Closes: #378689)

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 17 Sep 2006 14:47:59 +0000

openssl (0.9.8b-3) unstable; urgency=high

  * Fix RSA Signature Forgery (CVE-2006-4339) using patch provided
    by upstream.
  * Restart services using a smaller version that 0.9.8b-3, so
    they get the fixed version.
  * Change the postinst to check for postfix instead of postfix-tls.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue,  5 Sep 2006 18:26:10 +0000

openssl (0.9.8b-2) unstable; urgency=low

  * Don't call gcc with -mcpu on i386, we already use -march, so no need for
    -mtune either.
  * Always make all directories when building something:
    - The engines directory didn't get build for the static directory, so
      where missing in libcrypo.a
    - The apps directory didn't always get build, so we didn't have an openssl
      and a small part of the regression tests failed.
  * Make the package fail to build if the regression tests fail.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 15 May 2006 16:00:58 +0000

openssl (0.9.8b-1) unstable; urgency=low

  * New upstream release
    - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
    - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
      instead of FALSE.
    - CA.pl/CA.sh creates crlnumber now.  (Closes: #347612)
  * Run debconf-updatepo, which really already was in the 0.9.8a-8 version
    as it was uploaded.
  * Add Galician debconf translation.  Patch from
    Jacobo Tarrio <jtarrio@trasno.net>  (Closes: #361266)
  * libssl0.9.8.postinst makes uses of bashisms (local variables)
    so use #!/bin/bash
  * libssl0.9.8.postinst: Call set -e after sourcing the debconf
    script.
  * libssl0.9.8.postinst: Change list of service that may need
    to be restarted:
    - Replace ssh by openssh-server
    - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
    - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
      fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
  * libssl0.9.8.postinst: The check to see if something was installed
    wasn't working.
  * libssl0.9.8.postinst: Add workaround to find the name of the init
    script for proftpd and dovecot.
  * libssl0.9.8.postinst: Use invoke-rc.d when it's available.
  * Change Standards-Version to 3.7.0:
    - Make use of invoke-rc.d
  * Add comment to README.Debian that rc5, mdc2 and idea have been
    disabled (since 0.9.6b-3)  (Closes: #362754)
  * Don't add uninitialised data to the random number generator.  This stop
    valgrind from giving error messages in unrelated code.
    (Closes: #363516)
  * Put the FAQ in the openssl docs.
  * Add russian debconf translations from Yuriy Talakan <yt@amur.elektra.ru>
    (Closes #367216)

 -- Kurt Roeckx <kurt@roeckx.be>  Thu,  4 May 2006 20:40:03 +0200

openssl (0.9.8a-8) unstable; urgency=low

  * Call pod2man with the proper section.  Section changed
    from 1/3/5/7 to 1SSL/3SSL/5SSL/7SSL.  The name of the files
    already had the ssl in, the section didn't.  The references
    to other manpage is still wrong.
  * Don't install the LICENSE file, it's already in the copyright file.
  * Don't set an rpath on openssl to point to /usr/lib.
  * Add support for kfreebsd-amd64. (Closes: #355277)
  * Add udeb to the shlibs.  Patch from Frans Pop <aragorn@tiscali.nl>
    (Closes: #356908)

 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 11 Feb 2006 14:14:37 +0100

openssl (0.9.8a-7) unstable; urgency=high

  * Add italian debconf templates.  Thanks to Luca Monducci.
    (Closes: #350249)
  * Change the debconf question to use version 0.9.8-3
    instead of 0.9.8-1, since that's the last version
    with a security fix.
  * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
    (Closes: #352047).  RC bug affecting testing, so urgency high.

 -- Kurt Roeckx <kurt@roeckx.be>  Sat,  9 Feb 2006 19:07:56 +0100

openssl (0.9.8a-6) unstable; urgency=low

  * Remove empty postinst/preinst/prerm scripts.  There is no need
    to have empty ones, debhelper will add them when needed.
  * Remove the static pic libraries.  Nobody should be linking
    it's shared libraries static to libssl or libcrypto.
    This was added for opensc who now links to it shared.
  * Do not assume that in case the sequence number is 0 and the
    packet has an odd number of bytes that the other side has
    the block padding bug, but try to check that it actually
    has the bug.  The wrong detection of this bug resulted
    in an "decryption failed or bad record mac" error in case
    both sides were using zlib compression.  (Closes: #338006)

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 21 Jan 2006 16:25:41 +0100

openssl (0.9.8a-5) unstable; urgency=low

  * Stop ssh from crashing randomly on sparc (Closes: #335912)
    Patch from upstream cvs.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 13 Dec 2005 21:37:42 +0100

openssl (0.9.8a-4) unstable; urgency=low

  * Call dh_makeshlibs with the proper version instead of putting
    it in shlibs.local, which doesn't seem to do anything.  0.9.8a-1
    added symbol versioning, so it should have bumped the shlibs.
    (Closes: #338284)
  * The openssl package had a duplicate dependency on libssl0.9.8,
    only require the version as required by the shlibs.
  * Make libssl-dev depend on zlib1g-dev, since it's now required for
    static linking. (Closes: #338313)
  * Generate .pc files that make use of Libs.private, so things only
    link to the libraries they should when linking shared.
  * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
  * Make powerpc and ppc64 use the assembler version for bn.  ppc64
    had the location in the string wrong, powerpc had it missing.
  * Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
    ripemd.h and sha.h.  (Closes: #333101)
  * Run make test for each of the versions we build, make it
    not fail the build process if an error is found.
  * Add build dependency on bc for the regression tests.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Nov 2005 16:01:05 +0100

openssl (0.9.8a-3) unstable; urgency=high

  * Link to libz instead of dynamicly loading it.  It gets loaded
    at the moment the library is initialised, so there is no point
    in not linking to it.  It's now failing in some cases since
    it's not opened by it's soname, but by the symlink to it.
    This should hopefully solve most of the bugs people have reported
    since the move to libssl0.9.8.
    (Closes: #334180, #336140, #335271)
  * Urgency set to high because it fixes a grave bug affecting testing.

 -- Kurt Roeckx <kurt@roeckx.be>  Tue,  1 Nov 2005 14:56:40 +0100

openssl (0.9.8a-2) unstable; urgency=low

  * Add Build-Dependency on m4, since sparc needs it to generate
    it's assembler files.  (Closes: #334542)
  * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
    and causes a segfault.  (Closes: #334501, #334502)

 -- Kurt Roeckx <kurt@roeckx.be>  Tue, 18 Oct 2005 19:05:53 +0200

openssl (0.9.8a-1) unstable; urgency=low

  Christoph Martin:
  * fix asm entries for some architectures, fixing #332758 properly.
  * add noexecstack option to i386 subarch
  * include symbol versioning in Configure (closes: #330867)
  * include debian-armeb arch (closes: #333579)
  * include new upstream patches; includes some minor fixes
  * fix dh_shlibdeps line, removing the redundant dependency on
    libssl0.9.8 (closes: #332755)
  * add swedish debconf template (closes: #330554)

  Kurt Roeckx:
  * Also add noexecstack option for amd64, since it now has an
    executable stack with the assembler fixes for amd64.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 17 Oct 2005 17:01:06 +0200

openssl (0.9.8-3) unstable; urgency=low

  * Apply security fix for CAN-2005-2969. (Closes: #333500)
  * Change priority of -dbg package to extra.

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 12 Oct 2005 22:38:58 +0200

openssl (0.9.8-2) unstable; urgency=low

  * Don't use arch specific assembler.  Should fix build failure on
    ia64, sparc and amd64. (Closes: #332758)
  * Add myself to the uploaders.

 -- Kurt Roeckx <kurt@roeckx.be>  Mon, 10 Oct 2005 19:22:36 +0200

openssl (0.9.8-1) unstable; urgency=low

  * New upstream release (closes: #311826)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 29 Sep 2005 14:20:04 +0200

openssl (0.9.7g-3) unstable; urgency=low

  * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
    (closes: #327692)
  * include -dbg version. That implies compiling with -g and without
    -fomit-frame-pointer (closes: #293823, #153811)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 23 Sep 2005 13:51:57 +0200

openssl (0.9.7g-2) unstable; urgency=low

  * really include nl translation
  * remove special ia64 code from rc4 code to make the abi compatible to
    older 0.9.7 versions (closes: #310489, #309274)
  * fix compile flag for debian-ppc64 (closes: #318750)
  * small fix in libssl0.9.7.postinst (closes: #239956)
  * fix pk7_mime.c to prevent garbled messages because of to early memory
    free (closes: #310184)
  * include vietnamese debconf translation (closes: #316689)
  * make optimized i386 libraries have non executable stack (closes:
    #321721)
  * remove leftover files from ssleay
  * move from dh_installmanpages to dh_installman
  * change Maintainer to pkg-openssl-devel@lists.alioth.debian.org

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  7 Sep 2005 15:32:54 +0200

openssl (0.9.7g-1) unstable; urgency=low

  * New upstream release
    * Added support for proxy certificates according to RFC 3820.
      Because they may be a security thread to unaware applications,
      they must be explicitely allowed in run-time.  See
      docs/HOWTO/proxy_certificates.txt for further information.
    * Prompt for pass phrases when appropriate for PKCS12 input format.
    * Back-port of selected performance improvements from development
      branch, as well as improved support for PowerPC platforms.
    * Add lots of checks for memory allocation failure, error codes to indicate
      failure and freeing up memory if a failure occurs.
    * Perform some character comparisons of different types in X509_NAME_cmp:
      this is needed for some certificates that reencode DNs into UTF8Strings
      (in violation of RFC3280) and can't or wont issue name rollover
      certificates.
  * corrected watchfile
  * added upstream source url (closes: #292904)
  * fix typo in CA.pl.1 (closes: #290271)
  * change debian-powerpc64 to debian-ppc64 and adapt the configure
    options to be the same like upstream (closes: #289841)
  * include -signcert option in CA.pl usage
  * compile with zlib-dynamic to use system zlib (closes: #289872)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  9 May 2005 23:32:03 +0200

openssl (0.9.7e-3) unstable; urgency=high

  * really fix der_chop. The fix from -1 was not really included (closes:
    #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Dec 2004 18:41:29 +0100

openssl (0.9.7e-2) unstable; urgency=high

  * fix perl path in der_chop and c_rehash (closes: #281212)
  * still fixes security problem CAN-2004-0975 etc.
    - tempfile raise condition in der_chop
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 14 Nov 2004 20:16:21 +0100

openssl (0.9.7e-1) unstable; urgency=high

  * SECURITY UPDATE: fix insecure temporary file handling
  * apps/der_chop:
    - replaced $$-style creation of temporary files with
      File::Temp::tempfile()
    - removed unused temporary file name in do_certificate()
  * References:
    CAN-2004-0975 (closes: #278260)
  * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
  * New upstream release with security fixes
    - Avoid a race condition when CRLs are checked in a multi threaded
      environment.
    - Various fixes to s3_pkt.c so alerts are sent properly.
    - Reduce the chances of duplicate issuer name and serial numbers (in
      violation of RFC3280) using the OpenSSL certificate creation
      utilities.
  * depends openssl on perl-base instead of perl (closes: #280225)
  * support powerpc64 in Configure (closes: #275224)
  * include cs translation (closes: #273517)
  * include nl translation (closes: #272479)
  * Fix default dir of c_rehash (closes: #253126)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 12 Nov 2004 14:11:15 +0100

openssl (0.9.7d-5) unstable; urgency=low

  * Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
    #241386)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 26 Jul 2004 17:22:42 +0200

openssl (0.9.7d-4) unstable; urgency=low

  * add Catalan translation (closes: #248749)
  * add Spanish translation (closes: #254561)
  * include NMU fixes: see below
  * decrease optimisation level for debian-arm to work around gcc bug
    (closes: #253848) (thanks to Steve Langasek and Thom May)
  * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
  * Add watchfile

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 14 Jul 2004 14:31:02 +0200

openssl (0.9.7d-3) unstable; urgency=low

  * rename -pic.a libraries to _pic.a (closes: #250016)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 24 May 2004 17:02:29 +0200

openssl (0.9.7d-2) unstable; urgency=low

  * include PIC libs (libcrypto-pic.a and libssl-pic.a) to libssl-dev
    (closes: #246928, #243999)
  * add racoon to restart list (closes: #242652)
  * add Brazilian, Japanese and Danish translations (closes: #242087,
    #241830, #241705)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 11 May 2004 10:13:49 +0200

openssl (0.9.7d-1) unstable; urgency=high

  * new upstream
  * fixes security holes (http://www.openssl.org/news/secadv_20040317.txt)
    (closes: #238661)
  * includes support for debian-amd64 (closes: #235551, #232310)
  * fix typo in pem.pod (closes: #219873)
  * fix typo in libssl0.9.7.templates (closes: #224690)
  * openssl suggests ca-certificates (closes: #217180)
  * change debconf template to gettext format (closes: #219013)
  * include french debconf template (closes: #219014)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 18 Mar 2004 16:18:43 +0100

openssl (0.9.7c-5) unstable; urgency=low

  * include openssl.pc into libssl-dev (closes: #212545)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Oct 2003 16:31:32 +0200

openssl (0.9.7c-4) unstable; urgency=low

  * change question to restart services to debconf (closes: #214840)
  * stop using dh_undocumented (closes: #214831)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 10 Oct 2003 15:40:48 +0200

openssl (0.9.7c-3) unstable; urgency=low

  * fix POSIX conformance for head in libssl0.9.7.postinst (closes:
    #214700)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  8 Oct 2003 14:02:38 +0200

openssl (0.9.7c-2) unstable; urgency=low

  * add filerc macro to libssl0.9.7.postinst (closes: #213906)
  * restart spamassassins spamd on upgrade (closes: #214106)
  * restart more services on upgrade
  * fix EVP_BytesToKey manpage (closes: #213715)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  7 Oct 2003 15:01:32 +0200

openssl (0.9.7c-1) unstable; urgency=high

  * upstream security fix (closes: #213451)
   - Fix various bugs revealed by running the NISCC test suite:
     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).
     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.
   - In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
  * more minor upstream bugfixes
  * fix formatting in c_issuer (closes: #190026)
  * fix Debian-FreeBSD support (closes: #200381)
  * restart some services in postinst to make them use the new libraries
  * remove duplicated openssl.1, crypto.3 and ssl.3 (closes: #198594)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  1 Oct 2003 08:54:27 +0200

openssl (0.9.7b-2) unstable; urgency=high

  * fix permission of /etc/ssl/private to 700 again
  * change section of libssl-dev to libdevel

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 23 Apr 2003 11:13:24 +0200

openssl (0.9.7b-1) unstable; urgency=high

  * upstream security fix
   - Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c). (CAN-2003-0131)
    (closes: #189087)
   - Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases. (CAN-2003-0147)
   - Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).  Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
    for more details see the CHANGES file

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 16 Apr 2003 10:32:57 +0200

openssl (0.9.7a-1) unstable; urgency=high

  * upstream Security fix
    - In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
      between bad padding and a MAC verification error. (CAN-2003-0078)
    for more details see the CHANGES file

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 21 Feb 2003 22:39:40 +0100

openssl (0.9.7-4) unstable; urgency=low

  * use DH_COMPAT=3 to build
  * move i686 to i686/cmov to fix problems on Via C3. For that to work we
    have to depend on the newest libc6 on i386 (closes: #177891)
  * fix bug in ui_util.c (closes: #177615)
  * fix typo in md5.h (closes: #178112)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 24 Jan 2003 10:22:56 +0100

openssl (0.9.7-3) unstable; urgency=low

  * enable build of ultrasparc code on non ultrasparc machines (closes:
    #177024)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 17 Jan 2003 08:22:13 +0100

openssl (0.9.7-2) unstable; urgency=low

  * include changes between 0.9.6g-9 and -10
    * fix problem in build-process on i386 with libc6 version number

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 13 Jan 2003 14:26:56 +0100

openssl (0.9.7-1) unstable; urgency=low

  * new upstream
    * includes engine support
    * a lot of bugfixes and enhancements, see the CHANGES file
    * include AES encryption
    * makes preview of certificate configurable (closes: #176059)
    * fix x509 manpage (closes: #168070)
    * fix declaration of ERR_load_PEM_string in pem.h (closes: #141360)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 11 Jan 2003 09:12:16 +0100

openssl (0.9.6g-10) unstable; urgency=low

  * fix problem in build-process on i386 with libc6 version number
    (closes: #167096)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  4 Nov 2002 12:27:21 +0100

openssl (0.9.6g-9) unstable; urgency=low

  * fix typo in i386 libc6 depend (sigh) (closes: #163848)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  8 Oct 2002 23:29:20 +0200

openssl (0.9.6g-8) unstable; urgency=low

  * fix libc6 depends. Only needed for i386 (closes: #163701)
  * remove SHLIB section for bsds from Configure (closes: #163585)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue,  8 Oct 2002 10:57:35 +0200

openssl (0.9.6g-7) unstable; urgency=low

  * enable i686 optimisation and depend on fixed glibc (closes: #163500)
  * remove transition package ssleay
  * include optimisation vor sparcv8 (closes: #139996)
  * improve optimisation vor sparcv9

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun,  6 Oct 2002 14:07:12 +0200

openssl (0.9.6g-6) unstable; urgency=low

  * temporarily disable i686 optimisation (See bug in glibc #161788)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 21 Sep 2002 18:56:49 +0200

openssl (0.9.6g-5) unstable; urgency=low

  * i486 can use i586 assembler
  * include set -xe in the for loops in the rules files to make it abort
    on error (closes: #161768)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 21 Sep 2002 16:23:11 +0200

openssl (0.9.6g-4) unstable; urgency=low

  * fix optimization for alpha and sparc
  * add optimization for i486

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 20 Sep 2002 22:36:19 +0200

openssl (0.9.6g-3) unstable; urgency=low

  * add optimized libraries for i586, i686, ev4, ev5 and v9 (closes: #139783)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 19 Sep 2002 18:33:04 +0200

openssl (0.9.6g-2) unstable; urgency=low

  * fix manpage names (closes: #156717, #156718, #156719, #156721)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 15 Aug 2002 11:26:37 +0200

openssl (0.9.6g-1) unstable; urgency=low

  * new upstream version
  * Use proper error handling instead of 'assertions' in buffer
    overflow checks added in 0.9.6e.  This prevents DoS (the
    assertions could call abort()). (closes: #155985, #156495)
  * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
    and get fix the header length calculation.
  * include support for new sh* architectures (closes: #155117)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 14 Aug 2002 13:59:22 +0200

openssl (0.9.6e-1) unstable; urgency=high

  * fixes remote exploits (see DSA-136-1)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 30 Jul 2002 18:32:28 +0200

openssl (0.9.6d-1) unstable; urgency=low

  * new upstream (minor) version
  * includes Configure lines for debian-*bsd-* (closes: #130413)
  * fix wrong prototype for BN_pseudo_rand_range in BN_rand(3ssl) (closes:
    #144586)
  * fix typos in package description (closes: #141469)
  * fix typo in SSL_CTX_set_cert_store manpage (closes: #135297)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  3 Jun 2002 19:42:10 +0200

openssl (0.9.6c-2) unstable; urgency=low

  * moved from non-US to main

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 19 Mar 2002 14:48:39 +0100

openssl (0.9.6c-1) unstable; urgency=low

  * new upstream version with a lot of bugfixes
  * remove directory /usr/include/openssl from openssl package (closes:
    bug #121226)
  * remove selfdepends from libssl0.9.6
  * link openssl binary shared again

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat,  5 Jan 2002 19:04:31 +0100

openssl (0.9.6b-4) unstable; urgency=low

  * build with -D_REENTRANT for threads support on all architectures
    (closes: #112329, #119239)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 24 Nov 2001 12:17:51 +0100

openssl (0.9.6b-3) unstable; urgency=low

  * disable idea, mdc2 and rc5 because they are not free (closes: #65368)
  * ready to be moved from nonus to main

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 21 Nov 2001 17:51:41 +0100

openssl (0.9.6b-2) unstable; urgency=high

  * fix definition of crypt in des.h (closes: #107533)
  * fix descriptions (closes: #109503)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 17 Sep 2001 15:38:27 +0200

openssl (0.9.6b-1) unstable; urgency=medium

  * new upstream fixes some security issues (closes: #105835, #100146)
  * added support for s390 (closes: #105681)
  * added support for sh (closes: #100003)
  * change priority of libssl096 to standard as ssh depends on it (closes:
    #105440)
  * don't optimize for i486 to support i386. (closes: #104127, #82194)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri, 20 Jul 2001 15:52:42 +0200

openssl (0.9.6a-3) unstable; urgency=medium

  * add perl-base to builddeps
  * include static libraries in libssl-dev (closes: #93688)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 14 May 2001 20:16:06 +0200

openssl (0.9.6a-2) unstable; urgency=medium

  * change Architecture of ssleay from any to all (closes: #92913)
  * depend libssl-dev on the exact same version of libssl0.9.6 (closes:
    #88939)
  * remove lib{crypto,ssl}.a from openssl (closes: #93666)
  * rebuild with newer gcc to fix atexit problem (closes: #94036)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  2 May 2001 12:28:39 +0200

openssl (0.9.6a-1) unstable; urgency=medium

  * new upstream, fixes some security bugs (closes: #90584)
  * fix typo in s_server manpage (closes: #89756)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 10 Apr 2001 12:13:11 +0200

openssl (0.9.6-2) unstable; urgency=low

  * policy: reorganisation of package names: libssl096 -> libssl0.9.6,
    libssl096-dev -> libssl-dev (closes: #83426)
  * libssl0.9.6 drops replaces libssl09 (Closes: #83425)
  * install upstream CHANGES files (Closes: #83430)
  * added support for hppa and ia64 (Closes: #88790)
  * move man3 manpages to libssl-dev (Closes: #87546)
  * fix formating problem in rand_add(1) (Closes: #87547)
  * remove manpage duplicates (Closes: #87545, #74986)
  * make package descriptions clearer (Closes: #83518, #83444)
  * increase default emailAddress_max from 40 to 60 (Closes: #67238)
  * removed RSAREF warning (Closes: #84122)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu,  8 Mar 2001 14:24:00 +0100

openssl (0.9.6-1) unstable; urgency=low

  * New upstream version (Thanks to Enrique Zanardi <ezanard@debian.org>)
    (closes: #72388)
  * Add support for debian-hurd (closes: #76032)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 13 Nov 2000 22:30:46 +0100

openssl (0.9.5a-5) unstable; urgency=low

  * move manpages in standard directories with section ssl (closes:
    #72152, #69809)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu,  5 Oct 2000 19:56:20 +0200

openssl (0.9.5a-4) unstable; urgency=low

  * include edg_rand_bytes patch from and for apache-ssl

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 23 Sep 2000 16:48:06 +0200

openssl (0.9.5a-3) unstable; urgency=low

  * fix call to dh_makeshlibs to create correct shlibs file and make
    dependend programs link correctly (closes: Bug#61658)
  * include a note in README.debian concerning the location of the
    subcommand manpages (closes: Bug#69809)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 16 Sep 2000 19:10:50 +0200

openssl (0.9.5a-2) unstable; urgency=low

  * try to fix the sharedlib problem. change soname of library
  (closes: Bug#4622, #66102, #66538, #66123)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 12 Jul 2000 03:26:30 +0200

openssl (0.9.5a-1) unstable; urgency=low

  * new upstream version (major changes see file NEWS) (closes: Bug#63976,
    #65239, #65358)
  * new library package libssl095a because of probably changed library
    interface (closes: Bug#46222)
  * added architecture mips and mipsel (closes: Bug#62437, #60366)
  * provide shlibs.local file in build to help build if libraries are not
    yet installed (closes: Bug#63984)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 11 Jun 2000 15:17:35 +0200

openssl (0.9.4-5) frozen unstable; urgency=medium

  * cleanup of move of doc directories to /usr/share/doc (closes:
    Bug#56430)
  * lintian issues (closes: Bug#49358)
  * move demos from openssl to libssl09-dev (closes: Bug#59201)
  * move to debhelpers

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 11 Mar 2000 10:38:04 +0100

openssl (0.9.4-4) unstable; urgency=medium

  * Added 'debian-arm' in 'Configure'. (closes: Bug#54251, #54766)
  * Fixed Configure for 'debian-m68k' (closes: Bug#53636)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 15 Jan 2000 13:16:18 +0100

openssl (0.9.4-3) unstable; urgency=low

  * define symbol SSLeay_add_ssl_algorithms for backward compatibility
    (closes: Bug#46882)
  * remove manpages from /usr/doc/openssl (closes: Bug#46791)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 14 Oct 1999 16:51:08 +0200

openssl (0.9.4-2) unstable; urgency=low

  * include some more docu in pod format (Bug #43933)
  * removed -mv8 from sparc flags (Bug #44769)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 14 Sep 1999 22:04:06 +0200

openssl (0.9.4-1) unstable; urgency=low

  * new upstream version (Closes: #42926)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sat, 28 Aug 1999 17:04:23 +0200

openssl (0.9.3a-1) unstable; urgency=low

  * new upstream version (Bug #38345, #38627)
  * sparc is big-endian (Bug #39973)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  7 Jul 1999 16:03:37 +0200

openssl (0.9.2b-3) unstable; urgency=low

  * correct move conffiles to /etc/ssl (Bug #38570)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 31 May 1999 21:08:07 +0200

openssl (0.9.2b-2) unstable; urgency=low

  * added convenience package ssleay to help upgrade to openssl (Bug
    #37185, #37623, #36326)
  * added some missing dependencies from libssl09 (Bug #36681, #35867,
    #36326)
  * move lib*.so to libssl09-dev (Bug #36761)
  * corrected version numbers of library files
  * introduce link from /usr/lib/ssl to /etc/ssl (Bug #36710)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 23 May 1999 14:57:48 +0200

openssl (0.9.2b-1) unstable; urgency=medium

  * First openssl version

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 31 Mar 1999 15:54:26 +0200

ssleay (0.9.0b-2) unstable; urgency=low

  * Include message about the (not)usage of RSAREF (#24409)
  * Move configfiles from /usr/lib/ssl to /etc/ssl (#26406)
  * Change definitions for sparc (#26487)
  * Added missing dependency (#28591)
  * Make debian/libtool executable (#29708)
  * /etc/ssl/lib/ssleay.cnf is now a confile (#32624)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Sun, 21 Mar 1999 19:41:04 +0100

ssleay (0.9.0b-1) unstable; urgency=low

  * new upstream version (Bug #21227, #25971)
  * build shared libraries with -fPIC (Bug #20027)
  * support sparc architecture (Bug #28467)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 13 Oct 1998 10:20:13 +0200

ssleay (0.8.1-7) frozen unstable; urgency=high

  * security fix patch to 0.8.1b (bug #24022)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon,  6 Jul 1998 15:42:15 +0200

ssleay (0.8.1-6) frozen unstable; urgency=low

  * second try to fix bug #15235 (copyright was still missing)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Mon, 22 Jun 1998 08:56:27 +0200

ssleay (0.8.1-5) frozen unstable; urgency=high

  * changed /dev/random to /dev/urandom (Bug #23169, #17817)
  * copyright contains now the full licence (Bug #15235)
  * fixed bug #19410 (md5sums-lists-nonexisting-file)
  * added demos to /usr/doc (Bug #17372)
  * fixed type in package description (Bug #18969)
  * fixed bug in adding documentation (Bug #21463)
  * added patch for support of debian-powerpc (Bug #21579)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 18 Jun 1998 23:09:13 +0200

ssleay (0.8.1-4) unstable; urgency=low

  * purged dependency from libc5

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Tue, 11 Nov 1997 15:31:50 +0100

ssleay (0.8.1-3) unstable; urgency=low

  * changed packagename libssl to libssl08 to get better dependancies

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Fri,  7 Nov 1997 14:23:17 +0100

ssleay (0.8.1-2) unstable; urgency=low

  * linked shared libraries against libc6
  * use /dev/random for randomseed

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed,  5 Nov 1997 11:21:40 +0100

ssleay (0.8.1-1) unstable; urgency=low

  * new upstream version

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Thu, 16 Oct 1997 16:15:43 +0200

ssleay (0.6.6-2) unstable; urgency=low

  * cleanup in diffs
  * removed INSTALL from docs (bug #13205)
  * split libssl and libssl-dev (but #13735)

 -- Christoph Martin <christoph.martin@uni-mainz.de>  Wed, 15 Oct 1997 17:38:38 +0200

ssleay (0.6.6-1) unstable; urgency=low

  * New upstream version
  * added shared libraries for libcrypto and libssl

 -- Christoph Martin <martin@uni-mainz.de>  Thu, 26 Jun 1997 19:26:14 +0200

ssleay (0.6.4-2) unstable; urgency=low

  * changed doc filenames from .doc to .txt to be able to read them
    over with webbrowser

 -- Christoph Martin <martin@uni-mainz.de>  Tue, 25 Feb 1997 14:02:53 +0100

ssleay (0.6.4-1) unstable; urgency=low

  * Initial Release.

 -- Christoph Martin <martin@uni-mainz.de>  Fri, 22 Nov 1996 21:29:51 +0100