The current debdiff we'd like to upload is: diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog --- openssl-1.0.1t/debian/changelog 2016-05-15 21:16:55.000000000 +0200 +++ openssl-1.0.1t/debian/changelog 2016-06-11 19:18:11.000000000 +0200 @@ -1,3 +1,14 @@ +openssl (1.0.1t-1+deb8u3) jessie; urgency=medium + + [ Kurt Roeckx ] + * Fix length check for CRLs. (Closes: #826552) + + [ Sebastian Andrzej Siewior ] + * Enable asm optimisation for s390x. Patch by Dimitri John Ledkov. + (Closes: #833156). + + -- Kurt Roeckx <k...@roeckx.be> Sat, 11 Jun 2016 19:18:11 +0200 + openssl (1.0.1t-1+deb8u2) jessie; urgency=medium * add Update-S-MIME-certificates.patch to update expired certificates to diff -Nru openssl-1.0.1t/debian/patches/debian-targets.patch openssl-1.0.1t/debian/patches/debian-targets.patch --- openssl-1.0.1t/debian/patches/debian-targets.patch 2016-05-01 23:53:42.000000000 +0200 +++ openssl-1.0.1t/debian/patches/debian-targets.patch 2016-06-11 19:18:11.000000000 +0200 @@ -56,7 +56,7 @@ +"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64el","gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-s390","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff -Nru openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch --- openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1t/debian/patches/Fix-name-length-limit-check.patch 2016-06-11 19:16:05.000000000 +0200 @@ -0,0 +1,40 @@ +From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <st...@openssl.org> +Date: Wed, 4 May 2016 16:09:06 +0100 +Subject: [PATCH] Fix name length limit check. + +The name length limit check in x509_name_ex_d2i() includes +the containing structure as well as the actual X509_NAME. This will +cause large CRLs to be rejected. + +Fix by limiting the length passed to ASN1_item_ex_d2i() which will +then return an error if the passed X509_NAME exceeds the length. + +RT#4531 + +Reviewed-by: Rich Salz <rs...@openssl.org> +(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff) +--- + crypto/asn1/x_name.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c +index a858c29..26378fd 100644 +--- a/crypto/asn1/x_name.c ++++ b/crypto/asn1/x_name.c +@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, + int i, j, ret; + STACK_OF(X509_NAME_ENTRY) *entries; + X509_NAME_ENTRY *entry; +- if (len > X509_NAME_MAX) { +- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); +- return 0; +- } ++ if (len > X509_NAME_MAX) ++ len = X509_NAME_MAX; + q = p; + + /* Get internal representation of Name */ +-- +2.8.1 + diff -Nru openssl-1.0.1t/debian/patches/series openssl-1.0.1t/debian/patches/series --- openssl-1.0.1t/debian/patches/series 2016-05-15 21:16:55.000000000 +0200 +++ openssl-1.0.1t/debian/patches/series 2016-06-11 19:18:11.000000000 +0200 @@ -20,3 +20,4 @@ openssl_fix_for_x32.patch ppc64el.patch Update-S-MIME-certificates.patch +Fix-name-length-limit-check.patch