Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
I prepared an update for OpenSSL to synchronize it with upstream's
latest stable release (i). The i release is an OpenSSL stable release
within the 1.1.0 series with no additional features. It contains only
fixes which don't fix anything security related but still qualify as
something that should be fixed with a stable release.
The BTS bugs #903566 and #907457 are two examples which were raised
within Debian.
As part of my QA I rebuilt all openssl's and libssl1.1 reverse
dependencies [0]. Some packages (like nova) failed to build against this
and current (currently Stretch) openssl due to its testsuite and it might
have something to do with my sbuild setup since it succeeded in the
"reproducible builds" build. However, openbsc also FTBFS in
"reproducible builds". Everything that FTBFS against that i also FTBFS
against the current openssl in my setup except for one package.
The package python-cryptography fails to build due to an API change of
BIO_callback_ctrl() in OpenSSL. While this is a no-no in a stable release, it
has been explained [1] that the function / callback was always used with
a different prototype. I fixed this by removing the function / prototype
from the python wrapper while upstream removed almost all BIO
related wrappers [2].
I would submit a pu bug for python-cryptography if there is nothing
wrong with this one.
I am attaching a diff of the debian/ folder of the update (the openssl
part is replaced with the new version). The whole diff is 24MiB in size
and can be fetched from [4] compressed.
If the release team would like some additional tests, please let me
know.
[0] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/
[1] https://github.com/openssl/openssl/pull/4493#discussion_r143505277
[2] https://github.com/pyca/cryptography/pull/4220
[3] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-python-cryptography/
[4] https://breakpoint.cc/openssl-rebuild/2018-09-02-rebuild-stretch-1.1.0i/ossl_1.1.0f-3deb9u2_to_1.1.0i.patch.xz
Sebastian
diff --git a/debian/changelog b/debian/changelog
index 3c231b9b2cf9a..886d06e39674d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openssl (1.1.0i-1~deb9u1) stretch; urgency=medium
+
+ * Import 1.1.0i
+- Fix segfault ERR_clear_error (Closes: #903566)
+- Fix commandline option for CAengine (Closes: #907457)
+ * Abort the build if symbols are discovered which are not part of the
+symbols file.
+
+ -- Sebastian Andrzej Siewior Mon, 03 Sep 2018 23:59:02 +0200
+
openssl (1.1.0f-3+deb9u2) stretch-security; urgency=high
* CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
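Review bot: the new 1.1.0i-1~deb9u1 entry does not mention the patches this upload drops. The same diff deletes seven files from debian/patches, among them CVE-2017-3735.patch and CVE-2017-3736.patch, and for a stable update the changelog is where the release team would check that those fixes are still covered. Suggest adding a bullet that lists the removed patches and states for each that it is contained in 1.1.0i, if that is the reason for the removal.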
diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols
index 9d70f3748ca03..84875cff36446 100644
--- a/debian/libssl1.1.symbols
+++ b/debian/libssl1.1.symbols
@@ -4,6 +4,9 @@ libcrypto.so.1.1 libssl1.1 #MINVER#
*@OPENSSL_1_1_0c 1.1.0c
*@OPENSSL_1_1_0d 1.1.0d
*@OPENSSL_1_1_0f 1.1.0f
+ *@OPENSSL_1_1_0g 1.1.0g
+ *@OPENSSL_1_1_0h 1.1.0h
+ *@OPENSSL_1_1_0i 1.1.0i
libssl.so.1.1 libssl1.1 #MINVER#
*@OPENSSL_1_1_0 1.1.0
*@OPENSSL_1_1_0d 1.1.0d
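Review bot: the three added wildcard entries (OPENSSL_1_1_0g, OPENSSL_1_1_0h, OPENSSL_1_1_0i) go only into the libcrypto.so.1.1 block, and this is the only hunk for the file, so the libssl.so.1.1 block stays as it was. Since the changelog says the build now aborts on symbols that are not part of the symbols file, please confirm that libssl.so.1.1 exports nothing under those version nodes, or add the matching lines to that block as well.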
diff --git a/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch b/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
deleted file mode 100644
index 835b95d00696e..0
diff --git a/debian/patches/CVE-2017-3735.patch b/debian/patches/CVE-2017-3735.patch
deleted file mode 100644
index d152ddd387949..0
diff --git a/debian/patches/CVE-2017-3736.patch b/debian/patches/CVE-2017-3736.patch
deleted file mode 100644
index e60063fb65544..0
diff --git a/debian/patches/Fix-a-Proxy-race-condition.patch b/debian/patches/Fix-a-Proxy-race-condition.patch
deleted file mode 100644
index a2b72b8b79f66..0
diff --git a/debian/patches/Fix-race-condition-in-TLSProxy.patch b/debian/patches/Fix-race-condition-in-TLSProxy.patch
deleted file mode 100644
index 24b05c7e14139..0
diff --git a/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch b/debian/patches/Limit-ASN.1-constructed-types-recursive-definition-d.patch
deleted file mode 100644
index 45e0feb25dc07..0
diff --git a/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch b/debian/patches/bn-asm-rsaz-avx2.pl-fix-digit-correction-bug-in-rsaz.patch
deleted file mode 100644
index dbd3573187081..0
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index de24948e8dfac..199480af27e4d 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -1,15 +1,16 @@
-From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 21 Apr 2010 15:52:10 +0200
Subject: [PATCH] also create old hash for compatibility
---
- tools/c_rehash.in |