OpenSSL 0.9.8l released

   OpenSSL version 0.9.8l released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8l of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security release which disables renegotiation
   as a workaround for CVE-2009-3555.  For a complete list of changes,
   please see http://www.openssl.org/source/exp/CHANGES.

   We consider OpenSSL 0.9.8l to be the best version of OpenSSL
   available and we strongly recommend that users of older versions
   upgrade as soon as possible. OpenSSL 0.9.8l is available for
   download via HTTP and FTP from the following master locations (you
   can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

     * http://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file names are:

    o openssl-0.9.8l.tar.gz
      Size: 4179422
      MD5 checksum: 05a0ece1372392a2cf310ebb96333025
      SHA1 checksum: d3fb6ec89532ab40646b65af179bb1770f7ca28f

   The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.*.tar.gz
    openssl sha1 openssl-0.9.*.tar.gz

   Yours,

   The OpenSSL Project Team...

    Mark J. Cox             Nils Larsch         Ulf Mller
    Ralf S. Engelschall     Ben Laurie          Andy Polyakov
    Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
    Lutz Jnicke            Bodo Mller




--
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

On Thursday 05 November 2009 11:53:54 Ben Laurie wrote:
>    OpenSSL version 0.9.8l released

the tarball seems to contain files it shouldnt:
$ tar tf openssl-0.9.8l.tar.gz | egrep '(orig|rej|~)'
openssl-0.9.8l/CHANGES.~1.1238.2.145.~
openssl-0.9.8l/Configure.orig
openssl-0.9.8l/Configure.rej
openssl-0.9.8l/FAQ.~1.100.2.29.~
openssl-0.9.8l/NEWS.~1.57.2.18.~
openssl-0.9.8l/README.~1.52.2.37.~
openssl-0.9.8l/STATUS.~1.254.2.29.~
openssl-0.9.8l/apps/ca.c.~1.149.2.5.~
openssl-0.9.8l/crypto/opensslv.h.~1.44.2.44.~
openssl-0.9.8l/openssl.spec.~1.9.2.14.~
openssl-0.9.8l/ssl/d1_pkt.c.~1.4.2.13.~
openssl-0.9.8l/ssl/s3_lib.c.~1.74.2.23.~
openssl-0.9.8l/ssl/s3_pkt.c.~1.57.2.4.~
openssl-0.9.8l/ssl/s3_srvr.c.orig
openssl-0.9.8l/ssl/ssl.h.orig
openssl-0.9.8l/ssl/ssl3.h.~1.30.2.5.~
openssl-0.9.8l/ssl/ssl_err.c.orig
-mike

On 11/05/2009 12:19 PM, Mike Frysinger wrote:
Yup.  That's tripping us up too:

[philipp@builder ~/alix]$ make openssl
gunzip -c /home/philipp/alix/dl/openssl-0.9.8l.tar.gz | tar -C /home/philipp/alix/build_i586  -xf -
toolchain/patch-kernel.sh /home/philipp/alix/build_i586/openssl-0.9.8l package/openssl/ openssl\*.patch

Applying openssl-0.9.8i-tls-extensions.patch using plaintext:
patching file ssl/s3_clnt.c
patching file ssl/s3_srvr.c
Hunk #1 succeeded at 973 (offset 14 lines).
patching file ssl/ssl_err.c
patching file ssl/ssl.h
patching file ssl/ssl_sess.c
patching file ssl/t1_lib.c
patching file ssl/tls1.h
patching file util/ssleay.num

Applying openssl-fips.patch using plaintext:
patching file fips/Makefile
Hunk #2 succeeded at 103 (offset -2 lines).

Applying openssl-ocf.patch using plaintext:
patching file Configure
Hunk #1 succeeded at 36 (offset 2 lines).
Hunk #2 succeeded at 602 (offset 10 lines).
Hunk #3 succeeded at 744 (offset 23 lines).
Hunk #4 succeeded at 1027 (offset 90 lines).
Hunk #5 succeeded at 1085 (offset 7 lines).
patching file INSTALL
patching file apps/progs.h
patching file apps/speed.c
Hunk #19 succeeded at 2930 (offset 2 lines).
Hunk #21 succeeded at 2972 (offset 2 lines).
patching file crypto/engine/eng_all.c
patching file crypto/engine/eng_cryptodev.c
patching file crypto/engine/engine.h
patching file crypto/evp/c_all.c
patching file crypto/evp/c_alld.c
patching file engines/Makefile

Applying openssl-silentdeath.patch using plaintext:
patching file Makefile.shared
patching file Makefile

Applying openssl-uClibc.patch using plaintext:
patching file Configure
Hunk #1 succeeded at 549 (offset 9 lines).
patching file Makefile.org
Hunk #1 succeeded at 502 with fuzz 2 (offset 135 lines).
patching file Makefile.shared
patching file config
Hunk #3 succeeded at 488 (offset 6 lines).
patching file makefile-uclinuxdist
Aborting.  Reject files found.
make: *** [/home/philipp/alix/build_i586/openssl-0.9.8l/.unpacked] Error 1
[philipp@builder ~/alix]$


Can someone recut the tarball minus the cruft?

Thanks.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

On Friday 06 November 2009 16:09:01 Philip A. Prindeville wrote:
> Applying openssl-uClibc.patch using plaintext:
> patching file Configure
> Hunk #1 succeeded at 549 (offset 9 lines).
> patching file Makefile.org
> Hunk #1 succeeded at 502 with fuzz 2 (offset 135 lines).
> patching file Makefile.shared
> patching file config
> Hunk #3 succeeded at 488 (offset 6 lines).
> patching file makefile-uclinuxdist

curious what this patch is for ... where could i see it ?
-mike

On Fri, Nov 06, 2009, Mike Frysinger wrote:

If that's the one in RT then it shouldn't be needed with the recent backport of the cross compilation patch,
you should just set the outputs of uname on the target system and the
CROSS_COMPILE environment variable.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

On Fri, Nov 06, 2009, Dr. Stephen Henson wrote:

Oops, I forgot 0.9.8l is just 0.9.8k + the reneg patch and not 0.9.8-stable.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Hi Steve,
Dr. Stephen Henson schrieb:
> Oops, I forgot 0.9.8l is just 0.9.8k + the reneg patch and not 0.9.8-stable.
hmmm, that is really not what many would expect now; f.e. all folks who
reported bugs agaist 0.9.8k will now wonder why a version which is
released 8 months later does *not* contain the fixes although the RTs
where closed which normally indicate that the fix will show up with next
release.

Gün.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

On Friday 06 November 2009 21:30:07 Guenter wrote:
> Dr. Stephen Henson schrieb:
> > Oops, I forgot 0.9.8l is just 0.9.8k + the reneg patch and not
> > 0.9.8-stable.
>
> hmmm, that is really not what many would expect now; f.e. all folks who
> reported bugs agaist 0.9.8k will now wonder why a version which is
> released 8 months later does *not* contain the fixes although the RTs
> where closed which normally indicate that the fix will show up with next
> release.

or why some fixes for other CVEs that were included in 0.9.8-stable arent in
the next 0.9.8 release ...
-mike

On Sat, Nov 07, 2009, Guenter wrote:

> Hi Steve,
> Dr. Stephen Henson schrieb:
> > Oops, I forgot 0.9.8l is just 0.9.8k + the reneg patch and not 0.9.8-stable.
> hmmm, that is really not what many would expect now; f.e. all folks who
> reported bugs agaist 0.9.8k will now wonder why a version which is
> released 8 months later does *not* contain the fixes although the RTs
> where closed which normally indicate that the fix will show up with next
> release.
>

It was decided that the volume of changes in 0.9.8-stable meant that a
0.9.8k+reneg patch was the best option to get a fix out quickly with least
chance of any other issues.

First I heard about this (including the reneg issues) was Wednesday while on
vacation (and I still am).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Dr. Stephen Henson wrote:
And AIUI if the new draft RFC seems sensible, .8m follows quickly.

Which suggests that trusting 0_9_8 branch would be sensible, so that the whole
project feels comfortable shipping such bug fixes plus the full monty solution.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Philip A. Prindeville wrote:
> On 11/05/2009 12:19 PM, Mike Frysinger wrote:
>> On Thursday 05 November 2009 11:53:54 Ben Laurie wrote:
>>  
>>>    OpenSSL version 0.9.8l released
>>>    
>> the tarball seems to contain files it shouldnt:
>> $ tar tf openssl-0.9.8l.tar.gz | egrep '(orig|rej|~)'

<snip>

Yep, this is somewhat annoying.

> Can someone recut the tarball minus the cruft?

I believe the following commands executed in openssl-0.9.8l directory
after unpacking will clear most of the surplus stuff:

rm *~
apps/ca.c.fixed \
ssl/ssl_err.c.orig \
ssl/s3_srvr.c.orig \
ssl/ssl.h.orig \
Configure.orig \
Configure.rej \
BenConf \
apps/Makefile.save \
apps/ca.c.~1.149.2.5.~ \
crypto/Makefile.save \
crypto/opensslv.h.~1.44.2.44.~ \
ssl/d1_pkt.c.~1.4.2.13.~ \
ssl/flags \
ssl/s3_lib.c.~1.74.2.23.~ \
ssl/s3_pkt.c.~1.57.2.4.~ \
ssl/ssl3.h.~1.30.2.5.~
find . -type f -name '*.save' -delete

At least recursive diff between 0.9.8k and 0.9.8l returns reasonable
stuff after that.


v.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...