Debian

Available patches from Ubuntu

To see Ubuntu differences wrt. to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: jansson

jansson (2.13.1-1ubuntu1) groovy; urgency=medium * debian/patches/git_new_sphinx.patch: - backport an upstream change to fix the build with sphinx3 (Closes: #963640) -- Sebastien Bacher <seb128@debian.org> Tue, 29 Sep 2020 15:16:23 +0200

Modifications :
  1. Download patch debian/patches/git_new_sphinx.patch

    --- 2.13.1-1/debian/patches/git_new_sphinx.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.1-1ubuntu1/debian/patches/git_new_sphinx.patch 2020-09-28 10:44:49.000000000 +0000 @@ -0,0 +1,66 @@ +From 798d40c3f3e0700501de1588274b69e2b128ad7c Mon Sep 17 00:00:00 2001 +From: Pierce Lopez <pierce.lopez@gmail.com> +Date: Fri, 7 Aug 2020 01:54:45 -0400 +Subject: [PATCH] doc: convert refcounting directive to a class + +Directive functions are no longer supported in Sphinx-3.0 +but directive classes have been supported since early 1.x +--- + doc/ext/refcounting.py | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/doc/ext/refcounting.py b/doc/ext/refcounting.py +index bba26849..e72c481c 100644 +--- a/doc/ext/refcounting.py ++++ b/doc/ext/refcounting.py +@@ -24,8 +24,8 @@ + """ + + from docutils import nodes ++from docutils.parsers.rst import Directive + +-class refcounting(nodes.emphasis): pass + + def visit(self, node): + self.visit_emphasis(node) +@@ -40,16 +40,25 @@ def html_depart(self, node): + self.body.append('</em>') + + +-def refcounting_directive(name, arguments, options, content, lineno, +- content_offset, block_text, state, state_machine): +- if arguments[0] == 'borrow': +- text = 'Return value: Borrowed reference.' +- elif arguments[0] == 'new': +- text = 'Return value: New reference.' +- else: +- raise Error('Valid arguments: new, borrow') ++class refcounting(nodes.emphasis): ++ pass ++ ++class refcounting_directive(Directive): ++ has_content = False ++ required_arguments = 1 ++ optional_arguments = 0 ++ final_argument_whitespace = False ++ ++ def run(self): ++ if self.arguments[0] == 'borrow': ++ text = 'Return value: Borrowed reference.' ++ elif self.arguments[0] == 'new': ++ text = 'Return value: New reference.' ++ else: ++ raise Error('Valid arguments: new, borrow') ++ ++ return [refcounting(text, text)] + +- return [refcounting(text, text)] + + def setup(app): + app.add_node(refcounting, +@@ -57,4 +66,4 @@ def setup(app): + latex=(visit, depart), + text=(visit, depart), + man=(visit, depart)) +- app.add_directive('refcounting', refcounting_directive, 0, (1, 0, 0)) ++ app.add_directive('refcounting', refcounting_directive)
  2. Download patch debian/patches/series

    --- 2.13.1-1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.1-1ubuntu1/debian/patches/series 2020-09-28 10:44:49.000000000 +0000 @@ -0,0 +1 @@ +git_new_sphinx.patch

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: kdnssd-kf5

kdnssd-kf5 (5.74.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.74.0) -- José Manuel Santamaría Lema <panfaust@gmail.com> Sun, 13 Sep 2020 10:58:42 +0100 kdnssd-kf5 (5.73.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.73.0) -- Rik Mills <rikmills@kde.org> Sat, 08 Aug 2020 10:57:31 +0100 kdnssd-kf5 (5.72.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.72.0) -- Rik Mills <rikmills@kde.org> Mon, 06 Jul 2020 20:32:09 +0100 kdnssd-kf5 (5.71.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.71.0) -- Rik Mills <rikmills@kde.org> Sun, 14 Jun 2020 12:05:47 +0100 kdnssd-kf5 (5.70.0-1ubuntu1) groovy; urgency=medium * Merge from debian unstable. Remaining changes: - Kubuntu Vcs fields. - debhelper-compat = 12 for backports. -- Rik Mills <rikmills@kde.org> Tue, 09 Jun 2020 23:01:09 +0100

Modifications :
  1. Download patch debian/upstream/metadata

    --- 5.74.0-1/debian/upstream/metadata 2020-09-26 21:07:33.000000000 +0000 +++ 5.74.0-0ubuntu1/debian/upstream/metadata 2020-09-13 09:58:42.000000000 +0000 @@ -1,7 +1,5 @@ -Bug-Database: https://bugs.kde.org/buglist.cgi?product=frameworks-kdnssd&resolution=--- -Bug-Submit: https://bugs.kde.org/enter_bug.cgi?product=frameworks-kdnssd -Changelog: https://invent.kde.org/frameworks/kdnssd/-/commits/master +Changelog: https://cgit.kde.org/kdnssd.git/log Donation: https://www.kde.org/community/donations/index.php -Repository: https://invent.kde.org/frameworks/kdnssd.git -Repository-Browse: https://invent.kde.org/frameworks/kdnssd +Repository: https://anongit.kde.org/kdnssd.git +Repository-Browse: https://cgit.kde.org/kdnssd.git Security-Contact: security@kde.org
  2. Download patch debian/control

    --- 5.74.0-1/debian/control 2020-09-26 20:55:13.000000000 +0000 +++ 5.74.0-0ubuntu1/debian/control 2020-09-13 09:58:42.000000000 +0000 @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Uploaders: Maximiliano Curia <maxy@debian.org> Build-Depends: cmake (>= 3.5~), - debhelper-compat (= 13), + debhelper-compat (= 12), doxygen, extra-cmake-modules (>= 5.74.0~), graphviz, @@ -15,15 +15,15 @@ Build-Depends: cmake (>= 3.5~), qttools5-dev (>= 5.4), qttools5-dev-tools (>= 5.4), Standards-Version: 4.5.0 -Homepage: https://invent.kde.org/frameworks/kdnssd -Vcs-Browser: https://salsa.debian.org/qt-kde-team/kde/kdnssd -Vcs-Git: https://salsa.debian.org/qt-kde-team/kde/kdnssd.git +Homepage: https://projects.kde.org/projects/frameworks/kdnssd +Vcs-Browser: https://code.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/kdnssd +Vcs-Git: https://git.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/kdnssd Rules-Requires-Root: no Package: libkf5dnssd-data Architecture: all -Depends: ${misc:Depends}, ${shlibs:Depends} Multi-Arch: foreign +Depends: ${misc:Depends}, ${shlibs:Depends} Description: Abstraction to system DNSSD features. KDNSSD is a library for handling the DNS-based Service Discovery Protocol (DNS-SD), the layer of @@ -32,8 +32,8 @@ Description: Abstraction to system DNSSD This package contains the data files. Package: libkf5dnssd-dev -Section: libdevel Architecture: any +Section: libdevel Depends: libkf5dnssd5 (= ${binary:Version}), qtbase5-dev (>= 5.12.0~), ${misc:Depends}, @@ -44,11 +44,11 @@ Description: development files for kdnss Zeroconf that allows network services. . Contains development files for kdnssd. -Breaks: libkf5kdelibs4support-dev (<< 5.54) Package: libkf5dnssd-doc Architecture: all Multi-Arch: foreign +Section: doc Depends: ${misc:Depends} Description: Abstraction to system DNSSD features (documentation) KDNSSD is a library for handling the DNS-based @@ -56,7 +56,6 @@ Description: Abstraction to system DNSSD Zeroconf that allows network services. . This package contains the qch documentation files. -Section: doc Package: libkf5dnssd5 Architecture: any
  3. Download patch debian/copyright

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libnss-ldap

libnss-ldap (265-5ubuntu1) bionic; urgency=medium * Merge with Debian; remaining changes: See 265-3ubuntu2). -- Matthias Klose <doko@ubuntu.com> Mon, 06 Nov 2017 16:14:44 +0100

Modifications :
  1. Download patch debian/po/ca.po
  2. Download patch debian/po/pt.po
  3. Download patch ldap-nss.c

    --- 265-5/ldap-nss.c 2017-11-06 18:40:22.000000000 +0000 +++ 265-5ubuntu1/ldap-nss.c 2017-11-06 18:40:23.000000000 +0000 @@ -534,8 +534,13 @@ do_atfork_parent (void) static void do_atfork_child (void) { + sigset_t unblock, mask; debug ("==> do_atfork_child"); + sigemptyset(&unblock); + sigaddset(&unblock, SIGPIPE); + sigprocmask(SIG_UNBLOCK, &unblock, &mask); do_close_no_unbind (); + sigprocmask(SIG_SETMASK, &mask, NULL); _nss_ldap_leave (); debug ("<== do_atfork_child"); }
  4. Download patch debian/patches/0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch

    --- 265-5/debian/patches/0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/patches/0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch 2016-10-19 21:01:16.000000000 +0000 @@ -0,0 +1,25 @@ +From 964360883c5f5aed6e595e5e2d101d188bf8a61f Mon Sep 17 00:00:00 2001 +From: Luke Howard <lukeh@padl.com> +Date: Thu, 25 Feb 2010 10:57:30 +0000 +Subject: [PATCH] fix for BUG#414: SIGPIPE handling in atfork() +Origin: backport, https://github.com/PADL/nss_ldap/commit/964360883c5f5aed6e595e5e2d101d188bf8a61f +Bug-Ubuntu: https://launchpad.net/bugs/1397250 +Last-Update: 2016-10-21 + +diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c +--- nss_ldap/ldap-nss.c 2009-12-07 20:57:33.000000000 -0500 ++++ nss_ldap/ldap-nss.c 2009-12-07 20:58:56.000000000 -0500 +@@ -532,8 +532,13 @@ + static void + do_atfork_child (void) + { ++ sigset_t unblock, mask; + debug ("==> do_atfork_child"); ++ sigemptyset(&unblock); ++ sigaddset(&unblock, SIGPIPE); ++ sigprocmask(SIG_UNBLOCK, &unblock, &mask); + do_close_no_unbind (); ++ sigprocmask(SIG_SETMASK, &mask, NULL); + _nss_ldap_leave (); + debug ("<== do_atfork_child"); + }
  5. Download patch debian/rules

    --- 265-5/debian/rules 2013-08-30 21:37:57.000000000 +0000 +++ 265-5ubuntu1/debian/rules 2014-11-21 14:07:53.000000000 +0000 @@ -8,18 +8,14 @@ override_dh_auto_configure: --libdir=/lib/$(DEB_HOST_MULTIARCH) \ --enable-rfc2307bis \ --with-ldap-lib=openldap \ - --with-ldap-conf-file=/etc/libnss-ldap.conf \ - --with-ldap-secret-file=/etc/libnss-ldap.secret \ --enable-paged-results \ --enable-configurable-krb5-ccname-gssapi override_dh_install: - mv debian/libnss-ldap/usr/share/man/man5/nss_ldap.5 debian/libnss-ldap/usr/share/man/man5/libnss-ldap.conf.5 rm -rf debian/libnss-ldap/etc + dh_link -plibnss-ldap /lib/$(DEB_HOST_MULTIARCH)/libnss_ldap.so.2 \ + /usr/lib/$(DEB_HOST_MULTIARCH)/libnss_ldap.so dh_install - # change all references from /etc/ldap.conf to /etc/libnss-ldap.conf - for file in debian/libnss-ldap/usr/share/man/man5/libnss-ldap.conf.5 \ - debian/libnss-ldap/usr/share/libnss-ldap/ldap.conf ; do \ - sed -i -e 's:/etc/ldap.conf:/etc/libnss-ldap.conf:g' \ - -e 's:/etc/ldap.secret:/etc/libnss-ldap.secret:g' $$file; \ - done; + +override_dh_installinit: + dh_installinit -- start . stop 20 0 1 6 .
  6. Download patch debian/po/sk.po
  7. Download patch debian/po/nb.po
  8. Download patch debian/po/nl.po
  9. Download patch debian/LDAP-Permissions.txt

    --- 265-5/debian/LDAP-Permissions.txt 2013-08-02 19:59:49.000000000 +0000 +++ 265-5ubuntu1/debian/LDAP-Permissions.txt 2014-11-21 14:07:53.000000000 +0000 @@ -5,7 +5,7 @@ The following list describes the search uses for each database type in /etc/nsswitch.conf For each of the entries the search base is determined by the nss_base_... -parameter in /etc/libnss-ldap.conf. +parameter in /etc/ldap.conf. The search filters are used when the resprective functions are called. @@ -15,7 +15,7 @@ have been more correct. The information contained in the list may be used to determine the required permissions to objects and attributes in the directory for the accounts -referred to by 'binddn' and 'rootbinddn' in /etc/libnss-ldap.conf. +referred to by 'binddn' and 'rootbinddn' in /etc/ldap.conf. 'rootbinddn' is used if it is set and libnss-ldap is called with effective user id 0. In all other cases 'binddn' is used if it is set. If 'binddn is
  10. Download patch debian/control

    --- 265-5/debian/control 2016-10-01 22:22:46.000000000 +0000 +++ 265-5ubuntu1/debian/control 2017-11-06 15:14:44.000000000 +0000 @@ -1,10 +1,10 @@ Source: libnss-ldap Section: admin Priority: extra -Maintainer: Debian QA Group <packages@qa.debian.org> +XSBC-Original-Maintainer: Richard A Nelson (Rick) <cowboy@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> Standards-Version: 3.9.8 -Build-Depends: debhelper (>= 9), dh-autoreconf, po-debconf (>= 0.5.0), - autotools-dev, libldap2-dev, libkrb5-dev, libsasl2-dev +Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, libldap2-dev, libkrb5-dev, libsasl2-dev Homepage: http://www.padl.com/OSS/nss_ldap.html Vcs-Svn: svn://anonscm.debian.org/collab-maint/deb-maint/libnss-ldap/trunk/ Vcs-Browser: http://anonscm.debian.org/viewvc/collab-maint/deb-maint/libnss-ldap/trunk/ @@ -14,7 +14,8 @@ Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends} -Recommends: nscd, libpam-ldap +Recommends: libpam-ldap, ldap-auth-config +Suggests: nscd Description: NSS module for using LDAP as a naming service This package provides a Name Service Switch that allows your LDAP server act as a name service. This means providing user account information,
  11. Download patch .pc/applied-patches

    --- 265-5/.pc/applied-patches 2017-11-06 18:40:23.046337232 +0000 +++ 265-5ubuntu1/.pc/applied-patches 2017-11-06 18:40:23.322344887 +0000 @@ -11,3 +11,4 @@ spelling-fix.patch glibc-2.16.patch fix-nsswitch-example.patch reproducible-build.patch +0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch
  12. Download patch debian/po/POTFILES.in

    --- 265-5/debian/po/POTFILES.in 2013-08-02 19:59:49.000000000 +0000 +++ 265-5ubuntu1/debian/po/POTFILES.in 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -[type: gettext/rfc822deb] templates
  13. Download patch debian/nssldap-update-ignoreusers

    --- 265-5/debian/nssldap-update-ignoreusers 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/nssldap-update-ignoreusers 2014-11-21 14:07:53.000000000 +0000 @@ -0,0 +1,69 @@ +#!/bin/sh -e +# +# nssldap-update-ignoreusers +# Copyright (C) 2008 Canonical Ltd. +# Author: Dustin Kirkland <kirkland@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + + +# Location of LDAP's nss_* configuration +CONF=/etc/ldap.conf +if [ ! -s $CONF ]; then + exit 0 +fi + +# Location of logged $CONF changes +LOGDIR="/var/lib/libnss-ldap" + +# Load threshold for ignoring uid's from $CONF +MIN=`grep "^nss_initgroups_minimum_uid " $CONF | tail -n 1 | awk '{print $2}'` + +# If unspecified, set to 1000 (ignore local system id's) to prevent boot hang +if [ -z $MIN ]; then + MIN=1000 +fi + +# Load existing list of ignored users from ldap.conf +LOADED_USERS=`grep "^nss_initgroups_ignoreusers " $CONF | tail -n 1 | awk '{print $2}'` + +# Build list of users to ignore based on specified minimum UID +users=`cat /etc/passwd | awk -F":" '{if ($3 <'$MIN') print $1 ","}' | xargs -i echo -n {}` + +# Merge the two lists, remove whitespace, sort alphabetically, prune duplicates +users=`echo "$LOADED_USERS,$users" | sed "s/ //g" | sed "s/,/\n/g" | sort | uniq | xargs -i echo -n {},` + +# Removing any leading or trailing commas +users=`echo "$users" | sed "s/^,//" | sed "s/,$//"` +confline="nss_initgroups_ignoreusers $users" + +# Build new conf file +tmpfile=`mktemp` +cat $CONF > $tmpfile +if grep "^nss_initgroups_ignoreusers " $CONF >/dev/null; then + sed -i "s/^nss_initgroups_ignoreusers .*$/$confline/g" $CONF +else + echo $confline >> $CONF +fi + +# If changes have occured, log the difference +if ! diff -up $tmpfile $CONF >/dev/null; then + timestamp=`date +%Y%m%d%H%M%S` + mkdir -p $LOGDIR 2>/dev/null || true + diff -up $tmpfile $CONF > $LOGDIR/ldap.conf.$timestamp.diff || true + logger -p syslog.info -t libnss-ldap "Modified $CONF, see changes in $LOGDIR/ldap.conf.$timestamp.diff" +fi +rm -f $tmpfile + +exit 0
  14. Download patch debian/po/fi.po
  15. Download patch debian/libnss-ldap.install

    --- 265-5/debian/libnss-ldap.install 2013-08-30 21:37:58.000000000 +0000 +++ 265-5ubuntu1/debian/libnss-ldap.install 2014-11-21 14:07:53.000000000 +0000 @@ -1 +1,7 @@ -ldap.conf /usr/share/libnss-ldap/ +nss_ldap.5 usr/share/man/man5 +ldap.conf usr/share/doc/libnss-ldap/examples +nsswitch.ldap usr/share/doc/libnss-ldap/examples +debian/LDAP-Permissions.txt usr/share/doc/libnss-ldap +debian/examples usr/share/doc/libnss-ldap +debian/nssldap-update-ignoreusers usr/sbin +debian/nssldap-update-ignoreusers.8 usr/share/man/man8
  16. Download patch .pc/0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch/ldap-nss.c
  17. Download patch debian/po/templates.pot
  18. Download patch debian/po/vi.po
  19. Download patch debian/templates

    --- 265-5/debian/templates 2013-08-02 19:59:49.000000000 +0000 +++ 265-5ubuntu1/debian/templates 1970-01-01 00:00:00.000000000 +0000 @@ -1,117 +0,0 @@ -Template: libnss-ldap/confperm -Type: boolean -Default: false -_Description: Make the configuration file readable/writeable by its owner only? - If you use passwords in your libnss-ldap configuration, it is usually a - good idea to have the configuration set with mode 0600 (readable and - writable only by the file's owner). - . - Note: As a sanity check, libnss-ldap will check if you have nscd installed - and will only set the mode to 0600 if nscd is present. - -Template: libnss-ldap/nsswitch -Type: note -_Description: nsswitch.conf not managed automatically - For the libnss-ldap package to work, you need to modify your - /etc/nsswitch.conf to use the "ldap" datasource. There is an example - file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can - be used as an example for your nsswitch setup, or it can be copied - over your current setup. - . - Also, before removing this package, it is wise to remove the "ldap" entries - from nsswitch.conf to keep basic services functioning. - -Template: shared/ldapns/base-dn -Type: string -Default: dc=example,dc=net -_Description: Distinguished name of the search base: - Please enter the distinguished name of the LDAP search base. Many sites - use the components of their domain names for this purpose. For example, - the domain "example.net" would use "dc=example,dc=net" as the - distinguished name of the search base. - -Template: libnss-ldap/dblogin -Type: boolean -Default: false -_Description: Does the LDAP database require login? - Choose this option if you can't retrieve entries from - the database without logging in. - . - Note: Under a normal setup, this is not needed. - -Template: libnss-ldap/override -Type: boolean -Default: true -_Description: Automatically update libnss-ldap's configuration file? - The libnss-ldap package may use debconf for its configuration. - . - If you choose this option, the configuration file will be prepended - with "###DEBCONF###"; you can disable the debconf updates by removing - that line. - . - All new installations will use this option by default. - -Template: libnss-ldap/binddn -Type: string -Default: cn=proxyuser,dc=example,dc=net -_Description: Unprivileged database user: - Please enter the name of the account that will be used to log in to the LDAP - database. - -Template: libnss-ldap/bindpw -Type: password -_Description: Password for database login account: - Please enter the password that will be used to log in to the LDAP database. - -Template: shared/ldapns/ldap_version -Type: select -Choices: 3, 2 -Default: 3 -_Description: LDAP version to use: - Please enter which version of the LDAP protocol should be used by - ldapns. It is usually a good idea to set this to the highest - available version number. - -Template: shared/ldapns/ldap-server -Type: string -Default: ldap://127.0.0.1/ -_Description: LDAP server Uniform Resource Identifier: - Please enter the URI of the LDAP server used. This is a string in the - form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also - be used. The port number is optional. - . - Note: It is usually a good idea to use an IP address; this reduces risks - of failure in the event name service is unavailable. - -Template: libnss-ldap/dbrootlogin -Type: boolean -Default: true -_Description: Special LDAP privileges for root? - This option will allow tools that perform requests to the nss system - with libnss-ldap as backend to return more information when called - as root. - . - If you are using NFS mounted /etc or any other custom setup, you should - disable this. - -Template: libnss-ldap/rootbinddn -Type: string -Default: cn=manager,dc=example,dc=net -_Description: LDAP account for root: - Please choose which account will be used for nss requests with root - privileges. - . - Note: For this to work the account needs permission to access the - attributes in the LDAP directory that are related to the users' shadow - entries as well as users' and groups' passwords. - -Template: libnss-ldap/rootbindpw -Type: password -_Description: LDAP root account password: - Please enter the password to use when libnss-ldap tries to - login to the LDAP directory using the LDAP account for root. - . - The password will be stored in a separate file /etc/libnss-ldap.secret - which will be made readable to root only. - . - Entering an empty password will re-use the old password.
  20. Download patch debian/po/da.po
  21. Download patch debian/libnss-ldap.dirs

    --- 265-5/debian/libnss-ldap.dirs 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/libnss-ldap.dirs 2014-11-21 14:07:53.000000000 +0000 @@ -0,0 +1,2 @@ +usr/share/doc/libnss-ldap +var/lib/libnss-ldap
  22. Download patch debian/po/ja.po
  23. Download patch debian/po/it.po
  24. Download patch debian/libnss-ldap.init

    --- 265-5/debian/libnss-ldap.init 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/libnss-ldap.init 2014-11-21 14:07:53.000000000 +0000 @@ -0,0 +1,34 @@ +#! /bin/sh -e + +### BEGIN INIT INFO +# Provides: libnss-ldap +# Required-Start: +# Required-Stop: mountall.sh +# Default-Start: +# Default-Stop: 0 1 6 +# Short-Description: Updates /etc/ldap.conf +# Description: Updates nss_initgroups_ignoreusers based on +# nss_initgroups_minimum_uid +### END INIT INFO + +PATH="/sbin:/bin:/usr/sbin:/usr/bin" +. /lib/lsb/init-functions + +case "$1" in + start) + ;; + restart|force-reload|stop) + log_action_begin_msg "Running nssldap-update-ignoreusers" + if nssldap-update-ignoreusers ; then + log_action_end_msg 0 + else + log_action_end_msg 1 + exit 1 + fi + ;; + *) + echo "Usage: $0 {start|restart|force-reload|stop}" + exit 1 + ;; +esac +exit 0
  25. Download patch debian/patches/series

    --- 265-5/debian/patches/series 2016-10-03 12:00:50.000000000 +0000 +++ 265-5ubuntu1/debian/patches/series 2017-11-06 15:14:44.000000000 +0000 @@ -11,3 +11,4 @@ spelling-fix.patch glibc-2.16.patch fix-nsswitch-example.patch reproducible-build.patch +0001-fix-for-BUG-414-SIGPIPE-handling-in-atfork.patch
  26. Download patch debian/README.Debian

    --- 265-5/debian/README.Debian 2013-08-02 19:59:49.000000000 +0000 +++ 265-5ubuntu1/debian/README.Debian 2014-11-21 14:07:53.000000000 +0000 @@ -18,10 +18,8 @@ the entries it asks about, nothing else. -- Sami Haahtinen <ressu@debian.org> - -Debian uses /etc/libnss-ldap.conf as libnss-ldap's configuration file and -/etc/libnss-ldap.secret as the file to store the password of the rootbinddn. +Ubuntu uses /etc/ldap.conf as libnss-ldap's configuration file and +/etc/ldap.secret as the file to store the password of the rootbinddn. See LDAP-Permissions.txt for details about the required LDAP permissions. - -- Peter Marschall <peter@adpm.de>
  27. Download patch debian/po/gl.po
  28. Download patch debian/nssldap-update-ignoreusers.8

    --- 265-5/debian/nssldap-update-ignoreusers.8 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/nssldap-update-ignoreusers.8 2014-11-21 14:07:53.000000000 +0000 @@ -0,0 +1,21 @@ +.TH "nssldap-update-ignoreusers" "8" "0.1" "Jamie Strandboge" "" +.SH "NAME" +.LP +nssldap\-update\-ignoreusers \- update ldap.conf based on nss_initgroups_minimum_uid +.SH "SYNTAX" +.LP +nssldap\-update\-ignoreusers +.SH "DESCRIPTION" +.LP +Updates nss_initgroups_ignoreusers in /etc/ldap.conf based on nss_initgroups_minimum_uid. +.SH "FILES" +.LP +\fI/etc/ldap.conf\fP +.br +\fI/var/lib/libnss\-ldap\fP +.SH "AUTHORS" +.LP +Dustin Kirkland <kirkland@canonical.com> +.SH "SEE ALSO" +.LP +ldap.conf(5) nss_ldap(5)
  29. Download patch debian/po/ru.po
  30. Download patch debian/po/pt_BR.po
  31. Download patch debian/patches/minimum_uid.patch

    --- 265-5/debian/patches/minimum_uid.patch 1970-01-01 00:00:00.000000000 +0000 +++ 265-5ubuntu1/debian/patches/minimum_uid.patch 2014-11-21 14:07:53.000000000 +0000 @@ -0,0 +1,29 @@ +diff -Naur ./nss_ldap-258.orig/ldap.conf nss_ldap-258/ldap.conf +--- ./nss_ldap-258.orig/ldap.conf 2007-10-12 18:10:10.000000000 -0400 ++++ nss_ldap-258/ldap.conf 2008-04-22 14:18:14.000000000 -0400 +@@ -311,3 +311,7 @@ + # Override the default Kerberos ticket cache location. + #krb5_ccname FILE:/etc/.ldapcache + ++# List of users to ignore when doing LDAP lookups. Defaults to ++# all users with uid under 1000. Use nss_initgroups_minimum_uid to change ++# the default. ++nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data +diff -Naur ./nss_ldap-258.orig/nss_ldap.5 nss_ldap-258/nss_ldap.5 +--- ./nss_ldap-258.orig/nss_ldap.5 2007-10-12 18:10:10.000000000 -0400 ++++ nss_ldap-258/nss_ldap.5 2008-04-22 14:12:34.000000000 -0400 +@@ -445,6 +445,14 @@ + to return NSS_STATUS_NOTFOUND if called with a listed users as + its argument. + .TP ++.B nss_initgroups_minimum_uid <uid number> ++This option updates ++.B nss_initgroups_ignoreusers ++to have all uids under the specified uid number. Please note that ++you will have to reboot or use ++.B /etc/init.d/libnss-ldap restart ++for this to take affect. ++.TP + .B nss_getgrent_skipmembers <yes|no> + Specifies whether or not to populate the members list in + the group structure for group lookups. If very large groups
  32. Download patch debian/libnss-ldap.postinst
  33. Download patch debian/po/fr.po
  34. Download patch debian/po/sv.po
  35. Download patch debian/libnss-ldap.postrm

    --- 265-5/debian/libnss-ldap.postrm 2013-11-21 22:07:39.000000000 +0000 +++ 265-5ubuntu1/debian/libnss-ldap.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -#!/bin/sh - -set -e - -CONFFILE="/etc/libnss-ldap.conf" -PASSWDFILE="/etc/libnss-ldap.secret" - -action=$1 - -if [ "$action" = "purge" ] && \ - [ "$(dpkg-query -f '${db:Status-Abbrev} ${binary:Package}\n' -W libnss-ldap | grep -v '^.n' | wc -l)" = 1 ] ; then - rm -f $CONFFILE $PASSWDFILE -fi - -#DEBHELPER#
  36. Download patch debian/po/cs.po
  37. Download patch debian/po/es.po
  38. Download patch debian/config

    --- 265-5/debian/config 2013-08-30 20:50:15.000000000 +0000 +++ 265-5ubuntu1/debian/config 1970-01-01 00:00:00.000000000 +0000 @@ -1,97 +0,0 @@ -#!/usr/bin/perl -# Debconf configuration script for PADL-ldap tools. -# By Sami Haahtinen <ressu@debian.org> - -$conffile="/etc/libnss-ldap.conf"; -$action=shift; -$from_version=shift; - -use Debconf::Client::ConfModule ':all'; -version('2.0'); - -# Not yet.. i'll prolly fix this later... -# my $capb=capb('backup'); - -my @ret; -my @current_config; - -# The 'override' thing really ought to go, but let's see how this works -# out first. - -if(-e $conffile) { - open CONFIG, "<$conffile"; - if(<CONFIG> =~ /^###DEBCONF###$/) { - set("libnss-ldap/override", "true"); - } else { - my $oldval=get("libnss-ldap/override"); - set("libnss-ldap/override", "false"); - if ($oldval eq "true") { - fset("libnss-ldap/override", "seen", "false") - } - - # well, this was a screwy from the start.. lets make it more - # sane. priority is critical when running reconfigure, - # otherwise it's high.. - # -- i hope thats enough.. - - input($action =~ /reconfigure/ ? "critical" : "high", - "libnss-ldap/override"); - $ret=go(); - }; - @current_config = <CONFIG>; - close CONFIG; -} else { - set("libnss-ldap/override", "true"); -}; - -# ok, previously in Configuring LDAP services.. -# - Configuration file was tested for ###DEBCONF### and override was -# set accordingly. -# - Eric was dumped because of an secret affair with Karen. -# Tune in next time for the next episode of, configuring LDAP services.. - -if(get("libnss-ldap/override") eq "true") { - read_and_input('shared/ldapns/ldap-server', 'uri', 'critical'); - read_and_input('shared/ldapns/base-dn', 'base', 'critical'); - read_and_input('shared/ldapns/ldap_version', 'ldap_version', 'critical'); - $ret = go(); # yeah, we don't need that.. but in case we sometime do - - # Anyone with database that requires logging in should have - # atleast medium priority.. - input("medium", "libnss-ldap/dblogin"); - input("medium", "libnss-ldap/dbrootlogin"); - input("medium", "libnss-ldap/confperm"); - $ret = go(); - - if(get("libnss-ldap/dbrootlogin") eq "true") { - read_and_input('libnss-ldap/rootbinddn', 'rootbinddn', 'critical'); - input('critical', 'libnss-ldap/rootbindpw'); - $ret = go() - } - - if(get("libnss-ldap/dblogin") eq "true") { - # user wants to login.. - # we better set these at critical.. just in case - read_and_input('libnss-ldap/binddn', 'binddn', 'critical'); - read_and_input('libnss-ldap/bindpw', 'bindpw', 'critical'); - $ret = go(); - } -} - -input("critical", "libnss-ldap/nsswitch"); -$ret = go(); - -sub read_and_input -{ - my ($debconf_name, $conffile_name, $priority) = @_; - $priority = 'medium' unless $priority; - - my @valuelist = grep(/^$conffile_name\s/, @current_config); - if (@valuelist) { - my $value = pop(@valuelist); - chomp($value); - $value =~ s/^$conffile_name\s+//; - set($debconf_name, $value); - } - input($priority, $debconf_name); -}
  39. Download patch debian/po/de.po

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libnss-nis

libnss-nis (3.1-0ubuntu4) groovy; urgency=medium * Rebuild with glibc 2.32 in the archive -- Balint Reczey <rbalint@ubuntu.com> Thu, 10 Sep 2020 14:33:25 +0200 libnss-nis (3.1-0ubuntu3) groovy; urgency=medium * Bootstrap with glibc 2.32 -- Balint Reczey <rbalint@ubuntu.com> Sun, 06 Sep 2020 11:37:00 +0200 libnss-nis (3.1-0ubuntu2) groovy; urgency=medium * Rebuild to get on the i386 package list -- Balint Reczey <rbalint@ubuntu.com> Fri, 04 Sep 2020 18:24:23 +0200 libnss-nis (3.1-0ubuntu1) groovy; urgency=medium * debian/control: Break/Replace libc6 (<< 2.32) * Build-depend on libnsl-dev -- Balint Reczey <rbalint@ubuntu.com> Fri, 04 Sep 2020 17:08:46 +0200

Modifications :
  1. Download patch debian/control

    --- 3.1-1/debian/control 2020-08-20 17:13:02.000000000 +0000 +++ 3.1-0ubuntu4/debian/control 2020-09-10 12:33:25.000000000 +0000 @@ -1,9 +1,10 @@ Source: libnss-nis Section: admin Priority: optional -Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org> Uploaders: Aurelien Jarno <aurel32@debian.org> -Build-Depends: debhelper-compat (= 13), libtirpc-dev, pkg-config +Build-Depends: debhelper-compat (= 13), libnsl-dev, libtirpc-dev, pkg-config Rules-Requires-Root: no Standards-Version: 4.5.0 Vcs-Browser: https://salsa.debian.org/glibc-team/libnss-nis @@ -15,8 +16,13 @@ Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends} -Conflicts: - libc6 [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], +Breaks: + libc6 (<< 2.32) [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], + libc6.1 [alpha ia64], + libc0.1 [kfreebsd-amd64 kfreebsd-i386], + libc0.3 [hurd-i386] +Replaces: + libc6 (<< 2.32) [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], libc6.1 [alpha ia64], libc0.1 [kfreebsd-amd64 kfreebsd-i386], libc0.3 [hurd-i386]

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libnss-nisplus

libnss-nisplus (1.3-0ubuntu4) groovy; urgency=medium * Rebuild with glibc 2.32 in the archive -- Balint Reczey <rbalint@ubuntu.com> Thu, 10 Sep 2020 14:34:49 +0200 libnss-nisplus (1.3-0ubuntu3) groovy; urgency=medium * Bootstrap with glibc 2.32 -- Balint Reczey <rbalint@ubuntu.com> Sun, 06 Sep 2020 11:38:51 +0200 libnss-nisplus (1.3-0ubuntu2) groovy; urgency=medium * Rebuild to get on the i386 package list -- Balint Reczey <rbalint@ubuntu.com> Fri, 04 Sep 2020 18:25:17 +0200 libnss-nisplus (1.3-0ubuntu1) groovy; urgency=medium * debian/control: Conflict with libc6-dev (<< 2.32) * Build-depend on libnsl-dev * debian/control: Break/Replace libc6 (<< 2.32) -- Balint Reczey <rbalint@ubuntu.com> Fri, 04 Sep 2020 17:17:37 +0200

Modifications :
  1. Download patch debian/control

    --- 1.3-1/debian/control 2020-08-20 17:07:25.000000000 +0000 +++ 1.3-0ubuntu4/debian/control 2020-09-10 12:34:49.000000000 +0000 @@ -1,9 +1,10 @@ Source: libnss-nisplus Section: admin Priority: optional -Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org> Uploaders: Aurelien Jarno <aurel32@debian.org> -Build-Depends: debhelper-compat (= 13), pkg-config +Build-Depends: debhelper-compat (= 13), libnsl-dev, pkg-config Rules-Requires-Root: no Standards-Version: 4.5.0 Vcs-Browser: https://salsa.debian.org/glibc-team/libnss-nisplus @@ -15,8 +16,13 @@ Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends} -Conflicts: - libc6 [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], +Breaks: + libc6 (<< 2.32) [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], + libc6.1 [alpha ia64], + libc0.1 [kfreebsd-amd64 kfreebsd-i386], + libc0.3 [hurd-i386] +Replaces: + libc6 (<< 2.32) [!alpha !ia64 !kfreebsd-amd64 !kfreebsd-i386 !hurd-i386], libc6.1 [alpha ia64], libc0.1 [kfreebsd-amd64 kfreebsd-i386], libc0.3 [hurd-i386]

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: lxqt-openssh-askpass

lxqt-openssh-askpass (0.15.0-0ubuntu1) groovy; urgency=medium * New upstream release. - Update upstream signing key. - Update LXQt build depends. * Bump Standards-version to 4.5.0, no changes needed. * Migrate to debhelper-compat. -- Simon Quigley <tsimonq2@ubuntu.com> Thu, 04 Jun 2020 14:06:26 -0500 lxqt-openssh-askpass (0.14.1-1ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Update build depends. -- Raman Sarda <theloudspeaker@lubuntu.me> Fri, 31 Jan 2020 16:57:22 +0530

Modifications :
  1. Download patch debian/upstream/metadata

    --- 0.14.1-1/debian/upstream/metadata 2019-02-26 01:00:56.000000000 +0000 +++ 0.15.0-0ubuntu1/debian/upstream/metadata 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -Name: lxqt-openssh-askpass -Bug-Database: https://github.com/lxqt/lxqt-openssh-askpass/issues -Bug-Submit: https://github.com/lxqt/lxqt-openssh-askpass/issues/new -Changelog: https://github.com/lxqt/lxqt-openssh-askpass/blob/master/CHANGELOG -Repository: https://github.com/lxqt/lxqt-openssh-askpass -Repository-Browser: https://github.com/lxqt/lxqt-openssh-askpass -
  2. Download patch debian/rules

    --- 0.14.1-1/debian/rules 2019-02-26 01:00:56.000000000 +0000 +++ 0.15.0-0ubuntu1/debian/rules 2020-06-04 19:06:07.000000000 +0000 @@ -8,10 +8,8 @@ export DEB_BUILD_MAINT_OPTIONS = hardeni %: dh ${@} --buildsystem cmake -override_dh_missing: - dh_missing --fail-missing - override_dh_auto_configure: dh_auto_configure -- \ - -DUPDATE_TRANSLATIONS=OFF \ + -DPULL_TRANSLATIONS=OFF\ + -DUPDATE_TRANSLATIONS=OFF\ -DCMAKE_BUILD_TYPE=RelWithDebInfo
  3. Download patch debian/upstream/signing-key.asc

    --- 0.14.1-1/debian/upstream/signing-key.asc 2019-02-26 01:00:56.000000000 +0000 +++ 0.15.0-0ubuntu1/debian/upstream/signing-key.asc 2020-06-04 19:06:26.000000000 +0000 @@ -1,50 +1,52 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFXQeMMBEACif4+9pTrC6uNmRng0ZbzLh7p3cazmbnp2YFgDQDJZ7ZNmebxy -ngRuRhjGuDcFAL/37BwJnrBpfZFK9ljoH4Fo5Jm9cOELaTy7AIcEiV9dKMyrKF1E -C76d8jHVuzuPbI92DkFdLZAdk+qjrrAy0x43PvUd+aaBGLcFs1ZMk7gOvElc2d95 -zWWSp5anjukmGbp+EsStnWJkF6VHj56qmklfYy5ioiVBOSpXo/RsACAcIlz8C8A1 -d4tNMiB2uF2OrUfrL8DD6m3nBqep+AYbIQrxMl9kUQH3I33e9kH/L+SHQyE6phS8 -Czq06WjV4TcJ9VWxm7hQCNLYSxhZYYr1AW45lS5+xmfBOq2qeLgvjbFxa8PPrsp6 -Bqgt8MjwUkXjU5IB7YulUBvFU2l0MJZWDBuNy0oNtCe1cU3JyIqLKjvzQQQ9eD5L -o3Ul704TLHz0z+67Rxh05Mi4JvyFMjnooSJkNH8/7yXoBN0ZGOh1/5zMU1gK5bmP -6hKgis2exSZNIS74mF6/PqGgcwk3PyI4T3keUQoNPj11M2EznLHxY19QZfQ5oMed -8xOlHKjpcm8PYMB4gduNXlV7gI9h7UxuC5GuPiP2lmM6wUyHu48divxDk5UYgPEC -xlPI2wHCNDsuy0EruCYIvrMSZfpYCCSrmXiOORBLO5qXkauILLkJarHqjQARAQAB -tCBBbGYgR2FpZGEgPGFnYWlkYUBzaWR1Y3Rpb24ub3JnPokCOAQTAQIAIgUCVdB4 -wwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQQsnI069epeOT2xAAgSHf -41103cnElGf6TokPl4J6hdRPy2CUAjmBtMfr8eajYvGDGgnmsh9AGYGURjfFVCCf -Ag+8b6nF3xg03UmgsuSO8H78HGv9kKzF9aHmLt+SXq3jUX+LnIkFHErZWjFAKdJr -luu1j6ltxLe9PQljxZnugzMaUbW8eEPKvcriiDn3S4/DtikW/jpGA0MTY4ZWs9pZ -L/6iRRH99L2X/cWO4sCgDXCTt4oK0f5OvwiuCoVOM+PYoIm31JICCKOlqamkCn7d -2KH3nsy0v7tXgnrnb/zr8jVGsZLzUE51AFOzb5Ec74/2SAq8X4gbTppttLXEIooq -nbepitW/PePkPY5gpfwHtFbl88qFnir+ABMefqRZkzeh0tsxJVLVHGP1KZykXpv7 -96A6Q1h7Zo9Ny7WwN5Xl02g35LVCaPyzd3A8A4315uMuP3iziq57UktKqh9d5S3t -jfK7e9UfFQZBLfxn2sNPsjdYSNUQp/PXTTk/599h359WVuUIR866T8K7N7EEon3p -qLItZljQ9Nmr/yGwKi9iQgi2LtZj5KUcF1zBLzZKf95FvoqSZqBXdFSjm+eYGaCH -Q2IBnhyP92lEknSK9ystUJXmY69tQKBFqJxScwaS+7a/rfLKssQjSWxqk+SX4QeW -e9z9FUpo71bq0Zkc/M9aOCoEEmhg4Ob/JWy08oC5Ag0EVdB4wwEQAKZDCc/C41y0 -omLFCAJybvHiFScM+jOpyGpQvceoviEhIT7h1br/pnSEMkgPQEDPWJGtKueg1/94 -sXTH24uefr3Y6JdZoBtprxl4JXUoOndgq1QH1xuUsy3/9YWU8Qboy9j8a8w0oCDE -T8Z03KHCwqzD3K+44jhmhF+0eLoaaY8ohS8ziP+DcFKVHyatmS5yCCdjVrj6PxMp -uy/y5SXT1kmiPdVAIzQlM5DlN6o46TV+BH0pPvVYjtwf31o0FckJxy5S1v0koCNB -vX2b7tTDPKzn8G18eUVhGoUTZBUCp1gg36wJ0YY4xgZ9vI/xDCeHeAkyvGtaTAoy -qP4rHoUO5KVRSDh7frSlrdbLGWHaQwOhcqoKd4qP/164wHPGkgHL1vztdOc7l1wx -q3gMh2uwmJR0NRrw4WVuaIqL9lEbGBNijlmGsuqXfsMRhc/qoqgVDWvrcCtEoOwl -TONGobW3jpCCjpa9SeGNjxuY6IVLn0lfX4hItNVY9sFA+H+yj4uBQ7zsmMUXafxt -Yllm0f98yGNg5lnJg4bLOYu3IkpogUKNA3qkZ+6vRtwH70/bJGp7qdx/3G4W5dMX -asd/rJjdELW+R/NVULAmK1ETSklaa3Z6vbTu8bN8gvP8pmMJ8f/U8+qzkuAqc201 -Z4O+s7ZsQfTiz5mm7zPGIYTnppDSno/rABEBAAGJAh8EGAECAAkFAlXQeMMCGwwA -CgkQQsnI069epeMt0g/+JrwLhULD6NOxaLgxboh/KZkh/7ViU4cB+QPT8JIcWxkZ -zj8uk85TUitEUzKmjp/ItCrhQE5WNNWbz/FBnAuLtaQuHhcHMA3Vu95UUCGi1vyZ -ZRlS3YRM6S9BOzrjG7fGQJmO/RU3g6rb0TAwGFxDHj8t4JEDTc3zASG7wV/VTn06 -d8XIH9CZOw3kUuhkQ3OR/PEj1BCeCC+caC+tBjO0fgvDp8RV7NFQQ9kH8R3/xlWd -6KMPtILE6fUft6LubWRGd1P5JBuzXivELolASajewbYtL/s87CCji3ngq0aT9raK -m02wqFzNbX1iv+w2iqPQXq6pdRyxtJ8+Q8Z7zEBGJS5nkrYjsLTduZIjJHYHYH7f -3/ydVjQ3z12iqHKElgaRI7RUmpNiNxVIr+TtuxzeC6G+CF++XNkUtJODvCmRaoJS -waYsitz8+LSv3tawZJ0iQkKc9nerQMuBD+AzIr3i4NgXiEIN513esUtnKzeyIIsL -ntUcBjXKuLCj8OZrZtexjq7edWWbN57/3ikyS2Z7y0i3O30qk5jmccSaS6kA7xTY -WCDFzbN2v2y+vGu9KYn+2HtrP2BtNa8JTh3waNeLUTpn4GV4mMrsZjOy6vhhHb91 -1TKfI1gvjk7lE9xaWmcDjdI55dw3jIq8kK9SdgORGq9/S3g7KJNRjme+6GjqQfk= -=h7ww +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF6cxrwBEADfl3ydxNfLBbWGPesXty2baQgixZ3D6aCxadI2kX+aikmT8rd0 +ttDKN18cXV52Ssxnj0qhgf4hwnu/b0be6BzqSEyGM+UQR3X2CYpxrMakfW32Q18K +X5ec0RPR2ucBq9G0r9t6FYC8FkJ4uQUU3xxrLW3z302S0Makjgzm8BV9WrFQ7oFF +uJQj0BHbHYC4RyaZb2AfxY4Y92BPGTjtGekWqgw6vEXCCnvAbGYVQzvxZt3nw21/ +1YmV4g7xhGFQPbOf9v3ejFUJeJIGzuJf5NAh7kvfCdUBAGYH0gnj0GpOve4ftnaG +sAId2CQwm3oYF4Tu7yBPTOBpkaKkNaT+UdwTyeKERuCZ9ocZWX++/YF9ItRkJ5mM +zoP1GluWn2atNWpRh/K97gyAGgr2fSmrAA4d1JrVbMujZAHoHAOKwJKqX9jPziPZ +BFHfhcIOzG3ZhXAuumHsd7uwfPBVt20g+G+cOjBghbSSu9EOtMkAZl1g3ybvZixu +Jtxa5exZWEmU7vtytEb8eq9Dj5XcGoTDbErE2RpJ/20HPzhyRKg9RN4iGS+0OiHS +oRbDi5IEOizvQjp2bsBmfa3rsoDSOqF2pevp+u8I56I6bU1GFpxxNC5IGvgo2Q79 +quz0oIk5hs3eLlUdEYsLGwR6pWJaJyf36vuDsq7iLrLyvHI5irAowO4r1QARAQAB +tCVQZWRyYW0gUG91cmFuZyA8dHN1amFuMjAwMEBnbWFpbC5jb20+iQJOBBMBCAA4 +FiEEGd/fOleb1QnbtXLYvnkwB60i334FAl6cxrwCGwMFCwkIBwIGFQoJCAsCBBYC +AwECHgECF4AACgkQvnkwB60i335f9RAAgRpn8gUa/l10UkVAnpM2Cz0MuNMwwCOq +IfVnuZuPBtYYiTU5Su++/aPZe3fF5B4v61F+XjNi7qeVL2t52X3jZ/iIx9Syasb+ +vDAIfQ5t6lKXvOptWxf6vteOg6CHbXwpGHbPjUkUS2vQwRikjBnR0SnkrMoXtgSX +amPFqsitNrOhEJfeDfo0NzKESZuliWrCFt2v8c5q18G8cCZAvPLBlGuwRl58cDep +3EIibMI/9MUSJbKoiHlK+LcHtG7BQTNis/e7Pe1PkRmExfhxe1lNajtOx8FO72Tq +B6zY6drippM9VaIc1M+zp9BRpsFu8whOmapCqlXHRgAK8xTdQRIGInQFqLWPOxSC +f0B6N+EvQvgkyFQ1rW+u91OJBma46uKkhrwf+mDttVRncaIAkgE6e6pqm18yIPFk +D42rt/yHcOl+2qkcJS3gPcg5UvlCzqOwg1rKZQIk+TcPuDx3r2UghDEYZN9X6vw3 +zCBufr7ygZNf4tkbnVARFWTR4GzyCseFkWgOVZL9DccAhs8NeMy1WLkUzB75adeR +3LONmEL7xOI8FuknKY4e6EcWhmstNIDgXfRe0hwO0VBdW3unoZC/K2ZM/ZuZyMdK +TFjvYJrNewmymKge68wo0054bGZn8oz17i2AosJz7kW+ITsxmxhVcpfl4bav9Neq +RpQwhnhK9bC5Ag0EXpzGvAEQANbeRHFbpgQVIqV9WVOVnTj4FIqrTPTPKKa02vJA +7tGpgFapgvjdxnMxJfV6wuwOBUUFLR7DrXlV8EVFAYc5qTIeSQXvJsWw6gQ3+f0D +z13oGOhZPBIzIKnV/MZI/jhIio8kSPWAuM5hR2X9Hvw3/CLo+H+hZZ6cFYoCxrQS +tTzcKMkdQizLLa+WNbqUSxg6I/P5k/smUDY9gKW7RtI5t/PupA3WTnsVD6CYWa3Q +c1O/1mUgqT6nQ5N9KCPpjZQRT6D6eIMmePtS85z4PPeYMJxPsKRYWPGRxKhCSdZl +/0wsC8aRtmwYT729e0ZgTAmUnj+rQp5hboF/ZPFjIoXR9G+0HnoY0a/nqVO4lUON +AV25GnMFGVyiHHlbH/0gboywwnzEg8BZbk+Z/61oOzBIW09sfG8fn8bsbkpL+nHf +Mi/Vauge6wSfw7I5AfSiwrSDNHmKVsu39koWV6JGxEeFr2MffF+CuaoJCNOr/ZII +SYR5ku3Y/lMKyUH1Oas0RWzFrdRcInqYK90A0x083zP4V445MvCwbRPzQAkm9wOP +kILLhE5FW+9/O0/9bpx4joJUDLV4d3hFZy7GSHKiZUs1QW6BV75JQKqoi+cVt+/L ++o1S8CMNekjqdC2mWRosM3doo51zT/FWNzQA1QcoZP2hORJDfw66y+4wPq6o8y1W +jR35ABEBAAGJAjYEGAEIACAWIQQZ3986V5vVCdu1cti+eTAHrSLffgUCXpzGvAIb +DAAKCRC+eTAHrSLffgbJD/4qW5YOo/BayBhaUh2L7VP7JNlECb/2xNNOFKI1NjNr +nOmgSJLzf74Uhmt5W+iVjmJBHrDceprIPkizmPrn90kIsPIMtHIDNxzUgKZHbnza +j1vZyAeC+JV79X1hOVpprj1TJwy65lpxXNyYnGqeIOgyFokn9fOHXv8aMQwpNuUr +bdUJ1C75jYrvwy/NR1DczIFFYgsbkDGDtjVBjyMc5JAgvUBz37/iVPJfWP6dKVnf +abRnUVzHgvgK7bnab00SA1TiWvjHURGjo+5rnRtv8X/AgStc2Phjq68TMIgMn0F2 +kjUVvfQotNqzo9madNshvUDmsGtAzKh4e0dS1ear7u3nRp4Z7fqSrTEtXKNbEPwZ +wdWrWmmQLacNQBSe/FtcMzGF6xIVr4lnrL0bFjqBdQpdTC7vns3QSKk8/GFiEfpv +kzXrDbGV7jX2OWDjNHKcmXX2+E1CsNaJgS7zOgZw5jvbvlTLJUwyYNlM1VLI2OFW +Oa86l8pqli+B7rpTbsAE9Ut8qUaWjm87oUNSJbaKgqNnMaE+b/8VJaEeWHgQJwsD +bJSJ/O/vzlRtDjOJ1JDlMRLs7TnOFeUh5pgwyaJoidYbJEiGlMGJbI6BjwhDTBFO +NLJtd3SsRjc7ICtGdCvej59IvCDTjxtkhx5okF03APi1aXpHQrE18/arFD7BpoGO +sw== +=gSIv -----END PGP PUBLIC KEY BLOCK-----
  4. Download patch debian/control

    --- 0.14.1-1/debian/control 2019-02-26 01:01:45.000000000 +0000 +++ 0.15.0-0ubuntu1/debian/control 2020-06-04 19:06:26.000000000 +0000 @@ -1,5 +1,6 @@ Source: lxqt-openssh-askpass -Maintainer: LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org> +Maintainer: Lubuntu Developers <lubuntu-devel@lists.ubuntu.com> +XSBC-Original-Maintainer: LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org> Uploaders: Alf Gaida <agaida@siduction.org>, ChangZhuo Chen (陳昌倬) <czchen@debian.org>, Andrew Lee (李健秋) <ajqlee@debian.org>, @@ -9,23 +10,22 @@ Section: x11 Priority: optional Build-Depends: debhelper-compat (= 12), libkf5windowsystem-dev, - liblxqt0-dev (>= 0.14.1~), + liblxqt0-dev (>= 0.15.0), libqt5svg5-dev, libqt5x11extras5-dev, libx11-dev -Standards-Version: 4.3.0 -Vcs-Browser: https://salsa.debian.org/lxqt-team/lxqt-openssh-askpass -Vcs-Git: https://salsa.debian.org/lxqt-team/lxqt-openssh-askpass.git +Standards-Version: 4.5.0 +Vcs-Browser: https://phab.lubuntu.me/source/lxqt-openssh-askpass/ +Vcs-Git: https://phab.lubuntu.me/source/lxqt-openssh-askpass.git +XS-Debian-Vcs-Browser: https://salsa.debian.org/lxqt-team/lxqt-openssh-askpass +XS-Debian-Vcs-Git: https://salsa.debian.org/lxqt-team/lxqt-openssh-askpass.git Homepage: https://github.com/lxqt/lxqt-openssh-askpass Package: lxqt-openssh-askpass Architecture: any Provides: ssh-askpass -Depends: ${misc:Depends}, - ${shlibs:Depends}, -Recommends: lxqt-openssh-askpass-l10n, - lxqt-qtplugin, - lxqt-session +Depends: ${misc:Depends}, ${shlibs:Depends} +Recommends: lxqt-openssh-askpass-l10n, lxqt-qtplugin, lxqt-session Suggests: lxqt | lxqt-core Description: OpenSSH user/password GUI dialog for LXQt This module handles openssh security password access for LXQt. The openssh @@ -56,9 +56,8 @@ Package: lxqt-openssh-askpass-l10n Architecture: all Multi-Arch: foreign Section: localization -Depends: ${misc:Depends}, - qttranslations5-l10n +Depends: qttranslations5-l10n, ${misc:Depends} Breaks: lxqt-openssh-askpass (<< 0.11.0) Replaces: lxqt-openssh-askpass (<< 0.11.0) Description: Language package for lxqt-openssh-askpass - This package contains the l10n files needed by the lxqt-openssh-askpass. + This package contains the l10n files needed by lxqt-openssh-askpass.
  5. Download patch CHANGELOG

    --- 0.14.1-1/CHANGELOG 2019-02-25 22:11:13.000000000 +0000 +++ 0.15.0-0ubuntu1/CHANGELOG 2020-04-23 21:10:05.000000000 +0000 @@ -1,3 +1,8 @@ +lxqt-openssh-askpass-0.15.0 / 2020-04-23 +======================================== + * Bumped version to 0.15.0. + * Removed (duplicated) string casts definitions. + lxqt-openssh-askpass-0.14.1 / 2019-02-25 ========================================
  6. Download patch debian/manpages

    --- 0.14.1-1/debian/manpages 2019-02-26 01:00:56.000000000 +0000 +++ 0.15.0-0ubuntu1/debian/manpages 2020-06-04 19:06:07.000000000 +0000 @@ -1 +1 @@ -usr/share/man/man1/lxqt-openssh-askpass.1 +man/lxqt-openssh-askpass.1
  7. Download patch translations/lxqt-openssh-askpass_sk_SK.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_sk_SK.ts 1970-01-01 00:00:00.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_sk_SK.ts 2020-04-23 21:10:05.000000000 +0000 @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE TS> +<TS version="2.1" language="sk_SK"> +<context> + <name>MainWindow</name> + <message> + <location filename="../src/mainwindow.ui" line="14"/> + <source>OpenSSH Authentication Passphrase request</source> + <translation>Požiadavka na overenie heslovej frázy OpenSSH</translation> + </message> + <message> + <location filename="../src/mainwindow.ui" line="20"/> + <source>Enter your SSH passphrase for request:</source> + <translation>Zadajte SSH heslovú frázu:</translation> + </message> +</context> +<context> + <name>QObject</name> + <message> + <location filename="../src/main.cpp" line="52"/> + <source>unknown request</source> + <translation>Neznáma požiadavka</translation> + </message> +</context> +</TS>
  8. Download patch CMakeLists.txt

    --- 0.14.1-1/CMakeLists.txt 2019-02-25 22:11:13.000000000 +0000 +++ 0.15.0-0ubuntu1/CMakeLists.txt 2020-04-23 21:10:05.000000000 +0000 @@ -16,8 +16,8 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) option(UPDATE_TRANSLATIONS "Update source translation translations/*.ts files" OFF) # Minimum Versions -set(LXQT_MINIMUM_VERSION "0.14.1") -set(QT_MINIMUM_VERSION "5.7.1") +set(LXQT_MINIMUM_VERSION "0.15.0") +set(QT_MINIMUM_VERSION "5.10.0") find_package(Qt5LinguistTools ${QT_MINIMUM_VERSION} REQUIRED) find_package(Qt5Widgets ${QT_MINIMUM_VERSION} REQUIRED) @@ -25,9 +25,9 @@ find_package(lxqt ${LXQT_MINIMUM_VERSION message(STATUS "Building with Qt${Qt5Core_VERSION}") # Patch Version -set(LXQT_ASKPASS_PATCH_VERSION 1) +set(LXQT_ASKPASS_PATCH_VERSION 0) -set(LXQT_ASKPASS_VERSION ${LXQT_MAJOR_VERSION}.${LXQT_MINOR_VERSION}.${LXQT_ADMIN_ASKPASS_VERSION}) +set(LXQT_ASKPASS_VERSION ${LXQT_MAJOR_VERSION}.${LXQT_MINOR_VERSION}.${LXQT_ASKPASS_PATCH_VERSION}) add_definitions("-DLXQT_ASKPASS_VERSION=\"${LXQT_ASKPASS_VERSION}\"") include(LXQtPreventInSourceBuilds) @@ -70,14 +70,6 @@ add_executable(lxqt-openssh-askpass ${lxqt-openssh_QM_LOADER} ) -target_compile_definitions(lxqt-openssh-askpass - PRIVATE - "QT_NO_CAST_FROM_ASCII" - "QT_NO_CAST_TO_ASCII" - "QT_NO_URL_CAST_FROM_STRING" - "QT_NO_CAST_FROM_BYTEARRAY" -) - target_link_libraries(lxqt-openssh-askpass Qt5::Widgets lxqt
  9. Download patch translations/lxqt-openssh-askpass_arn.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_arn.ts 1970-01-01 00:00:00.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_arn.ts 2020-04-23 21:10:05.000000000 +0000 @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE TS> +<TS version="2.1" language="arn"> +<context> + <name>MainWindow</name> + <message> + <location filename="../src/mainwindow.ui" line="14"/> + <source>OpenSSH Authentication Passphrase request</source> + <translation type="unfinished"></translation> + </message> + <message> + <location filename="../src/mainwindow.ui" line="20"/> + <source>Enter your SSH passphrase for request:</source> + <translation type="unfinished"></translation> + </message> +</context> +<context> + <name>QObject</name> + <message> + <location filename="../src/main.cpp" line="52"/> + <source>unknown request</source> + <translation type="unfinished"></translation> + </message> +</context> +</TS>
  10. Download patch translations/lxqt-openssh-askpass_ast.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_ast.ts 1970-01-01 00:00:00.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_ast.ts 2020-04-23 21:10:05.000000000 +0000 @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE TS> +<TS version="2.1" language="ast"> +<context> + <name>MainWindow</name> + <message> + <location filename="../src/mainwindow.ui" line="14"/> + <source>OpenSSH Authentication Passphrase request</source> + <translation type="unfinished"></translation> + </message> + <message> + <location filename="../src/mainwindow.ui" line="20"/> + <source>Enter your SSH passphrase for request:</source> + <translation type="unfinished"></translation> + </message> +</context> +<context> + <name>QObject</name> + <message> + <location filename="../src/main.cpp" line="52"/> + <source>unknown request</source> + <translation type="unfinished"></translation> + </message> +</context> +</TS>
  11. Download patch translations/lxqt-openssh-askpass_en_GB.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_en_GB.ts 1970-01-01 00:00:00.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_en_GB.ts 2020-04-23 21:10:05.000000000 +0000 @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE TS> +<TS version="2.1" language="en_GB"> +<context> + <name>MainWindow</name> + <message> + <location filename="../src/mainwindow.ui" line="14"/> + <source>OpenSSH Authentication Passphrase request</source> + <translation>OpenSSH Authentication Passphrase request</translation> + </message> + <message> + <location filename="../src/mainwindow.ui" line="20"/> + <source>Enter your SSH passphrase for request:</source> + <translation>Enter your SSH passphrase for request:</translation> + </message> +</context> +<context> + <name>QObject</name> + <message> + <location filename="../src/main.cpp" line="52"/> + <source>unknown request</source> + <translation>unknown request</translation> + </message> +</context> +</TS>
  12. Download patch translations/lxqt-openssh-askpass_fr.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_fr.ts 2019-02-25 22:11:13.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_fr.ts 2020-04-23 21:10:05.000000000 +0000 @@ -11,7 +11,7 @@ <message> <location filename="../src/mainwindow.ui" line="20"/> <source>Enter your SSH passphrase for request:</source> - <translation>Entrez votre mot de passe SSH pour la requête :</translation> + <translation>Entrer votre mot de passe SSH pour la requête :</translation> </message> </context> <context>
  13. Download patch translations/lxqt-openssh-askpass_sv.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_sv.ts 1970-01-01 00:00:00.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_sv.ts 2020-04-23 21:10:05.000000000 +0000 @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE TS> +<TS version="2.1" language="sv"> +<context> + <name>MainWindow</name> + <message> + <location filename="../src/mainwindow.ui" line="14"/> + <source>OpenSSH Authentication Passphrase request</source> + <translation>OpenSSH Autentisering lösenord</translation> + </message> + <message> + <location filename="../src/mainwindow.ui" line="20"/> + <source>Enter your SSH passphrase for request:</source> + <translation>Ange ditt SSH-lösenord för begäran:</translation> + </message> +</context> +<context> + <name>QObject</name> + <message> + <location filename="../src/main.cpp" line="52"/> + <source>unknown request</source> + <translation>okänd begäran</translation> + </message> +</context> +</TS>
  14. Download patch debian/copyright
  15. Download patch translations/lxqt-openssh-askpass_cs.ts

    --- 0.14.1-1/translations/lxqt-openssh-askpass_cs.ts 2019-02-25 22:11:13.000000000 +0000 +++ 0.15.0-0ubuntu1/translations/lxqt-openssh-askpass_cs.ts 2020-04-23 21:10:05.000000000 +0000 @@ -6,12 +6,12 @@ <message> <location filename="../src/mainwindow.ui" line="14"/> <source>OpenSSH Authentication Passphrase request</source> - <translation>Požadavek na ověření heslovou frází OpenSSH</translation> + <translation>Požadavek z OpenSSH na ověření se heslovou frází</translation> </message> <message> <location filename="../src/mainwindow.ui" line="20"/> <source>Enter your SSH passphrase for request:</source> - <translation>Zadejte SSH heslovou frázi:</translation> + <translation>Zadejte heslovou frázi pro SSH:</translation> </message> </context> <context>

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: nss

nss (2:3.55-1ubuntu3) groovy; urgency=medium * Fix FTBFS due to erroneous glibc out-of-bounds checking with gcc 10 (LP: #1897666) - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise -- Alex Murray <alex.murray@canonical.com> Tue, 29 Sep 2020 10:39:29 +0930 nss (2:3.55-1ubuntu1) groovy; urgency=medium * Merge with Debian unstable. Remaining changes: - d/libnss3.links: make freebl3 available as library (LP #1744328) - d/control: add dh-exec to Build-Depends - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734) - Set TLSv1.2 as minimum TLS version. LP #1856428 - Symlink chk files to fix self-verification in FIPS mode (LP #1885562) * Added changes: - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x. -- Eduardo Barretto <eduardo.barretto@canonical.com> Mon, 17 Aug 2020 16:57:03 -0300

Modifications :
  1. Download patch debian/rules

    --- 2:3.55-1/debian/rules 2019-06-04 21:39:35.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/rules 2020-08-17 19:57:03.000000000 +0000 @@ -175,7 +175,7 @@ override_dh_strip: ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) # Check FIPS mode correctly works - mkdir debian/tmp + mkdir -p debian/tmp LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null endif
  2. Download patch debian/control

    --- 2:3.55-1/debian/control 2019-12-28 22:00:11.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/control 2020-08-17 19:57:03.000000000 +0000 @@ -1,9 +1,11 @@ Source: nss Section: libs Priority: optional -Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> Uploaders: Mike Hommey <glandium@debian.org> Build-Depends: debhelper (>= 9.20160403), + dh-exec, dpkg-dev (>= 1.17.14), libnspr4-dev (>= 2:4.24), zlib1g-dev,
  3. Download patch debian/libnss3.links
  4. Download patch debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch

    --- 2:3.55-1/debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch 2020-09-29 01:09:29.000000000 +0000 @@ -0,0 +1,31 @@ +Description: Fix FTBFS due to erroneous nonnull annotation in glibc getcwd() +Author: Alex Murray <alex.murray@canonical.com> + +This is still unresolved upstream but workaround it for now with this patch +to just disable the nonnull warnings via gcc pragmas around these call +sites + +Upstream bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96832 +--- a/nss/coreconf/nsinstall/nsinstall.c ++++ b/nss/coreconf/nsinstall/nsinstall.c +@@ -236,14 +236,20 @@ main(int argc, char **argv) + return 0; + + if (!cwd) { ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wnonnull" + cwd = GETCWD(0, PATH_MAX); ++#pragma GCC diagnostic pop + if (!cwd) + fail("could not get CWD"); + } + + /* make sure we can get into todir. */ + xchdir(todir); ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wnonnull" + todir = GETCWD(0, PATH_MAX); ++#pragma GCC diagnostic pop + if (!todir) + fail("could not get CWD in todir"); + tdlen = strlen(todir);
  5. Download patch debian/patches/fix-ftbfs-s390x.patch

    --- 2:3.55-1/debian/patches/fix-ftbfs-s390x.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/patches/fix-ftbfs-s390x.patch 2020-08-17 19:57:03.000000000 +0000 @@ -0,0 +1,122 @@ +Description: Fix FTBFS on s390x + error: ‘element’ may be used uninitialized in this function + error: ‘cmpResult’ may be used uninitialized in this function + error: ‘value’ may be used uninitialized in this function + error: sprintf may write a terminating nul past the end of the destination +Author: Eduardo Barretto <eduardo.barretto@canonical.com> + +--- nss-3.55.orig/nss/cmd/certutil/certext.c ++++ nss-3.55/nss/cmd/certutil/certext.c +@@ -327,7 +327,7 @@ AddKeyUsage(void *extHandle, const char + SECItem bitStringValue; + unsigned char keyUsage = 0x0; + char buffer[5]; +- int value; ++ int value = 0; + char *nextPos = (char *)userSuppliedValue; + PRBool isCriticalExt = PR_FALSE; + +@@ -510,7 +510,7 @@ static SECStatus + AddExtKeyUsage(void *extHandle, const char *userSuppliedValue) + { + char buffer[5]; +- int value; ++ int value = 0; + CERTOidSequence *os; + SECStatus rv; + SECItem *item; +@@ -664,7 +664,7 @@ AddNscpCertType(void *extHandle, const c + SECItem bitStringValue; + unsigned char keyUsage = 0x0; + char buffer[5]; +- int value; ++ int value = 0; + char *nextPos = (char *)userSuppliedValue; + PRBool isCriticalExt = PR_FALSE; + +--- nss-3.55.orig/nss/cmd/modutil/install.c ++++ nss-3.55/nss/cmd/modutil/install.c +@@ -816,6 +816,7 @@ rm_dash_r(char *path) + PRDirEntry *entry; + PRFileInfo fileinfo; + char filename[240]; ++ int count; + + if (PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) { + /*fprintf(stderr, "Error: Unable to access %s\n", filename);*/ +@@ -830,7 +831,11 @@ rm_dash_r(char *path) + + /* Recursively delete all entries in the directory */ + while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) { +- sprintf(filename, "%s/%s", path, entry->name); ++ count = snprintf(filename, sizeof(filename), "%s/%s", path, entry->name); ++ if (count >= sizeof(filename)) { ++ PR_fprintf(PR_STDERR, "Error: Unable to find filename %s\n", filename); ++ return -1; ++ } + if (rm_dash_r(filename)) { + PR_CloseDir(dir); + return -1; +--- nss-3.55.orig/nss/cmd/signtool/util.c ++++ nss-3.55/nss/cmd/signtool/util.c +@@ -121,6 +121,7 @@ rm_dash_r(char *path) + PRDirEntry *entry; + PRFileInfo fileinfo; + char filename[FNSIZE]; ++ int count; + + if (PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) { + /*fprintf(stderr, "Error: Unable to access %s\n", filename);*/ +@@ -137,7 +138,12 @@ rm_dash_r(char *path) + + /* Recursively delete all entries in the directory */ + while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) { +- sprintf(filename, "%s/%s", path, entry->name); ++ count = snprintf(filename, sizeof(filename), "%s/%s", path, entry->name); ++ if (count >= sizeof(filename)) { ++ PR_fprintf(errorFD, "Error: Unable to find filename %s.\n", filename); ++ errorCount++; ++ exit(ERRX); ++ } + if (rm_dash_r(filename)) + return -1; + } +--- nss-3.55.orig/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc ++++ nss-3.55/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc +@@ -157,12 +157,12 @@ class TlsCipherSuiteTestBase : public Tl + EXPECT_EQ(cipher_suite_, actual); + EXPECT_TRUE(server_->cipher_suite(&actual)); + EXPECT_EQ(cipher_suite_, actual); +- SSLAuthType auth; ++ SSLAuthType auth = {}; + EXPECT_TRUE(client_->auth_type(&auth)); + EXPECT_EQ(auth_type_, auth); + EXPECT_TRUE(server_->auth_type(&auth)); + EXPECT_EQ(auth_type_, auth); +- SSLKEAType kea; ++ SSLKEAType kea = {}; + EXPECT_TRUE(client_->kea_type(&kea)); + EXPECT_EQ(kea_type_, kea); + EXPECT_TRUE(server_->kea_type(&kea)); +--- nss-3.55.orig/nss/lib/libpkix/pkix/util/pkix_list.c ++++ nss-3.55/nss/lib/libpkix/pkix/util/pkix_list.c +@@ -1535,7 +1535,7 @@ PKIX_List_SetItem( + PKIX_PL_Object *item, + void *plContext) + { +- PKIX_List *element; ++ PKIX_List *element = NULL; + + PKIX_ENTER(LIST, "PKIX_List_SetItem"); + PKIX_NULLCHECK_ONE(list); +--- nss-3.55.orig/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c ++++ nss-3.55/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c +@@ -107,7 +107,7 @@ pkix_pl_OID_Equals( + PKIX_Boolean *pResult, + void *plContext) + { +- PKIX_Int32 cmpResult; ++ PKIX_Int32 cmpResult = 0; + + PKIX_ENTER(OID, "pkix_pl_OID_Equals"); + PKIX_NULLCHECK_THREE(first, second, pResult);
  6. Download patch debian/patches/series

    --- 2:3.55-1/debian/patches/series 2020-07-29 05:00:17.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/patches/series 2020-09-29 01:09:29.000000000 +0000 @@ -2,3 +2,7 @@ 80_security_tools.patch 85_security_load.patch 38_hppa.patch +disable_fips_enabled_read.patch +set-tls1.2-as-minimum.patch +fix-ftbfs-s390x.patch +fix-ftbfs-glibc-invalid-oob-error.patch
  7. Download patch debian/patches/set-tls1.2-as-minimum.patch

    --- 2:3.55-1/debian/patches/set-tls1.2-as-minimum.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/patches/set-tls1.2-as-minimum.patch 2020-08-17 19:57:03.000000000 +0000 @@ -0,0 +1,17 @@ +Description: Set TLSv1.2 as minimum TLS version. LP: #1856428 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428 + + +Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c +=================================================================== +--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c ++++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c +@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = { + * default range of enabled SSL/TLS protocols + */ + static SSLVersionRange versions_defaults_stream = { +- SSL_LIBRARY_VERSION_TLS_1_0, ++ SSL_LIBRARY_VERSION_TLS_1_2, + SSL_LIBRARY_VERSION_TLS_1_3 + }; +
  8. Download patch debian/patches/disable_fips_enabled_read.patch

    --- 2:3.55-1/debian/patches/disable_fips_enabled_read.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:3.55-1ubuntu3/debian/patches/disable_fips_enabled_read.patch 2020-08-17 19:57:03.000000000 +0000 @@ -0,0 +1,49 @@ +commit 16996a9156c9ff2924bdb19ff43d40617a41c912 +Author: Vineetha Kamath <vineetha.hari.pai@canonical.com> +Date: Tue Jul 23 15:32:32 2019 -0400 + +From: Vineetha Kamath<vineetha.hari.pai@canonical.com> +Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled +file and going into FIPS mode. libnss is not a FIPS +certified library. +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734 +Forwarded: not-needed + +Index: nss/nss/lib/freebl/nsslowhash.c +=================================================================== +--- nss.orig/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.964346182 -0400 ++++ nss/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.960346213 -0400 +@@ -27,11 +27,13 @@ + nsslow_GetFIPSEnabled(void) + { + #ifdef LINUX +- FILE *f; ++ FILE *f = NULL; + char d; + size_t size; + ++#if 0 + f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++#endif + if (!f) + return 0; + +Index: nss/nss/lib/sysinit/nsssysinit.c +=================================================================== +--- nss.orig/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:37.964346182 -0400 ++++ nss/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:59.844174516 -0400 +@@ -171,11 +171,13 @@ + getFIPSMode(void) + { + #ifndef NSS_FIPS_DISABLED +- FILE *f; ++ FILE *f = NULL; + char d; + size_t size; + ++#if 0 + f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++#endif + if (!f) { + /* if we don't have a proc flag, fall back to the + * environment variable */

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: nss-pem

nss-pem (1.0.6-2ubuntu1) groovy; urgency=medium * Fix FTBFS due to erroneous glibc out-of-bounds checking with gcc 10 - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise -- Balint Reczey <rbalint@ubuntu.com> Wed, 07 Oct 2020 23:00:16 +0200

Modifications :
  1. Download patch debian/control

    --- 1.0.6-2/debian/control 2020-06-23 09:26:35.000000000 +0000 +++ 1.0.6-2ubuntu1/debian/control 2020-10-07 21:00:16.000000000 +0000 @@ -1,7 +1,8 @@ Source: nss-pem Section: libs Priority: optional -Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org> Uploaders: Timo Aaltonen <tjaalton@debian.org> Build-Depends: debhelper (>= 10), cmake,
  2. Download patch debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch

    --- 1.0.6-2/debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.6-2ubuntu1/debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch 2020-10-07 21:00:16.000000000 +0000 @@ -0,0 +1,31 @@ +Description: Fix FTBFS due to erroneous nonnull annotation in glibc getcwd() +Author: Alex Murray <alex.murray@canonical.com> + +This is still unresolved upstream but workaround it for now with this patch +to just disable the nonnull warnings via gcc pragmas around these call +sites + +Upstream bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96832 +--- a/nss/nss/coreconf/nsinstall/nsinstall.c ++++ b/nss/nss/coreconf/nsinstall/nsinstall.c +@@ -236,14 +236,20 @@ main(int argc, char **argv) + return 0; + + if (!cwd) { ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wnonnull" + cwd = GETCWD(0, PATH_MAX); ++#pragma GCC diagnostic pop + if (!cwd) + fail("could not get CWD"); + } + + /* make sure we can get into todir. */ + xchdir(todir); ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wnonnull" + todir = GETCWD(0, PATH_MAX); ++#pragma GCC diagnostic pop + if (!todir) + fail("could not get CWD in todir"); + tdlen = strlen(todir);
  3. Download patch debian/patches/series

    --- 1.0.6-2/debian/patches/series 2020-09-25 04:01:46.000000000 +0000 +++ 1.0.6-2ubuntu1/debian/patches/series 2020-10-07 21:00:16.000000000 +0000 @@ -1,2 +1,3 @@ migrate-to-nss-names.diff fix-ftbfs-s390x.patch +fix-ftbfs-glibc-invalid-oob-error.patch

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: nss-wrapper

nss-wrapper (1.1.11-1ubuntu2) groovy; urgency=medium * d/t/tests: fix order of cmake arguments. -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 11 Sep 2020 15:41:18 -0300 nss-wrapper (1.1.11-1ubuntu1) groovy; urgency=medium * Make autopkgtests cross-test-friendly. -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Jun 2020 14:04:28 -0700

Modifications :
  1. Download patch debian/tests/control

    --- 1.1.11-1/debian/tests/control 2020-04-02 17:23:15.000000000 +0000 +++ 1.1.11-1ubuntu2/debian/tests/control 2020-06-10 21:03:08.000000000 +0000 @@ -1,10 +1,11 @@ Tests: tests Depends: libnss-wrapper, - gcc, libc-dev, - cmake (>= 2.8.8-3~), make, + build-essential, + libc6-dev, + cmake (>= 2.8.8-3~), libcmocka-dev, netbase Restrictions: allow-stderr Tests: adequate -Depends: libnss-wrapper, adequate +Depends: libnss-wrapper, adequate:native
  2. Download patch debian/control

    --- 1.1.11-1/debian/control 2020-04-02 18:44:47.000000000 +0000 +++ 1.1.11-1ubuntu2/debian/control 2020-06-10 21:04:28.000000000 +0000 @@ -1,7 +1,8 @@ Source: nss-wrapper Section: devel Priority: optional -Maintainer: Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org> Uploaders: Timo Aaltonen <tjaalton@debian.org> Build-Depends: debhelper-compat (= 12),
  3. Download patch debian/tests/tests

    --- 1.1.11-1/debian/tests/tests 2020-04-02 17:23:15.000000000 +0000 +++ 1.1.11-1ubuntu2/debian/tests/tests 2020-09-11 18:34:50.000000000 +0000 @@ -5,7 +5,19 @@ cd "$ADTTMP" rm -rf obj debian mkdir obj cd obj -cmake .. -DUNIT_TESTING=1 + +if [ -n "${DEB_HOST_GNU_TYPE:-}" ]; then + cat <<EOF > "$ADTTMP/toolchain.cmake" +set(CMAKE_C_COMPILER $DEB_HOST_GNU_TYPE-gcc) +set(CMAKE_CXX_COMPILER $DEB_HOST_GNU_TYPE-g++) +set(PKG_CONFIG_EXECUTABLE $DEB_HOST_GNU_TYPE-pkg-config) +EOF + CCFILE=-DCMAKE_TOOLCHAIN_FILE="$ADTTMP/toolchain.cmake" +else + CCFILE= +fi + +cmake "$CCFILE" -DUNIT_TESTING=1 .. make -C tests/ cd tests sed -e 's#\(LD_PRELOAD=\)[^;]*/\(libnss_wrapper.so\)#\1\2#' -i CTestTestfile.cmake

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: nsscache

nsscache (0.39-2ubuntu1) focal; urgency=medium * d/t/regtest: if apparmor is enabled, override the slapd profile before the test. (LP: #1862369) -- Andreas Hasenack <andreas@canonical.com> Fri, 07 Feb 2020 12:32:18 -0300

Modifications :
  1. Download patch debian/tests/regtest

    --- 0.39-2/debian/tests/regtest 2019-11-11 16:28:43.000000000 +0000 +++ 0.39-2ubuntu1/debian/tests/regtest 2020-02-07 15:32:18.000000000 +0000 @@ -13,7 +13,15 @@ else ARTIFACTS=${ADT_ARTIFACTS} fi +slapd_apparmor_bkp="${WORKDIR}/slapd_profile.bkp" +slapd_apparmor_override="/etc/apparmor.d/local/usr.sbin.slapd" +slapd_apparmor="/etc/apparmor.d/usr.sbin.slapd" + cleanup() { + if [[ -f "$slapd_apparmor_bkp" ]]; then + sudo mv "$slapd_apparmor_bkp" "$slapd_apparmor_override" + sudo /usr/sbin/apparmor_parser -r -T -W "$slapd_apparmor" + fi if [[ -e "$WORKDIR/slapd.pid" ]]; then kill -TERM $(cat $WORKDIR/slapd.pid) fi @@ -24,6 +32,28 @@ cleanup() { trap cleanup 0 INT QUIT ABRT PIPE TERM +apparmor_enabled() { + if [ -x /usr/sbin/aa-status ]; then + sudo /usr/sbin/aa-status --enabled && apparmor_enabled="0" || apparmor_enabled="1" + else + apparmor_enabled="1" + fi + return "$apparmor_enabled" +} + +override_apparmor() { + # backup existing override + cp -af "$slapd_apparmor_override" "$slapd_apparmor_bkp" + + # the test suite brings up a test slapd server running + # off /tmp/<tmpdir>. + echo "${WORKDIR}/ rw," | sudo tee "$slapd_apparmor_override" + echo "${WORKDIR}/** rwk," | sudo tee -a "$slapd_apparmor_override" + echo "${ARTIFACTS}/ rw," | sudo tee -a "$slapd_apparmor_override" + echo "${ARTIFACTS}/** rwk," | sudo tee -a "$slapd_apparmor_override" + sudo /usr/sbin/apparmor_parser -r -T -W "$slapd_apparmor" +} + setup_slapd() { set -e mkdir -p $WORKDIR/ldap @@ -101,6 +131,9 @@ check () { } check +if apparmor_enabled; then + override_apparmor +fi setup_slapd run_nsscache ldap nssdb run_nsscache ldap files

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: opendnssec

opendnssec (1:2.1.6-2ubuntu1) groovy; urgency=medium * Merge from Debian unstable. Remaining changes: - d/p/0016-mysql8_my_bool.patch: Reintroduce my_bool to fix build with MySQL 8. -- Logan Rosen <logan@ubuntu.com> Sun, 16 Aug 2020 14:55:35 -0400

Modifications :
  1. Download patch debian/control

    --- 1:2.1.6-2/debian/control 2020-02-26 13:03:00.000000000 +0000 +++ 1:2.1.6-2ubuntu1/debian/control 2020-07-27 21:46:41.000000000 +0000 @@ -1,7 +1,8 @@ Source: opendnssec Section: admin Priority: optional -Maintainer: Mathieu Mirmont <mat@parad0x.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Mathieu Mirmont <mat@parad0x.org> Uploaders: Timo Aaltonen <tjaalton@debian.org> Build-Depends: debhelper-compat (= 12),
  2. Download patch debian/patches/0016-mysql8_my_bool.patch

    --- 1:2.1.6-2/debian/patches/0016-mysql8_my_bool.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.1.6-2ubuntu1/debian/patches/0016-mysql8_my_bool.patch 2020-02-14 17:40:22.000000000 +0000 @@ -0,0 +1,17 @@ +Description: Reintroduce my_bool to fix build with MySQL 8 +Author: Andreas Hasenack <andreas@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/gambas3/+bug/1863026 +Forwarded: no +Last-Update: 2020-02-12 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/enforcer/src/db/db_backend_mysql.c ++++ b/enforcer/src/db/db_backend_mysql.c +@@ -33,6 +33,7 @@ + #include "log.h" + + #include <mysql/mysql.h> ++typedef bool my_bool; + #include <stdlib.h> + #include <stdio.h> + #include <unistd.h>
  3. Download patch debian/patches/series

    --- 1:2.1.6-2/debian/patches/series 2020-07-27 08:54:43.000000000 +0000 +++ 1:2.1.6-2ubuntu1/debian/patches/series 2020-08-16 18:55:34.000000000 +0000 @@ -8,3 +8,4 @@ 0015-remove-strptime-build-warning.patch 0016-m4-acx_libxml2.m4-use-pkg-config-instead-of-xml2-con.patch 0010-Mark-symbols-extern-for-gcc-10.patch +0016-mysql8_my_bool.patch

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: openssl

openssl (1.1.1f-1ubuntu4) groovy; urgency=medium * Cherrypick upstream fix for non-interactive detection on Linux. LP: #1879826 * Cherrypick AES CTR-DRGB: performance improvement LP: #1799928 * Skip services restart & reboot notification if needrestart is in-use LP: #1895708 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 15 Sep 2020 18:04:36 +0100 openssl (1.1.1f-1ubuntu3) groovy; urgency=medium * Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 25 Jun 2020 14:18:43 +0100 openssl (1.1.1f-1ubuntu2) focal; urgency=medium * SECURITY UPDATE: Segmentation fault in SSL_check_chain - debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in test/recipes/70-test_sslsigalgs.t. - debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c. - debian/patches/CVE-2020-1967-3.patch: fix test in test/recipes/70-test_sslsigalgs.t. - debian/patches/CVE-2020-1967-4.patch: fix test in test/recipes/70-test_sslsigalgs.t. - CVE-2020-1967 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 20 Apr 2020 07:53:50 -0400 openssl (1.1.1f-1ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 03 Apr 2020 18:31:00 +0100

Modifications :
  1. Download patch debian/po/ca.po

    --- 1.1.1f-1/debian/po/ca.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ca.po 2020-04-01 15:57:22.000000000 +0000 @@ -94,5 +94,24 @@ msgstr "" "Aquests els haureu d'iniciar manualment executant «/etc/init.d/<servei> " "start»." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + #~ msgid "${services}" #~ msgstr "${services}"
  2. Download patch debian/patches/0024-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-a.patch
  3. Download patch debian/patches/0001-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  4. Download patch debian/tests/control

    --- 1.1.1f-1/debian/tests/control 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/tests/control 2020-04-01 15:57:11.000000000 +0000 @@ -1,3 +1,3 @@ Tests: run-25-test-verify -Depends: openssl, perl +Depends: openssl, perl:native Restrictions: rw-build-tree, allow-stderr
  5. Download patch debian/po/lt.po

    --- 1.1.1f-1/debian/po/lt.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/lt.po 2020-04-01 15:57:22.000000000 +0000 @@ -103,3 +103,22 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  6. Download patch debian/patches/pic.patch

    --- 1.1.1f-1/debian/patches/pic.patch 2020-03-31 21:49:47.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/pic.patch 2020-06-25 13:18:26.000000000 +0000 @@ -9,10 +9,10 @@ Subject: pic crypto/x86cpuid.pl | 10 +++++----- 4 files changed, 55 insertions(+), 12 deletions(-) -diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl -index ef7054e27506..50765d2b1552 100644 ---- a/crypto/des/asm/desboth.pl -+++ b/crypto/des/asm/desboth.pl +Index: openssl-1.1.1f/crypto/des/asm/desboth.pl +=================================================================== +--- openssl-1.1.1f.orig/crypto/des/asm/desboth.pl ++++ openssl-1.1.1f/crypto/des/asm/desboth.pl @@ -23,6 +23,11 @@ sub DES_encrypt3 &push("edi"); @@ -50,10 +50,10 @@ index ef7054e27506..50765d2b1552 100644 &stack_pop(3); &mov($L,&DWP(0,"ebx","",0)); -diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl -index 01bafe457d68..c093be5a4fd6 100644 ---- a/crypto/perlasm/cbc.pl -+++ b/crypto/perlasm/cbc.pl +Index: openssl-1.1.1f/crypto/perlasm/cbc.pl +=================================================================== +--- openssl-1.1.1f.orig/crypto/perlasm/cbc.pl ++++ openssl-1.1.1f/crypto/perlasm/cbc.pl @@ -129,7 +129,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call &mov(&DWP($data_off+4,"esp","",0), "ebx"); # @@ -67,7 +67,7 @@ index 01bafe457d68..c093be5a4fd6 100644 &mov("eax", &DWP($data_off,"esp","",0)); &mov("ebx", &DWP($data_off+4,"esp","",0)); -@@ -192,7 +196,11 @@ sub cbc +@@ -199,7 +203,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call &mov(&DWP($data_off+4,"esp","",0), "ebx"); # @@ -80,7 +80,7 @@ index 01bafe457d68..c093be5a4fd6 100644 &mov("eax", &DWP($data_off,"esp","",0)); &mov("ebx", &DWP($data_off+4,"esp","",0)); -@@ -225,7 +233,11 @@ sub cbc +@@ -232,7 +240,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put back &mov(&DWP($data_off+4,"esp","",0), "ebx"); # @@ -93,7 +93,7 @@ index 01bafe457d68..c093be5a4fd6 100644 &mov("eax", &DWP($data_off,"esp","",0)); # get return &mov("ebx", &DWP($data_off+4,"esp","",0)); # -@@ -268,7 +280,11 @@ sub cbc +@@ -275,7 +287,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put back &mov(&DWP($data_off+4,"esp","",0), "ebx"); # @@ -106,19 +106,19 @@ index 01bafe457d68..c093be5a4fd6 100644 &mov("eax", &DWP($data_off,"esp","",0)); # get return &mov("ebx", &DWP($data_off+4,"esp","",0)); # -diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl -index 5c7ea3880e4d..7e49b55e97c7 100644 ---- a/crypto/perlasm/x86gas.pl -+++ b/crypto/perlasm/x86gas.pl -@@ -170,6 +170,7 @@ sub ::file_end +Index: openssl-1.1.1f/crypto/perlasm/x86gas.pl +=================================================================== +--- openssl-1.1.1f.orig/crypto/perlasm/x86gas.pl ++++ openssl-1.1.1f/crypto/perlasm/x86gas.pl +@@ -171,6 +171,7 @@ sub ::file_end if ($::macosx) { push (@out,"$tmp,2\n"); } elsif ($::elf) { push (@out,"$tmp,4\n"); } else { push (@out,"$tmp\n"); } + if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); } } push(@out,$initseg) if ($initseg); - } -@@ -228,8 +229,23 @@ ___ + if ($::elf) { +@@ -249,8 +250,23 @@ ___ elsif ($::elf) { $initseg.=<<___; .section .init @@ -142,10 +142,10 @@ index 5c7ea3880e4d..7e49b55e97c7 100644 } elsif ($::coff) { $initseg.=<<___; # applies to both Cygwin and Mingw -diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl -index ba4fd80fb32e..18c124707587 100644 ---- a/crypto/x86cpuid.pl -+++ b/crypto/x86cpuid.pl +Index: openssl-1.1.1f/crypto/x86cpuid.pl +=================================================================== +--- openssl-1.1.1f.orig/crypto/x86cpuid.pl ++++ openssl-1.1.1f/crypto/x86cpuid.pl @@ -18,6 +18,8 @@ open OUT,">$output"; for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } @@ -155,7 +155,7 @@ index ba4fd80fb32e..18c124707587 100644 &function_begin("OPENSSL_ia32_cpuid"); &xor ("edx","edx"); &pushf (); -@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } +@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3 &set_label("nocpuid"); &function_end("OPENSSL_ia32_cpuid"); @@ -166,7 +166,7 @@ index ba4fd80fb32e..18c124707587 100644 &xor ("eax","eax"); &xor ("edx","edx"); &picmeup("ecx","OPENSSL_ia32cap_P"); -@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } +@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3 # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host], # but it's safe to call it on any [supported] 32-bit platform... # Just check for [non-]zero return value... @@ -175,7 +175,7 @@ index ba4fd80fb32e..18c124707587 100644 &picmeup("ecx","OPENSSL_ia32cap_P"); &bt (&DWP(0,"ecx"),4); &jnc (&label("nohalt")); # no TSC -@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } +@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3 &ret (); &function_end_B("OPENSSL_far_spin");
  7. Download patch debian/patches/0016-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch

    --- 1.1.1f-1/debian/patches/0016-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0016-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,74 @@ +From 7fdfe28c43ebd49636f51b636dbd956d06e5295a Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Wed, 26 Jun 2019 23:41:35 +0200 +Subject: [PATCH 16/25] s390x assembly pack: update OPENSSL_s390xcap(3) + +Add description of capability vector's pcc and kma parts. + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Shane Lontis <shane.lontis@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9258) + +(cherry picked from commit da93b5cc2bc931b998f33ee432bc1ae2b38fccca) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + doc/man3/OPENSSL_s390xcap.pod | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index 20a6833d96..80528a597f 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -34,14 +34,14 @@ There are three types of tokens: + The name of a processor generation. A bit in the environment variable's + mask is set to one if and only if the specified processor generation + implements the corresponding instruction set extension. Possible values +-are z900, z990, z9, z10, z196, zEC12, z13 and z14. ++are z900, z990, z9, z10, z196, zEC12, z13, z14 and z15. + + =item <string>:<mask>:<mask> + + The name of an instruction followed by two 64-bit masks. The part of the + environment variable's mask corresponding to the specified instruction is + set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc, +-kmac, kmctr, kmo, kmf, prno and kma. ++kmac, kmctr, kmo, kmf, prno, kma, pcc and kdsa. + + =item stfle:<mask>:<mask>:<mask> + +@@ -139,6 +139,21 @@ the numbering is continuous across 64-bit mask boundaries. + # 20 1<<43 KMA-GCM-AES-256 + : + ++ pcc : ++ : ++ # 64 1<<63 PCC-Scalar-Multiply-P256 ++ # 65 1<<62 PCC-Scalar-Multiply-P384 ++ # 66 1<<61 PCC-Scalar-Multiply-P521 ++ ++ kdsa : ++ # 1 1<<62 KDSA-ECDSA-Verify-P256 ++ # 2 1<<61 KDSA-ECDSA-Verify-P384 ++ # 3 1<<60 KDSA-ECDSA-Verify-P521 ++ # 9 1<<54 KDSA-ECDSA-Sign-P256 ++ # 10 1<<53 KDSA-ECDSA-Sign-P384 ++ # 11 1<<52 KDSA-ECDSA-Sign-P521 ++ : ++ + =head1 RETURN VALUES + + Not available. +@@ -159,7 +174,7 @@ Disables the KM-XTS-AES and and the KIMD-SHAKE function codes: + + =head1 SEE ALSO + +-[1] z/Architecture Principles of Operation, SA22-7832-11 ++[1] z/Architecture Principles of Operation, SA22-7832-12 + + =head1 COPYRIGHT + +-- +2.25.1 +
  8. Download patch debian/po/ro.po

    --- 1.1.1f-1/debian/po/ro.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ro.po 2020-04-01 15:57:22.000000000 +0000 @@ -94,3 +94,22 @@ msgid "" msgstr "" "Va trebui să le porniți manual cu o comandă de tipul „/etc/init.d/<serviciu> " "start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  9. Download patch debian/patches/0012-s390x-assembly-pack-remove-poly1305-dependency-on-no.patch

    --- 1.1.1f-1/debian/patches/0012-s390x-assembly-pack-remove-poly1305-dependency-on-no.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0012-s390x-assembly-pack-remove-poly1305-dependency-on-no.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,33 @@ +From 7ecac2c4326ab42e85ffd98e7ce137c11fb54121 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Mon, 25 Mar 2019 18:23:59 +0100 +Subject: [PATCH 12/25] s390x assembly pack: remove poly1305 dependency on + non-base memnonics + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Paul Dale <paul.dale@oracle.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8181) + +(cherry picked from commit 5ee08f45bcabc3cef0d7d7b2aa6ecad12ca4197b) +--- + crypto/poly1305/asm/poly1305-s390x.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/poly1305/asm/poly1305-s390x.pl b/crypto/poly1305/asm/poly1305-s390x.pl +index 5ee527a47b..4f4ed47665 100755 +--- a/crypto/poly1305/asm/poly1305-s390x.pl ++++ b/crypto/poly1305/asm/poly1305-s390x.pl +@@ -45,7 +45,7 @@ + use strict; + use FindBin qw($Bin); + use lib "$Bin/../.."; +-use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE); ++use perlasm::s390x qw(:DEFAULT :LD :GE :EI :MI1 :VX AUTOLOAD LABEL INCLUDE); + + my $flavour = shift; + +-- +2.25.1 +
  10. Download patch debian/po/pt.po

    --- 1.1.1f-1/debian/po/pt.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/pt.po 2020-04-01 15:57:22.000000000 +0000 @@ -87,3 +87,29 @@ msgid "" "start'." msgstr "" "Terá que iniciá-los manualmente correndo '/etc/init.d/<serviço> start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Reiniciar serviços sem perguntar durante a actualização do pacote?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Há serviços instalados no seu sistema que necessitam de ser reiniciados " +"quando são actualizadas certas bibliotecas, como libpam, libc e libssl. Uma " +"vez que estes reinícios podem causar interrupção de serviços no sistema, é-" +"lhe normalmente perguntado em cada actualização que serviços deseja " +"reiniciar. Pode escolher esta opção para que os reinícios necessários sejam " +"automaticamente tratados pelo processo de actualização em vez de lhe serem " +"colocadas questões."
  11. Download patch debian/patches/0005-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
  12. Download patch debian/po/eu.po

    --- 1.1.1f-1/debian/po/eu.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/eu.po 2020-04-01 15:57:22.000000000 +0000 @@ -91,5 +91,24 @@ msgid "" msgstr "" "Eskuz berrabiarazi beharko dituzu '/etc/ init.d/<zerbitzua> start' eginez." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" + #~ msgid "${services}" #~ msgstr "${services}"
  13. Download patch debian/rules

    --- 1.1.1f-1/debian/rules 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/rules 2020-04-01 15:57:10.000000000 +0000 @@ -12,6 +12,7 @@ include /usr/share/dpkg/architecture.mk include /usr/share/dpkg/pkg-info.mk export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_MAINT_APPEND = -DOPENSSL_TLS_SECURITY_LEVEL=2 SHELL=/bin/bash @@ -139,6 +140,15 @@ override_dh_fixperms: fi dh_fixperms -a -X etc/ssl/private +override_dh_compress: + dh_compress + # symlink doc files + for p in openssl libssl-dev; do \ + for f in changelog.Debian.gz changelog.gz copyright; do \ + ln -sf ../libssl1.1/$$f debian/$$p/usr/share/doc/$$p/$$f; \ + done; \ + done + override_dh_perl: dh_perl -d
  14. Download patch debian/po/sk.po

    --- 1.1.1f-1/debian/po/sk.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/sk.po 2020-04-01 15:57:22.000000000 +0000 @@ -84,3 +84,30 @@ msgid "" "start'." msgstr "" "Budete ich musieť reštartovať ručne spustením „/etc/init.d/<service> start“." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Reštartovať služby počas aktualizácie balíka bez pýtania sa?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Na vašom systéme sú nainštalované služby, ktoré je potrebné reštartovať pri " +"aktualizácii určitých knižníc ako libpam, libc, a libssl. Keďže tieto " +"reštarty môžu spôsobiť prerušenie služby systému, za bežných okolností sa " +"vám systém správy balíkov pri každej aktualizácii ponúkne zoznam služieb, " +"ktoré chcete reštartovať. Môžete zvoliť, aby sa vás systém správy balíkov už " +"viac nepýtal, ale aby sa namiesto toho všetky potrebné reštarty vykonávali " +"automaticky, takže sa vyhnete kladeniu otázok pri každej aktualizácii " +"knižnice."
  15. Download patch debian/patches/0007-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
  16. Download patch debian/po/uk.po

    --- 1.1.1f-1/debian/po/uk.po 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/uk.po 2019-06-20 16:58:44.000000000 +0000 @@ -0,0 +1,105 @@ +# translation of uk.po to Ukrainian +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# +# Eugeniy Meshcheryakov <eugen@univ.kiev.ua>, 2004, 2006. +msgid "" +msgstr "" +"Project-Id-Version: uk\n" +"Report-Msgid-Bugs-To: openssl@packages.debian.org\n" +"POT-Creation-Date: 2019-06-20 17:58+0100\n" +"PO-Revision-Date: 2006-02-21 10:12+0200\n" +"Last-Translator: Eugeniy Meshcheryakov <eugen@univ.kiev.ua>\n" +"Language-Team: Ukrainian\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.2\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "Services to restart to make them use the new libraries:" +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "Failure restarting some services for OpenSSL upgrade" +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (non translatable) paragraph containing +#. a list of services that could not be restarted +#: ../libssl1.1.templates:2001 +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  17. Download patch debian/po/nb.po

    --- 1.1.1f-1/debian/po/nb.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/nb.po 2020-04-01 15:57:22.000000000 +0000 @@ -47,8 +47,8 @@ msgid "" "initialization script names in /etc/init.d and separated by spaces. No " "services will be restarted if the list is empty." msgstr "" -"Kontroller lista over funne tjenester som trenger omstart. Rett på lista " -"om den er feil. Tjenestenavnene må være lik skript-navnene i /etc/init.d, og " +"Kontroller lista over funne tjenester som trenger omstart. Rett på lista om " +"den er feil. Tjenestenavnene må være lik skript-navnene i /etc/init.d, og " "være atskilt med mellomrom. Hvis du tømmer lista blir ingen tjenester " "omstartet." @@ -62,8 +62,7 @@ msgid "" msgstr "" "Hvis andre tjenester begynner å svikte på mystisk måte etter denne " "oppgraderingen, så blir det anbefalt at maskinen stoppes og startes for å " -"unngå vansker i " -"forbindelse med SSL." +"unngå vansker i forbindelse med SSL." #. Type: error #. Description @@ -80,8 +79,8 @@ msgid "" "The following services could not be restarted for the OpenSSL library " "upgrade:" msgstr "" -"Følgende tjenester kunne ikke restartes for oppgradering av " -"OpenSSL-biblioteket:" +"Følgende tjenester kunne ikke restartes for oppgradering av OpenSSL-" +"biblioteket:" #. Type: error #. Description @@ -91,3 +90,28 @@ msgid "" "start'." msgstr "Du må starte disse manuelt ved å kjøre «/etc/init.d/<service> start»." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Skal tjenester restartes uten spørsmål under pakkeoppgraderinger?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"På systemet ditt finnes det tjenester som må startes på nytt når visse " +"biblioteker, slik som libpam, libc og libssl, oppgraderes. Slike omstarter " +"kan avbryte tjenester på systemet, og normalt blir du spurt ved hver " +"oppgradering om hvilke tjenester du vil starte på nytt. Du kan slå på dette " +"valget for å slippe å bli spurt, da blir i stedet alle nødvendige omstarter " +"gjort automatisk slik at du ikke får spørsmål ved hver " +"biblioteksoppgradering."
  18. Download patch debian/patches/0021-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch

    --- 1.1.1f-1/debian/patches/0021-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0021-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,32 @@ +From 65734fa53b55dd541095ea6091df43ce96daed66 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Fri, 12 Jul 2019 13:47:32 +0200 +Subject: [PATCH 21/25] OPENSSL_s390xcap.pod: list msa9 facility bit (155) + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Shane Lontis <shane.lontis@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9348) + +(cherry picked from commit 3ded2288a45d2cc3a27a1b08d29499cbcec52c0e) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + doc/man3/OPENSSL_s390xcap.pod | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index 80528a597f..e1c7d7030f 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -72,6 +72,7 @@ the numbering is continuous across 64-bit mask boundaries. + #134 1<<57 vector packed decimal facility + #135 1<<56 vector enhancements facility 1 + #146 1<<45 message-security assist extension 8 ++ #155 1<<36 message-security assist extension 9 + + kimd : + # 1 1<<62 KIMD-SHA-1 +-- +2.25.1 +
  19. Download patch debian/po/nl.po

    --- 1.1.1f-1/debian/po/nl.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/nl.po 2020-04-01 15:57:22.000000000 +0000 @@ -99,5 +99,32 @@ msgstr "" "U zult deze handmatig moeten herstarten via het commando '/etc/init.d/" "<dienst> start'." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Diensten zonder vragen herstarten bij het opwaarderen van pakketten?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Er zijn diensten op uw systeem geïnstalleerd die moeten worden herstart " +"wanneer bepaalde bibliotheken, zoals libpam, libc en libssl, worden " +"opgewaardeerd. Omdat deze herstarts dienstonderbrekingen op uw systeem " +"kunnen veroorzaken, wordt u normaal gesproken bij elke opwaardering gevraagd " +"welke diensten u wilt herstarten. Als u voor deze optie kiest wordt dit niet " +"meer aan u gevraagd. In plaats daarvan worden alle noodzakelijke herstarts " +"automatisch gedaan zodat u geen vragen krijgt bij elke opwaardering van een " +"bibliotheek." + #~ msgid "${services}" #~ msgstr "${services}"
  20. Download patch debian/control

    --- 1.1.1f-1/debian/control 2020-03-31 21:46:50.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/control 2020-04-01 15:57:10.000000000 +0000 @@ -2,7 +2,8 @@ Source: openssl Build-Depends: debhelper-compat (= 12), m4, bc, dpkg-dev (>= 1.15.7) Section: utils Priority: optional -Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> Uploaders: Christoph Martin <christoph.martin@uni-mainz.de>, Kurt Roeckx <kurt@roeckx.be>, Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Standards-Version: 4.5.0 Vcs-Browser: https://salsa.debian.org/debian/openssl
  21. Download patch debian/po/pl.po

    --- 1.1.1f-1/debian/po/pl.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/pl.po 2020-04-01 15:57:22.000000000 +0000 @@ -47,8 +47,8 @@ msgid "" "initialization script names in /etc/init.d and separated by spaces. No " "services will be restarted if the list is empty." msgstr "" -"Proszę sprawdzić listę wykrytych usług, które powinny zostać zrestartowane, i " -"poprawić ją, jeśli to konieczne. Nazwy usług muszą się zgadzać z nazwami " +"Proszę sprawdzić listę wykrytych usług, które powinny zostać zrestartowane, " +"i poprawić ją, jeśli to konieczne. Nazwy usług muszą się zgadzać z nazwami " "skryptów startowych w /etc/init.d i muszą być rozdzielone spacjami. Jeśli " "lista będzie pusta, żadne usługi nie zostaną zrestartowane." @@ -60,9 +60,9 @@ msgid "" "restarted. It is recommended to reboot this host to avoid any SSL-related " "trouble." msgstr "" -"Każda usługa w której wystąpi nieoczekiwany błąd po tej aktualizacji, powinna " -"zostać zrestartowana. Zaleca się ponowne uruchomienie komputera, co umożliwi " -"uniknięcie wszystkich problemów związanych z SSL." +"Każda usługa w której wystąpi nieoczekiwany błąd po tej aktualizacji, " +"powinna zostać zrestartowana. Zaleca się ponowne uruchomienie komputera, co " +"umożliwi uniknięcie wszystkich problemów związanych z SSL." #. Type: error #. Description @@ -90,7 +90,31 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" -"Należy zrestartować te usługi ręcznie, przez wykonanie \"/etc/init.d/<usługa> " -"start\"" +"Należy zrestartować te usługi ręcznie, przez wykonanie \"/etc/init.d/" +"<usługa> start\"" +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Zrestartować usługi podczas aktualizacji pakietu bez pytania?" +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Niektóre z zainstalowanych usług wymagają restartu, gdy są aktualizowane " +"określone biblioteki (np. libpam, libc i libss1). Ponieważ restarty mogą " +"spowodować przerwanie tych usług, użytkownik jest zwykle pytany podczas " +"każdej aktualizacji o listę usług, które chce zrestartować. Można wybrać tę " +"opcję, aby zapobiec takim pytaniom; wtedy wszystkie potrzebne restarty " +"odbędą się automatycznie, a użytkownik uniknie pytania przy każdej " +"aktualizacji biblioteki."
  22. Download patch debian/po/ar.po

    --- 1.1.1f-1/debian/po/ar.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ar.po 2020-04-01 15:57:22.000000000 +0000 @@ -87,3 +87,22 @@ msgid "" msgstr "" "يجب أن تقوم بتشغيل هذه الخدمات يدوياً بتفيذ الأمر '/etc/init.d/<service> " "start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  23. Download patch debian/libssl1.1.templates

    --- 1.1.1f-1/debian/libssl1.1.templates 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/libssl1.1.templates 2020-04-01 15:57:10.000000000 +0000 @@ -28,3 +28,15 @@ _Description: Failure restarting some se You will need to start these manually by running '/etc/init.d/<service> start'. +Template: libraries/restart-without-asking +Type: boolean +Default: false +_Description: Restart services during package upgrades without asking? + There are services installed on your system which need to be restarted + when certain libraries, such as libpam, libc, and libssl, are upgraded. + Since these restarts may cause interruptions of service for the system, + you will normally be prompted on each upgrade for the list of services + you wish to restart. You can choose this option to avoid being prompted; + instead, all necessary restarts will be done for you automatically so you + can avoid being asked questions on each library upgrade. +
  24. Download patch debian/patches/tests-use-seclevel-1.patch
  25. Download patch debian/patches/0015-Place-return-values-after-examples-in-doc.patch

    --- 1.1.1f-1/debian/patches/0015-Place-return-values-after-examples-in-doc.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0015-Place-return-values-after-examples-in-doc.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,43 @@ +From da8ef7c092f28d8c78ba03f809546c71101704a8 Mon Sep 17 00:00:00 2001 +From: Paul Yang <yang.yang@baishancloud.com> +Date: Tue, 26 Feb 2019 13:11:10 +0800 +Subject: [PATCH 15/25] Place return values after examples in doc + +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8338) + +(cherry picked from commit 4564e77ae9dd1866e8a033f03511b6a1792c024e) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + doc/man3/OPENSSL_s390xcap.pod | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index 550136a82b..20a6833d96 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -139,6 +139,10 @@ the numbering is continuous across 64-bit mask boundaries. + # 20 1<<43 KMA-GCM-AES-256 + : + ++=head1 RETURN VALUES ++ ++Not available. ++ + =head1 EXAMPLES + + Disables all instruction set extensions which the z196 processor does not implement: +@@ -153,10 +157,6 @@ Disables the KM-XTS-AES and and the KIMD-SHAKE function codes: + + OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0" + +-=head1 RETURN VALUES +- +-Not available. +- + =head1 SEE ALSO + + [1] z/Architecture Principles of Operation, SA22-7832-11 +-- +2.25.1 +
  26. Download patch debian/po/zh_CN.po

    --- 1.1.1f-1/debian/po/zh_CN.po 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/zh_CN.po 2019-06-20 16:58:44.000000000 +0000 @@ -0,0 +1,106 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +# Hiei Xu <nicky@mail.edu.cn>, 2004. +# Carlos Z.F. Liu <carlos_liu@yahoo.com>, 2004. +# LI Daobing <lidaobing@gmail.com>, 2007, 2008. +# +# +msgid "" +msgstr "" +"Project-Id-Version: glibc 2.7-9\n" +"Report-Msgid-Bugs-To: openssl@packages.debian.org\n" +"POT-Creation-Date: 2019-06-20 17:58+0100\n" +"PO-Revision-Date: 2008-02-28 23:44+0800\n" +"Last-Translator: LI Daobing <lidaobing@gmail.com>\n" +"Language-Team: Chinese (Simplified) <debian-chinese-gb@lists.debian.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "Services to restart to make them use the new libraries:" +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "Failure restarting some services for OpenSSL upgrade" +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (non translatable) paragraph containing +#. a list of services that could not be restarted +#: ../libssl1.1.templates:2001 +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  27. Download patch debian/po/fi.po

    --- 1.1.1f-1/debian/po/fi.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/fi.po 2020-04-01 15:57:22.000000000 +0000 @@ -89,5 +89,33 @@ msgid "" msgstr "" "Nämä tarvitsee käynnistää käsin ajamalla ”/etc/init.d/<palvelu> start”." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Käynnistetäänkö palvelut kysymättä uudelleen pakettien päivityksen " +"yhteydessä?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Järjestelmässäsi on asennettuna palveluita, jotka tulee käynnistää uudelleen " +"päivitettäessä tiettyjä ohjelmakirjastoja, kuten libpam, libc ja libssl. " +"Koska palveluiden uudelleenkäynnistys saattaa aiheuttaa katkoja palveluihin, " +"kunkin päivityksen yhteydessä yleensä kysytään luetteloa käynnistettävistä " +"palveluista. Voit valita tämän vaihtoehdon, jos et halua nähdä kysymystä " +"jokaisen kirjastopäivityksen yhteydessä. Tällöin tarvittavat palvelut " +"käynnistetään uudelleen automaattisesti." + #~ msgid "${services}" #~ msgstr "${services}"
  28. Download patch debian/patches/0003-s390x-assembly-pack-perlasm-support.patch
  29. Download patch debian/patches/0014-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
  30. Download patch debian/patches/0011-s390x-assembly-pack-remove-chacha20-dependency-on-no.patch

    --- 1.1.1f-1/debian/patches/0011-s390x-assembly-pack-remove-chacha20-dependency-on-no.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0011-s390x-assembly-pack-remove-chacha20-dependency-on-no.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,33 @@ +From 292cd2879dc6dcd1923e606a0ebc719425f643b9 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Mon, 25 Mar 2019 18:22:02 +0100 +Subject: [PATCH 11/25] s390x assembly pack: remove chacha20 dependency on + non-base memnonics + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Paul Dale <paul.dale@oracle.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8181) + +(cherry picked from commit 302aa3c26d9e716ed4a3fba453faafa7acadf22c) +--- + crypto/chacha/asm/chacha-s390x.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl +index 040ce391c0..16a90c6ae6 100755 +--- a/crypto/chacha/asm/chacha-s390x.pl ++++ b/crypto/chacha/asm/chacha-s390x.pl +@@ -40,7 +40,7 @@ + use strict; + use FindBin qw($Bin); + use lib "$Bin/../.."; +-use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE); ++use perlasm::s390x qw(:DEFAULT :VX :LD AUTOLOAD LABEL INCLUDE); + + my $flavour = shift; + +-- +2.25.1 +
  31. Download patch debian/po/zh_TW.po

    --- 1.1.1f-1/debian/po/zh_TW.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/zh_TW.po 2020-04-01 15:57:22.000000000 +0000 @@ -77,3 +77,22 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  32. Download patch debian/patches/0d011f540400b425aba1c3e59624ad9dbabe83cb.patch

    --- 1.1.1f-1/debian/patches/0d011f540400b425aba1c3e59624ad9dbabe83cb.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0d011f540400b425aba1c3e59624ad9dbabe83cb.patch 2020-09-15 17:04:36.000000000 +0000 @@ -0,0 +1,41 @@ +From 0d011f540400b425aba1c3e59624ad9dbabe83cb Mon Sep 17 00:00:00 2001 +From: Pauli <paul.dale@oracle.com> +Date: Wed, 8 Apr 2020 12:33:47 +1000 +Subject: [PATCH] Fix AES-CTR_DRBG on 1.1.1. + +The backport of the timing information leak fix uses u32 which is defined +in crypto/modes/modes_local.h in 1.1.1 and include/crypto/modes.h for 3.0. + +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/11489) +--- + crypto/rand/build.info | 2 ++ + crypto/rand/drbg_ctr.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/rand/build.info b/crypto/rand/build.info +index df9bac67f04c..a4e7900bdbff 100644 +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -2,3 +2,5 @@ LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_egd.c \ + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ ++INCLUDE[drbg_ctr.o]=../modes +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index f41484e9d548..af201971dd1b 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -12,9 +12,10 @@ + #include <openssl/crypto.h> + #include <openssl/err.h> + #include <openssl/rand.h> +-#include "internal/thread_once.h" ++#include "modes_local.h" + #include "internal/thread_once.h" + #include "rand_local.h" ++ + /* + * Implementation of NIST SP 800-90A CTR DRBG. + */
  33. Download patch debian/patches/0025-Add-self-generated-test-vector-for-x448-non-canonica.patch

    --- 1.1.1f-1/debian/patches/0025-Add-self-generated-test-vector-for-x448-non-canonica.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0025-Add-self-generated-test-vector-for-x448-non-canonica.patch 2020-04-03 17:29:25.000000000 +0000 @@ -0,0 +1,49 @@ +From f30d6611bcc324807cd4534d8bca9f841a1f8902 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Sun, 3 Nov 2019 00:01:20 +0100 +Subject: [PATCH 25/25] Add self-generated test vector for x448 non-canonical + values + +x25519 has such a test vector obtained from wycheproof but wycheproof +does not have a corresponding x448 test vector. +So add a self-generated test vector for that case. + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/10339) + +(cherry picked from commit fd60f8da74c68ba56f828bcc59141856503ffa0a) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + test/recipes/30-test_evp_data/evppkey.txt | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt +index 736e0ce4d3..a049f19694 100644 +--- a/test/recipes/30-test_evp_data/evppkey.txt ++++ b/test/recipes/30-test_evp_data/evppkey.txt +@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107b + + PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw + ++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ++ + Derive=Alice-448 + PeerKey=Bob-448-PUBLIC + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d +@@ -830,6 +832,11 @@ Derive=Bob-448-Raw + PeerKey=Alice-448-PUBLIC-Raw + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d + ++# Self-generated non-canonical ++Derive=Alice-448-Raw ++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical ++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb ++ + # Illegal sign/verify operations with X448 key + + Sign=Alice-448 +-- +2.25.1 +
  34. Download patch debian/libssl1.1.postinst

    --- 1.1.1f-1/debian/libssl1.1.postinst 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/libssl1.1.postinst 2020-09-15 17:02:59.000000000 +0000 @@ -56,8 +56,10 @@ filerc() { if [ "$1" = "configure" ] then - if [ ! -z "$2" ]; then - if dpkg --compare-versions "$2" lt 1.0.1g-2; then + if [ ! -z "$2" ] && [ ! -x /usr/lib/needrestart/apt-pinvoke ] ; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. + if dpkg --compare-versions "$2" lt 1.1.1-1ubuntu2.1~18.04.2; then echo -n "Checking for services that may need to be restarted..." check="amanda-server anon-proxy apache2 apache-ssl" check="$check apf-firewall asterisk bacula-director-common" @@ -102,7 +104,7 @@ then ") echo "done." fi - if dpkg --compare-versions "$2" lt 1.0.1g-3; then + if dpkg --compare-versions "$2" lt 1.1.1-1ubuntu2.1~18.04.2; then echo -n "Checking for services that may need to be restarted..." check2="chef chef-expander chef-server-api" check2="$check2 chef-solr pound postgresql-common" @@ -152,7 +154,11 @@ then if [ "x$RET" != xtrue ]; then db_reset libssl1.1/restart-services db_set libssl1.1/restart-services "$services" - db_input critical libssl1.1/restart-services || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libssl1.1/restart-services || true + else + db_input critical libssl1.1/restart-services || true + fi db_go || true db_get libssl1.1/restart-services @@ -200,7 +206,20 @@ then # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi
  35. Download patch debian/patches/0013-fix-strict-warnings-build.patch
  36. Download patch debian/patches/0004-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
  37. Download patch debian/po/templates.pot

    --- 1.1.1f-1/debian/po/templates.pot 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/templates.pot 2020-04-01 15:57:11.000000000 +0000 @@ -74,3 +74,22 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  38. Download patch debian/po/vi.po

    --- 1.1.1f-1/debian/po/vi.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/vi.po 2020-04-01 15:57:22.000000000 +0000 @@ -86,3 +86,22 @@ msgid "" msgstr "" "Vì thế bạn cần phải khởi chạy bằng tay, bằng cách chạy câu lệnh « /etc/init." "d/<tên_dịch_vụ> start »." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  39. Download patch debian/patches/0020-s390x-assembly-pack-accelerate-ECDSA.patch
  40. Download patch debian/patches/0023-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch

    --- 1.1.1f-1/debian/patches/0023-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0023-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,48 @@ +From aba5efd988fca1ae58c64c6cbc93cbd99144487f Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Tue, 24 Sep 2019 23:20:00 +0200 +Subject: [PATCH 23/25] s390x assembly pack: fix OPENSSL_s390xcap z15 cpu mask + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/10004) + +(cherry picked from commit ac037dc874a721ca81a33b4314e26cef4a7e8d48) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + crypto/s390xcap.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index 00834e4f98..1f9851efc1 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -547,7 +547,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + S390X_CAPBIT(S390X_VX) + | S390X_CAPBIT(S390X_VXD) + | S390X_CAPBIT(S390X_VXE) +- | S390X_CAPBIT(S390X_MSA8), ++ | S390X_CAPBIT(S390X_MSA8) ++ | S390X_CAPBIT(S390X_MSA9), + 0ULL}, + /*.kimd = */{S390X_CAPBIT(S390X_QUERY) + | S390X_CAPBIT(S390X_SHA_1) +@@ -611,11 +612,10 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + | S390X_CAPBIT(S390X_AES_192) + | S390X_CAPBIT(S390X_AES_256), + 0ULL}, +- /*.pcc = */{S390X_CAPBIT(S390X_QUERY) +- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) ++ /*.pcc = */{S390X_CAPBIT(S390X_QUERY), ++ S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) +- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521), +- 0ULL}, ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)}, + /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) +-- +2.25.1 +
  41. Download patch debian/po/da.po

    --- 1.1.1f-1/debian/po/da.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/da.po 2020-04-01 15:57:22.000000000 +0000 @@ -91,3 +91,29 @@ msgid "" "start'." msgstr "" "Du skal genstarte disse manuelt ved at køre '/etc/init.d/<tjeneste> start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Genstart tjenester under pakkeopgraderinger uden at spørge?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Der er tjenester installeret på dit system, som kræver at blive genstartet " +"når bestemte biblioteker, såsom libpam, libc og libssl, opgraderes. Da disse " +"genstarter kan medføre forstyrrelse af systemets tjenester, vil du normalt " +"blive spurgt ved hver opgradering om listen over tjenester, du ønsker at " +"genstarte. Du kan vælge denne indstilling for at undgå at blive spurgt; i " +"stedet for vil alle nødvendige genstarter blive udført automatisk, så du kan " +"undgå spørgsmål ved hver biblioteksopgradering."
  42. Download patch debian/patches/11767.patch

    --- 1.1.1f-1/debian/patches/11767.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/11767.patch 2020-09-15 16:38:51.000000000 +0000 @@ -0,0 +1,32 @@ +From 2d84c9c983729c2a2ae0a24789a3787f2559e143 Mon Sep 17 00:00:00 2001 +From: Maxim Zakharov <5158255+Maxime2@users.noreply.github.com> +Date: Fri, 8 May 2020 14:58:10 +1000 +Subject: [PATCH] TTY_get() in crypto/ui/ui_openssl.c open_console() can also + return errno 1 (EPERM, Linux) + +Signed-off-by: Maxim Zakharov <5158255+Maxime2@users.noreply.github.com> +--- + crypto/ui/ui_openssl.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c +index 168de4630dcc..6830bd25c2d7 100644 +--- a/crypto/ui/ui_openssl.c ++++ b/crypto/ui/ui_openssl.c +@@ -439,6 +439,16 @@ static int open_console(UI *ui) + is_a_tty = 0; + else + # endif ++# ifdef EPERM ++ /* ++ * Linux can return EPERM (Operation not permitted), ++ * e.g. if a daemon executes openssl via fork()+execve() ++ * This should be ok ++ */ ++ if (errno == EPERM) ++ is_a_tty = 0; ++ else ++# endif + # ifdef ENODEV + /* + * MacOS X returns ENODEV (Operation not supported by device),
  43. Download patch debian/po/ko.po

    --- 1.1.1f-1/debian/po/ko.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ko.po 2020-04-01 15:57:22.000000000 +0000 @@ -83,3 +83,22 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  44. Download patch debian/po/ja.po

    --- 1.1.1f-1/debian/po/ja.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ja.po 2020-04-01 15:57:22.000000000 +0000 @@ -80,3 +80,30 @@ msgid "" "start'." msgstr "" "開始するには '/etc/init.d/<service> start' を手動で実行する必要があります。" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"パッケージのアップグレード中、質問することなくサービスを再起動しますか?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"このシステムには、libpam や libc、libssl といった特定のライブラリがアップグ" +"レードされたときに再起動を必要とするサービスがインストールされています。この" +"再起動はそのシステムで動作しているサービスの中断を伴う可能性があるため、通常" +"は再起動させるサービス一覧をアップグレードの度に質問します。このオプションを" +"選択するとその質問を避けられます。代わりに、再起動が必要な場合は全て自動で再" +"起動させるため、ライブラリをアップグレードする度に質問されるのを避けられま" +"す。"
  45. Download patch debian/po/it.po

    --- 1.1.1f-1/debian/po/it.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/it.po 2020-04-01 15:57:22.000000000 +0000 @@ -88,3 +88,30 @@ msgid "" "start'." msgstr "" "È necessario avviarli manualmente con \"/etc/init.d/<servizio> start\"." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Riavviare i servizi durante l'aggiornamento senza chiedere conferma?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Sul proprio sistema sono installati dei servizi che devono essere riavviati " +"dopo l'aggiornamento di determinate librerie, quali libpam, libc e libssl. " +"Poiché questi riavvii possono causare delle interruzioni dei servizi offerti " +"dal sistema normalmente, a ogni aggiornamento, viene mostrato l'elenco dei " +"servizi e viene chiesto di confermarne il riavvio. È possibile evitare che " +"sia chiesta la conferma del riavvio accettando questa opzione; saranno " +"effettuati automaticamente tutti i riavvii necessari senza fare domande per " +"ogni aggiornamento della libreria."
  46. Download patch debian/patches/0009-s390x-assembly-pack-allow-alignment-hints-for-vector.patch

    --- 1.1.1f-1/debian/patches/0009-s390x-assembly-pack-allow-alignment-hints-for-vector.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0009-s390x-assembly-pack-allow-alignment-hints-for-vector.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,64 @@ +From a8ad22a341dc1ac377453d59e5f6db49b9bf2a0b Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Thu, 7 Feb 2019 16:44:05 +0100 +Subject: [PATCH 09/25] s390x assembly pack: allow alignment hints for vector + load/store + +z14 introduced alignment hints to help vector load/store +performance. For its predecessors, alignment hint defaults +to 0 (no alignment indicated). + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Paul Dale <paul.dale@oracle.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8181) + +(cherry picked from commit 11aad862850cb2e639756e7126216b6cf38af26b) +--- + crypto/perlasm/s390x.pm | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crypto/perlasm/s390x.pm b/crypto/perlasm/s390x.pm +index 5f3a49dd0c..c00218a0cc 100644 +--- a/crypto/perlasm/s390x.pm ++++ b/crypto/perlasm/s390x.pm +@@ -250,7 +250,7 @@ sub vgmg { + } + + sub vl { +- confess(err("ARGNUM")) if ($#_!=1); ++ confess(err("ARGNUM")) if ($#_<1||$#_>2); + VRX(0xe706,@_); + } + +@@ -345,7 +345,7 @@ sub vllezg { + } + + sub vlm { +- confess(err("ARGNUM")) if ($#_!=2); ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); + VRSa(0xe736,@_); + } + +@@ -548,7 +548,7 @@ sub vsegf { + } + + sub vst { +- confess(err("ARGNUM")) if ($#_!=1); ++ confess(err("ARGNUM")) if ($#_<1||$#_>2); + VRX(0xe70e,@_); + } + +@@ -570,7 +570,7 @@ sub vsteg { + } + + sub vstm { +- confess(err("ARGNUM")) if ($#_!=2); ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); + VRSa(0xe73e,@_); + } + +-- +2.25.1 +
  47. Download patch debian/patches/series

    --- 1.1.1f-1/debian/patches/series 2020-03-31 21:49:47.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/series 2020-09-15 17:04:36.000000000 +0000 @@ -1,6 +1,50 @@ +# x86_64 cet hwe +pr12272.patch +# s390x hwe +0001-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch +0002-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch +0003-s390x-assembly-pack-perlasm-support.patch +0004-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch +0005-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch +0006-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch +0007-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch +0008-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch +0009-s390x-assembly-pack-allow-alignment-hints-for-vector.patch +0010-s390x-assembly-pack-update-perlasm-module.patch +0011-s390x-assembly-pack-remove-chacha20-dependency-on-no.patch +0012-s390x-assembly-pack-remove-poly1305-dependency-on-no.patch +0013-fix-strict-warnings-build.patch +0014-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch +0015-Place-return-values-after-examples-in-doc.patch +0016-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch +0017-s390xcpuid.pl-fix-comment.patch +0018-s390x-assembly-pack-accelerate-scalar-multiplication.patch +0019-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch +0020-s390x-assembly-pack-accelerate-ECDSA.patch +0021-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch +0022-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch +0023-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch +0024-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-a.patch +0025-Add-self-generated-test-vector-for-x448-non-canonica.patch +# Debian patches debian-targets.patch man-section.patch no-symbolic.patch pic.patch c_rehash-compat.patch -Set-systemwide-default-settings-for-libssl-users.patch +# Remove Set-systemwide-default-settings-for-libssl-users.patch, this is done differently + +# Ubuntu patches +tests-use-seclevel-1.patch +tls1.2-min-seclevel2.patch +CVE-2020-1967-1.patch +CVE-2020-1967-2.patch +CVE-2020-1967-3.patch +CVE-2020-1967-4.patch +# Upstream cherry-picks +11767.patch +# Fix RNG +9cc834d966ea5afc38fb829bfe498aed4c5d498d.patch +0d011f540400b425aba1c3e59624ad9dbabe83cb.patch +53eb05bdf00d7237e3b12976c2ac38d68206eb13.patch +e6a80cbad28ee748830815634917efe96948f2f3.patch
  48. Download patch debian/patches/CVE-2020-1967-3.patch

    --- 1.1.1f-1/debian/patches/CVE-2020-1967-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/CVE-2020-1967-3.patch 2020-04-20 11:53:44.000000000 +0000 @@ -0,0 +1,24 @@ +From f420c25bb7d0c198b4b080fce203f6d707e9c86c Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk <kaduk@mit.edu> +Date: Tue, 14 Apr 2020 08:58:20 -0700 +Subject: [PATCH] fixup! Add test for CVE-2020-1967 + +--- + test/recipes/70-test_sslsigalgs.t | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t +index 1a6390a3e9..e3bc7b5534 100644 +--- a/test/recipes/70-test_sslsigalgs.t ++++ b/test/recipes/70-test_sslsigalgs.t +@@ -45,8 +45,8 @@ use constant { + SIGALGS_CERT_ALL => 7, + SIGALGS_CERT_PKCS => 8, + SIGALGS_CERT_INVALID => 9, +- UNRECOGNIZED_SIGALGS_CERT => 4, +- UNRECOGNIZED_SIGALG => 5 ++ UNRECOGNIZED_SIGALGS_CERT => 10, ++ UNRECOGNIZED_SIGALG => 11 + }; + + #Note: Throughout this test we override the default ciphersuites where TLSv1.2
  49. Download patch debian/patches/0002-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  50. Download patch debian/patches/Set-systemwide-default-settings-for-libssl-users.patch

    --- 1.1.1f-1/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch 2020-03-31 21:49:47.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> -Date: Tue, 20 Mar 2018 22:07:30 +0100 -Subject: Set systemwide default settings for libssl users - -This config change enforeces a TLS1.2 protocol version as minimum. It -can be overwritten by the system administrator. - -It also changes the default security level from 1 to 2, moving from the 80 bit -security level to the 112 bit security level. - -Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> ---- - apps/openssl.cnf | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/apps/openssl.cnf b/apps/openssl.cnf -index 4acca4b0446f..a6fed92a2e75 100644 ---- a/apps/openssl.cnf -+++ b/apps/openssl.cnf -@@ -15,6 +15,9 @@ HOME = . - #oid_file = $ENV::HOME/.oid - oid_section = new_oids - -+# System default -+openssl_conf = default_conf -+ - # To use this configuration file with the "-extfile" option of the - # "openssl x509" utility, name here the section containing the - # X.509v3 extensions to use: -@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) - ess_cert_id_alg = sha1 # algorithm to compute certificate - # identifier (optional, default: sha1) -+[default_conf] -+ssl_conf = ssl_sect -+ -+[ssl_sect] -+system_default = system_default_sect -+ -+[system_default_sect] -+MinProtocol = TLSv1.2 -+CipherString = DEFAULT@SECLEVEL=2
  51. Download patch debian/patches/e6a80cbad28ee748830815634917efe96948f2f3.patch

    --- 1.1.1f-1/debian/patches/e6a80cbad28ee748830815634917efe96948f2f3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/e6a80cbad28ee748830815634917efe96948f2f3.patch 2020-09-15 17:04:36.000000000 +0000 @@ -0,0 +1,41 @@ +From e6a80cbad28ee748830815634917efe96948f2f3 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger <bernd.edlinger@hotmail.de> +Date: Tue, 2 Jun 2020 11:52:24 +0200 +Subject: [PATCH] Fix a buffer overflow in drbg_ctr_generate + +This can happen if the 32-bit counter overflows +and the last block is not a multiple of 16 bytes. + +Fixes #12012 + +[extended tests] + +Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> +Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +(Merged from https://github.com/openssl/openssl/pull/12016) + +(cherry picked from commit 42fa3e66697baa121220b4eacf03607280e4ff89) +--- + crypto/rand/drbg_ctr.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index 89c9ccc876a8..a757d0a258ab 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -367,9 +367,11 @@ __owur static int drbg_ctr_generate(RAND_DRBG *drbg, + ctr32 = GETU32(ctr->V + 12) + blocks; + if (ctr32 < blocks) { + /* 32-bit counter overflow into V. */ +- blocks -= ctr32; +- buflen = blocks * 16; +- ctr32 = 0; ++ if (ctr32 != 0) { ++ blocks -= ctr32; ++ buflen = blocks * 16; ++ ctr32 = 0; ++ } + ctr96_inc(ctr->V); + } + PUTU32(ctr->V + 12, ctr32);
  52. Download patch debian/po/ta.po

    --- 1.1.1f-1/debian/po/ta.po 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ta.po 2019-06-20 16:58:44.000000000 +0000 @@ -0,0 +1,95 @@ +# translation of glibc.po to TAMIL +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Dr.T.Vasudevan <agnihot3@gmail.com>, 2007. +msgid "" +msgstr "" +"Project-Id-Version: glibc\n" +"Report-Msgid-Bugs-To: openssl@packages.debian.org\n" +"POT-Creation-Date: 2019-06-20 17:58+0100\n" +"PO-Revision-Date: 2007-04-24 19:42+0530\n" +"Last-Translator: Dr.T.Vasudevan <agnihot3@gmail.com>\n" +"Language-Team: TAMIL <ubuntu-l10n-tam@lists.ubuntu.com>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "Services to restart to make them use the new libraries:" +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "Failure restarting some services for OpenSSL upgrade" +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (non translatable) paragraph containing +#. a list of services that could not be restarted +#: ../libssl1.1.templates:2001 +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  53. Download patch debian/patches/CVE-2020-1967-4.patch

    --- 1.1.1f-1/debian/patches/CVE-2020-1967-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/CVE-2020-1967-4.patch 2020-04-20 11:53:47.000000000 +0000 @@ -0,0 +1,22 @@ +From c3a639fb591815604c512b34b83f0c285bdb6aa3 Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk <kaduk@mit.edu> +Date: Wed, 15 Apr 2020 14:44:42 -0700 +Subject: [PATCH] fixup! Add test for CVE-2020-1967 + +--- + test/recipes/70-test_sslsigalgs.t | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t +index e3bc7b5534..9ea9d05219 100644 +--- a/test/recipes/70-test_sslsigalgs.t ++++ b/test/recipes/70-test_sslsigalgs.t +@@ -482,7 +482,7 @@ sub inject_unrecognized_sigalg + + my $ext = pack "C8", + 0x00, 0x06, #Extension length +- 0x18, 0x18, #unallocated ++ 0xfe, 0x18, #private use + 0x04, 0x01, #rsa_pkcs1_sha256 + 0x08, 0x04; #rsa_pss_rsae_sha256; + my $message = ${$proxy->message_list}[0];
  54. Download patch debian/patches/0019-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
  55. Download patch debian/po/hu.po

    --- 1.1.1f-1/debian/po/hu.po 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/hu.po 2019-06-20 16:58:44.000000000 +0000 @@ -0,0 +1,101 @@ +# SZERVÁC Attila <sas@321.hu>, +# Dr. Nagy Elemér Károly <eknagy@omikk.bme.hu>, 2013. +# +msgid "" +msgstr "" +"Project-Id-Version: glibc\n" +"Report-Msgid-Bugs-To: openssl@packages.debian.org\n" +"POT-Creation-Date: 2019-06-20 17:58+0100\n" +"PO-Revision-Date: 2013-05-14 18:47+0200\n" +"Last-Translator: Dr. Nagy Elemér Károly <eknagy@omikk.bme.hu>\n" +"Language-Team: Hungarian <debian-l10n-hungarian@lists.d.o>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: UTF-8\n" +"Plural-Forms: ???\n" +"X-Poedit-Language: Hungarian\n" +"X-Poedit-Country: HUNGARY\n" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "Services to restart to make them use the new libraries:" +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "Failure restarting some services for OpenSSL upgrade" +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (non translatable) paragraph containing +#. a list of services that could not be restarted +#: ../libssl1.1.templates:2001 +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "A csomag frissítésekor kérdés nélkül újraindítsam a szolgáltatásokat?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Ezen a rendszeren olyan szolgáltatások vannak telepítve, amelyeket újra kell " +"indítani, bizonyos könyvtárak (mint a libpam, libc, libssl) frissítésekor. " +"Mivel ezek az újraindítások megszakítják a szolgáltatásokat, alapesetben " +"minden frissítésnél megkérdezi az újraindítandó szolgáltatások listáját a " +"rendszer. Dönthetsz úgy, hogy ne kérdezzen - ilyenkor minden szükséges " +"szolgáltatás-újraindítást elvégez a rendszer és nem kérdezget."
  56. Download patch debian/patches/0022-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch

    --- 1.1.1f-1/debian/patches/0022-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0022-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,32 @@ +From 4b05becebc482b862c894ddec444c4441cc15414 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Tue, 24 Sep 2019 23:03:19 +0200 +Subject: [PATCH 22/25] s390x assembly pack: fix msa3 stfle bit detection + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/10004) + +(cherry picked from commit b3681e2641999be6c1f70e66497fe384d683a07e) +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + crypto/s390xcpuid.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 2408ca52b0..6cc3fbc3fd 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl +@@ -107,7 +107,7 @@ OPENSSL_s390x_functions: + la %r1,S390X_KMAC(%r4) + .long 0xb91e0042 # kmac %r4,%r2 + +- tmhh %r3,0x0003 # check for message-security-assist-3 ++ tmhh %r3,0x0008 # check for message-security-assist-3 + jz .Lret + + lghi %r0,S390X_QUERY # query pcc capability vector +-- +2.25.1 +
  57. Download patch debian/patches/0017-s390xcpuid.pl-fix-comment.patch

    --- 1.1.1f-1/debian/patches/0017-s390xcpuid.pl-fix-comment.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0017-s390xcpuid.pl-fix-comment.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,43 @@ +From c284114f14a5a0413399ce2f4a2e2932b6d07846 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Wed, 3 Jul 2019 18:02:11 +0200 +Subject: [PATCH 17/25] s390xcpuid.pl: fix comment + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Richard Levitte <levitte@openssl.org> +Reviewed-by: Shane Lontis <shane.lontis@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/9348) + +Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> +--- + crypto/s390xcpuid.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 344f4f67de..2408ca52b0 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl +@@ -443,7 +443,7 @@ ___ + } + + ################ +-# void s390x_pcc(unsigned int fc, void *param) ++# int s390x_pcc(unsigned int fc, void *param) + { + my ($fc,$param) = map("%r$_",(2..3)); + $code.=<<___; +@@ -468,8 +468,8 @@ ___ + } + + ################ +-# void s390x_kdsa(unsigned int fc, void *param, +-# const unsigned char *in, size_t len) ++# int s390x_kdsa(unsigned int fc, void *param, ++# const unsigned char *in, size_t len) + { + my ($fc,$param,$in,$len) = map("%r$_",(2..5)); + $code.=<<___; +-- +2.25.1 +
  58. Download patch debian/po/el.po

    --- 1.1.1f-1/debian/po/el.po 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/el.po 2019-06-20 16:58:44.000000000 +0000 @@ -0,0 +1,115 @@ +# translation of el.po to Greek +# translation of templates.po to Greek +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Konstantinos Margaritis <markos@debian.org>, 2004. +# Vangelis Skarmoutsos <skarmoutsosv@gmail.com>, 2017. +# +msgid "" +msgstr "" +"Project-Id-Version: el\n" +"Report-Msgid-Bugs-To: openssl@packages.debian.org\n" +"POT-Creation-Date: 2019-06-20 17:58+0100\n" +"PO-Revision-Date: 2017-07-06 21:00+0300\n" +"Last-Translator: Vangelis Skarmoutsos <skarmoutsosv@gmail.com>\n" +"Language-Team: Greek <debian-l10n-greek@lists.debian.org>\n" +"Language: el\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Poedit 2.0.2\n" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "Services to restart to make them use the new libraries:" +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" + +#. Type: string +#. Description +#: ../libssl1.1.templates:1001 +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "Failure restarting some services for OpenSSL upgrade" +msgstr "" + +#. Type: error +#. Description +#. This paragraph is followed by a (non translatable) paragraph containing +#. a list of services that could not be restarted +#: ../libssl1.1.templates:2001 +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" + +#. Type: error +#. Description +#: ../libssl1.1.templates:2001 +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Επανεκκίνηση υπηρεσιών, κατά την διάρκεια αναβάθμισης πακέτων, χωρίς να " +"γίνει ερώτηση;" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Αυτές είναι εγκατεστημένες υπηρεσίες στο σύστημα σας, που χρειάζεται να " +"επανεκκινηθούν, όταν αναβαθμίζονται συγκεκριμένες βιβλιοθήκες, όπως οι " +"libpam, libc και libssl. Καθώς αυτές οι επανεκκινήσεις μπορούν να " +"προκαλέσουν διακοπές των υπηρεσιών του συστήματος, φυσιολογικά θα ερωτηθείτε " +"σε κάθε αναβάθμιση για την λίστα των υπηρεσιών που επιθυμείτε να " +"επανεκκινήσετε. Μπορείτε να διαλέξετε αυτή την επιλογή για να αποφύγετε να " +"ερωτηθείτε και έτσι όλες οι απαραίτητες επανεκκινήσεις θα γίνουν αυτόματα " +"ώστε να αποφύγετε τις ερωτήσεις για κάθε αναβάθμιση βιβλιοθήκης."
  59. Download patch debian/po/gl.po

    --- 1.1.1f-1/debian/po/gl.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/gl.po 2020-04-01 15:57:22.000000000 +0000 @@ -87,3 +87,22 @@ msgid "" msgstr "" "Ha ter que reinicialos manualmente executando \"/etc/init.d/<servizo> start" "\"." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  60. Download patch debian/patches/53eb05bdf00d7237e3b12976c2ac38d68206eb13.patch
  61. Download patch debian/po/ru.po

    --- 1.1.1f-1/debian/po/ru.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ru.po 2020-04-01 15:57:22.000000000 +0000 @@ -92,3 +92,28 @@ msgid "" msgstr "" "Вам нужно будет перезапустить их вручную с помощью команд '/etc/init.d/" "<служба> start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Перезапускать службы при обновлении пакета без подтверждения?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"В системе установлены службы, которые требуют перезапуска после обновления " +"определённых библиотек (например, libpam, libc и libssl). Так как это может " +"вызвать перерыв в работе службы, то обычно при каждом обновлении " +"запрашивается подтверждение списка служб, которые нужно перезапустить. Чтобы " +"этот вопрос не задавался, вы можете ответить утвердительно; в этом случае " +"все необходимые службы будут перезапущены автоматически."
  62. Download patch debian/po/pt_BR.po

    --- 1.1.1f-1/debian/po/pt_BR.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/pt_BR.po 2020-04-01 15:57:22.000000000 +0000 @@ -102,3 +102,30 @@ msgid "" msgstr "" "Você terá que iniciá-los manualmente executando '/etc/init.d/<serviço> " "start'." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Reiniciar serviços durante a atualização de pacotes sem perguntar?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Existem serviços instalados no seu sistema que precisam ser reiniciados " +"quando determinadas bibliotecas, tais como libpam, libc e libssl são " +"atualizadas. Uma vez que essas reinicializações podem causar interrupções de " +"serviços para o sistema, normalmente você terá que responder a cada " +"atualização qual será a lista de serviços que quiser reiniciar. Você pode " +"escolher esta opção para evitar novas solicitações; ao invés disso, todas as " +"reinicializações necessárias serão realizadas automaticamente, para evitar " +"que você responda a cada atualização de biblioteca."
  63. Download patch debian/po/ml.po

    --- 1.1.1f-1/debian/po/ml.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/ml.po 2020-04-01 15:57:22.000000000 +0000 @@ -85,3 +85,22 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr ""
  64. Download patch debian/patches/0006-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch

    --- 1.1.1f-1/debian/patches/0006-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0006-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,33 @@ +From b857d3affccf870501f7b9de34f837a1a2575046 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Fri, 15 Feb 2019 22:59:09 +0100 +Subject: [PATCH 06/25] s390x assembly pack: fix formal interface bug in chacha + module + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Tim Hudson <tjh@openssl.org> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8257) + +(cherry picked from commit b2b580fe445e064da50c13d3e00f71022da16ece) +--- + crypto/chacha/asm/chacha-s390x.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl +index 895765e1c4..2843bb1eb6 100755 +--- a/crypto/chacha/asm/chacha-s390x.pl ++++ b/crypto/chacha/asm/chacha-s390x.pl +@@ -225,7 +225,7 @@ LABEL ("ChaCha20_ctr32"); + larl ("%r1","OPENSSL_s390xcap_P"); + + lghi ("%r0",64); +-&{$z? \&cgr:\&cr} ($len,"%r0"); ++&{$z? \&clgr:\&clr} ($len,"%r0"); + jle ("_s390x_chacha_novx"); + + lg ("%r0","S390X_STFLE+16(%r1)"); +-- +2.25.1 +
  65. Download patch debian/patches/CVE-2020-1967-1.patch

    --- 1.1.1f-1/debian/patches/CVE-2020-1967-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/CVE-2020-1967-1.patch 2020-04-20 11:53:36.000000000 +0000 @@ -0,0 +1,113 @@ +From 540e4c35c534a5a12688beb707fee9e16a6a34fa Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk <kaduk@mit.edu> +Date: Fri, 10 Apr 2020 12:27:28 -0700 +Subject: [PATCH] Add test for CVE-2020-1967 + +Add to test_sslsigalgs a TLSProxy test that injects a +"signature_algorithms_cert" extension that contains an unallocated +codepoint. + +The test currently fails, since s_server segfaults instead of +ignoring the unrecognized value. + +Since "signature_algorithms" and "signature_algorithms_cert" are very +similar, also add the analogous test for "signature_algorithms". +--- + test/recipes/70-test_sslsigalgs.t | 66 ++++++++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t +index b3339ff59f..1a6390a3e9 100644 +--- a/test/recipes/70-test_sslsigalgs.t ++++ b/test/recipes/70-test_sslsigalgs.t +@@ -44,7 +44,9 @@ use constant { + COMPAT_SIGALGS => 6, + SIGALGS_CERT_ALL => 7, + SIGALGS_CERT_PKCS => 8, +- SIGALGS_CERT_INVALID => 9 ++ SIGALGS_CERT_INVALID => 9, ++ UNRECOGNIZED_SIGALGS_CERT => 4, ++ UNRECOGNIZED_SIGALG => 5 + }; + + #Note: Throughout this test we override the default ciphersuites where TLSv1.2 +@@ -53,7 +55,7 @@ use constant { + + #Test 1: Default sig algs should succeed + $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +-plan tests => 24; ++plan tests => 26; + ok(TLSProxy::Message->success, "Default sigalgs"); + my $testtype; + +@@ -282,6 +284,39 @@ SKIP: { + ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); + } + ++SKIP: { ++ skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); ++ #Test 25: Send an unrecognized signature_algorithms_cert ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is ++ # needed to trigger (e.g.) CVE-2020-1967 ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALGS_CERT; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); ++ ++ #Test 26: Send an unrecognized signature_algorithms ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALG; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); ++} ++ + + + sub sigalgs_filter +@@ -427,3 +462,30 @@ sub modify_cert_verify_sigalg + } + } + } ++ ++sub inject_unrecognized_sigalg ++{ ++ my $proxy = shift; ++ my $type; ++ ++ # We're only interested in the initial ClientHello ++ if ($proxy->flight != 0) { ++ return; ++ } ++ if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; ++ } elsif ($testtype == UNRECOGNIZED_SIGALG) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS; ++ } else { ++ return; ++ } ++ ++ my $ext = pack "C8", ++ 0x00, 0x06, #Extension length ++ 0x18, 0x18, #unallocated ++ 0x04, 0x01, #rsa_pkcs1_sha256 ++ 0x08, 0x04; #rsa_pss_rsae_sha256; ++ my $message = ${$proxy->message_list}[0]; ++ $message->set_extension($type, $ext); ++ $message->repack; ++}
  66. Download patch debian/patches/0008-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
  67. Download patch debian/po/fr.po

    --- 1.1.1f-1/debian/po/fr.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/fr.po 2020-04-01 15:57:22.000000000 +0000 @@ -96,5 +96,33 @@ msgstr "" "Vous devrez les redémarrer vous-même avec la commande « /etc/init.d/" "<service> start »." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Redémarrer inconditionnellement les services lors des mises à niveau de " +"paquets ?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Certains services installés sur le système doivent être redémarrés lorsque " +"certaines bibliothèques, comme libpam, libc ou libssl, sont mises à niveau. " +"Comme ces redémarrages peuvent conduire à une interruption du service, le " +"choix de les redémarrer ou non est en général offert lors de ces mises à " +"niveau. Vous pouvez choisir ici que ce choix ne soit plus offert et que les " +"redémarrages aient lieu systématiquement lors des mises à niveau de " +"bibliothèques." + #~ msgid "${services}" #~ msgstr "${services}"
  68. Download patch debian/patches/CVE-2020-1967-2.patch

    --- 1.1.1f-1/debian/patches/CVE-2020-1967-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/CVE-2020-1967-2.patch 2020-04-20 11:53:40.000000000 +0000 @@ -0,0 +1,43 @@ +From fda4b40dacd47859c0760b62572af761e8e5ed74 Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk <kaduk@mit.edu> +Date: Fri, 10 Apr 2020 12:27:28 -0700 +Subject: [PATCH] Fix NULL dereference in SSL_check_chain() for TLS 1.3 + +In the tls1_check_sig_alg() helper function, we loop through the list of +"signature_algorithms_cert" values received from the client and attempt +to look up each one in turn in our internal table that maps wire +codepoint to string-form name, digest and/or signature NID, etc., in +order to compare the signature scheme from the peer's list against what +is used to sign the certificates in the certificate chain we're +checking. Unfortunately, when the peer sends a value that we don't +support, the lookup returns NULL, but we unconditionally dereference the +lookup result for the comparison, leading to an application crash +triggerable by an unauthenticated client. + +Since we will not be able to say anything about algorithms we don't +recognize, treat NULL return from lookup as "does not match". + +We currently only apply the "signature_algorithm_cert" checks on TLS 1.3 +connections, so previous TLS versions are unaffected. SSL_check_chain() +is not called directly from libssl, but may be used by the application +inside a callback (e.g., client_hello or cert callback) to verify that a +candidate certificate chain will be acceptable to the client. + +CVE-2020-1967 +--- + ssl/t1_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index a254fd5a05..76b4baa388 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2130,7 +2130,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) + sigalg = use_pc_sigalgs + ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]) + : s->shared_sigalgs[i]; +- if (sig_nid == sigalg->sigandhash) ++ if (sigalg != NULL && sig_nid == sigalg->sigandhash) + return 1; + } + return 0;
  69. Download patch debian/po/sv.po

    --- 1.1.1f-1/debian/po/sv.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/sv.po 2020-04-01 15:57:22.000000000 +0000 @@ -97,3 +97,30 @@ msgid "" msgstr "" "Du mste starta om dessa tjnster manuellt genom att kra '/etc/init.d/" "<service> start'" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Ska tjänster startas om vid paketuppgraderingar utan att först fråga?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Det finns tjänster installerade på systemet som behöver startas om när " +"vissa bibliotek, exempelvis libpam, libc och libssl, uppgraderas. Eftersom " +"dessa omstarter kan orsaka avbrott i tjänsten ställs normalt en fråga vid " +"varje uppgradering där en lista med tjänster som ska startas om " +"presenteras. Du kan välja att aktivera detta alternativ för att undvika " +"att frågan ställs. Istället kommer alla nödvändiga omstarter att göras " +"automatiskt."
  70. Download patch debian/patches/tls1.2-min-seclevel2.patch

    --- 1.1.1f-1/debian/patches/tls1.2-min-seclevel2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/tls1.2-min-seclevel2.patch 2020-01-08 17:17:41.000000000 +0000 @@ -0,0 +1,75 @@ +Description: TLS versions below 1.2 are not permitted as security level 2. + +Index: openssl-1.1.1d/ssl/ssl_cert.c +=================================================================== +--- openssl-1.1.1d.orig/ssl/ssl_cert.c ++++ openssl-1.1.1d/ssl/ssl_cert.c +@@ -956,18 +956,12 @@ static int ssl_security_default_callback + } + case SSL_SECOP_VERSION: + if (!SSL_IS_DTLS(s)) { +- /* SSLv3 not allowed at level 2 */ +- if (nid <= SSL3_VERSION && level >= 2) +- return 0; +- /* TLS v1.1 and above only for level 3 */ +- if (nid <= TLS1_VERSION && level >= 3) +- return 0; +- /* TLS v1.2 only for level 4 and above */ +- if (nid <= TLS1_1_VERSION && level >= 4) ++ /* TLS v1.2 only for level 2 and above */ ++ if (nid <= TLS1_1_VERSION && level >= 2) + return 0; + } else { +- /* DTLS v1.2 only for level 4 and above */ +- if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4) ++ /* DTLS v1.2 only for level 2 and above */ ++ if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 2) + return 0; + } + break; +Index: openssl-1.1.1d/doc/man3/SSL_CTX_set_security_level.pod +=================================================================== +--- openssl-1.1.1d.orig/doc/man3/SSL_CTX_set_security_level.pod ++++ openssl-1.1.1d/doc/man3/SSL_CTX_set_security_level.pod +@@ -84,22 +84,20 @@ using MD5 for the MAC is also prohibited + Security level set to 112 bits of security. As a result RSA, DSA and DH keys + shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. + In addition to the level 1 exclusions any cipher suite using RC4 is also +-prohibited. SSL version 3 is also not allowed. Compression is disabled. ++prohibited. On Ubuntu, TLS versions below 1.2 are not permitted. Compression is disabled. + + =item B<Level 3> + + Security level set to 128 bits of security. As a result RSA, DSA and DH keys + shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. + In addition to the level 2 exclusions cipher suites not offering forward +-secrecy are prohibited. TLS versions below 1.1 are not permitted. Session +-tickets are disabled. ++secrecy are prohibited. Session tickets are disabled. + + =item B<Level 4> + + Security level set to 192 bits of security. As a result RSA, DSA and + DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are +-prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS +-versions below 1.2 are not permitted. ++prohibited. Cipher suites using SHA1 for the MAC are prohibited. + + =item B<Level 5> + +@@ -114,14 +112,8 @@ I<Documentation to be provided.> + + =head1 NOTES + +-B<WARNING> at this time setting the security level higher than 1 for +-general internet use is likely to cause B<considerable> interoperability +-issues and is not recommended. This is because the B<SHA1> algorithm +-is very widely used in certificates and will be rejected at levels +-higher than 1 because it only offers 80 bits of security. +- + The default security level can be configured when OpenSSL is compiled by +-setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used. ++setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. On Ubuntu, 2 is used. + + The security framework disables or reject parameters inconsistent with the + set security level. In the past this was difficult as applications had to set
  71. Download patch debian/README.debian

    --- 1.1.1f-1/debian/README.debian 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/README.debian 2020-04-01 15:57:10.000000000 +0000 @@ -11,14 +11,6 @@ Instead of `<application>` please call n eg: instead of `req` please call `openssl req` -TLS protovol version and RSA key size -------------------------------------- -The default system global policy is to support TLSv1.2+ and security level two. -Please see - https://www.openssl.org/docs/man1.1.1/man5/config.html - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html#DEFAULT-CALLBACK-BEHAVIOUR -for configurations details of `MinProtocol' and `CipherString' in -/etc/ssl/openssl.cnf case you really require to support legacy systems. PATENT ISSUES -------------
  72. Download patch debian/po/cs.po

    --- 1.1.1f-1/debian/po/cs.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/cs.po 2020-04-01 15:57:22.000000000 +0000 @@ -92,3 +92,28 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "Budete je muset spustit ručně příkazem „/etc/init.d/<služba> start“." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Restartovat služby při aktualizaci balíku bez ptaní?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"V systému jsou nainstalovány služby, které je nutno při aktualizaci určitých " +"knihoven (libpam, libc nebo libssl) restartovat. Během restartu služeb jsou " +"tyto po nějakou dobu nedostupné. Abychom předešli nechtěné nedostupnosti, je " +"při každé aktualizaci nabídnut seznam služeb, které se mají restartovat. " +"Povolíte-li tuto možnost, budou se všechny potřebné služby restartovat při " +"aktualizaci knihoven automaticky bez ptaní."
  73. Download patch debian/patches/0018-s390x-assembly-pack-accelerate-scalar-multiplication.patch
  74. Download patch debian/po/tr.po

    --- 1.1.1f-1/debian/po/tr.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/tr.po 2020-04-01 15:57:22.000000000 +0000 @@ -25,20 +25,40 @@ msgstr "Yeni kitaplıkları kullanmalar #. Type: string #. Description #: ../libssl1.0.0.templates:1001 -msgid "This release of OpenSSL fixes some security issues. Services will not use these fixes until they are restarted. Please note that restarting the SSH server (sshd) should not affect any existing connections." -msgstr "OpenSSL paketinin bu sürümü bazı güvenlik sorunlarını düzeltmiştir. Hizmetler yeniden başlatılmadıkça bu düzeltmeleri kullanamayacaklar. SSH sunucusunun (sshd) yeniden başlatılması kurulu bağlantıları etkilemeyecektir." +msgid "" +"This release of OpenSSL fixes some security issues. Services will not use " +"these fixes until they are restarted. Please note that restarting the SSH " +"server (sshd) should not affect any existing connections." +msgstr "" +"OpenSSL paketinin bu sürümü bazı güvenlik sorunlarını düzeltmiştir. " +"Hizmetler yeniden başlatılmadıkça bu düzeltmeleri kullanamayacaklar. SSH " +"sunucusunun (sshd) yeniden başlatılması kurulu bağlantıları etkilemeyecektir." #. Type: string #. Description #: ../libssl1.0.0.templates:1001 -msgid "Please check the list of detected services that need to be restarted and correct it, if needed. The services names must be identical to the initialization script names in /etc/init.d and separated by spaces. No services will be restarted if the list is empty." -msgstr "Yeniden başlatılması gerektiği algılanan hizmetleri gözden geçiriniz ve gerekirse düzeltiniz. Hizmetlerin adları boşluklarla ayrılmalı ve /etc/init.d dizinindeki başlatma betikleri ile özdeş olmalıdır. Bu liste boş ise hiçbir hizmetin yeniden başlatılmasına gerek yoktur." +msgid "" +"Please check the list of detected services that need to be restarted and " +"correct it, if needed. The services names must be identical to the " +"initialization script names in /etc/init.d and separated by spaces. No " +"services will be restarted if the list is empty." +msgstr "" +"Yeniden başlatılması gerektiği algılanan hizmetleri gözden geçiriniz ve " +"gerekirse düzeltiniz. Hizmetlerin adları boşluklarla ayrılmalı ve /etc/init." +"d dizinindeki başlatma betikleri ile özdeş olmalıdır. Bu liste boş ise " +"hiçbir hizmetin yeniden başlatılmasına gerek yoktur." #. Type: string #. Description #: ../libssl1.0.0.templates:1001 -msgid "Any service that later fails unexpectedly after this upgrade should be restarted. It is recommended to reboot this host to avoid any SSL-related trouble." -msgstr "Bu yükseltmeden sonra beklenmedik bir şekilde duran herhangi bir hizmet yeniden başlatılmalıdır. SSL ile bağlantılı bir sorun yaşamamak için en doğrusu bu sunucunun yeniden başlatılmasıdır." +msgid "" +"Any service that later fails unexpectedly after this upgrade should be " +"restarted. It is recommended to reboot this host to avoid any SSL-related " +"trouble." +msgstr "" +"Bu yükseltmeden sonra beklenmedik bir şekilde duran herhangi bir hizmet " +"yeniden başlatılmalıdır. SSL ile bağlantılı bir sorun yaşamamak için en " +"doğrusu bu sunucunun yeniden başlatılmasıdır." #. Type: error #. Description @@ -51,12 +71,48 @@ msgstr "OpenSSL yükseltmesi sırasında #. This paragraph is followed by a (non translatable) paragraph containing #. a list of services that could not be restarted #: ../libssl1.0.0.templates:2001 -msgid "The following services could not be restarted for the OpenSSL library upgrade:" -msgstr "Aşağıdaki hizmetler OpenSSL kitaplıkları yükseltilirken yeniden başlatılamadı:" +msgid "" +"The following services could not be restarted for the OpenSSL library " +"upgrade:" +msgstr "" +"Aşağıdaki hizmetler OpenSSL kitaplıkları yükseltilirken yeniden " +"başlatılamadı:" #. Type: error #. Description #: ../libssl1.0.0.templates:2001 -msgid "You will need to start these manually by running '/etc/init.d/<service> start'." -msgstr " '/etc/init.d/<hizmet> start' komutunu çalıştırarak bu hizmetleri elle başlatmalısınız." - +msgid "" +"You will need to start these manually by running '/etc/init.d/<service> " +"start'." +msgstr "" +" '/etc/init.d/<hizmet> start' komutunu çalıştırarak bu hizmetleri elle " +"başlatmalısınız." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"Hizmetler paket yükseltme işlemi esnasında size sorulmadan yeniden " +"başlatılsın mı?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Sisteminizde libpam, libc ve libssl gibi bazı kitaplıklar yükseltildiğinde " +"yeniden başlatılması gereken bazı hizmetler kurulu. Yeniden başlatma " +"işlemleri sisteminizin sunduğu hizmetlerde kesintilere neden olabileceğinden " +"dolayı her yükseltme işlemi esnasında yeniden başlatmak istediğiniz " +"hizmetler size sorulacaktır. Eğer bu sorunun sorulmasını istemiyorsanız bu " +"seçeneği kullanabilirsiniz. Bu seçenek seçildiği takdirde bir kitaplık " +"yükseltmesi yapılırken gereken tüm yeniden başlatma işlemleri size " +"sorulmaksızın otomatik olarak yapılacaktır."
  75. Download patch debian/po/es.po

    --- 1.1.1f-1/debian/po/es.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/es.po 2020-04-01 15:57:22.000000000 +0000 @@ -120,5 +120,34 @@ msgstr "" "Tendrá que iniciarlos manualmente ejecutando « /etc/init.d/<servicio> start " "»." +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "" +"¿Quiere que los servicios se actualicen durante una actualización de paquete " +"sin solicitar confirmación?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Hay algunos servicios instalados en el sistema que requieren reiniciarse al " +"actualizar paquetes como libpam, libc, y libssl. Ya que reiniciar estos " +"servicios puede provocar una interrupción de servicio del sistema, " +"habitualmente se le solicitará en cada actualización una lista de los " +"servicios que desea reiniciar. Puede seleccionar esta opción para impedir " +"que se le solicite esta información; en su lugar, cada reinicio de servicio " +"se hará de forma automática de forma que evitará que se le planteen " +"preguntas cada vez que se actualice una biblioteca." + #~ msgid "${services}" #~ msgstr "${services}"
  76. Download patch debian/patches/9cc834d966ea5afc38fb829bfe498aed4c5d498d.patch

    --- 1.1.1f-1/debian/patches/9cc834d966ea5afc38fb829bfe498aed4c5d498d.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/9cc834d966ea5afc38fb829bfe498aed4c5d498d.patch 2020-09-15 17:04:36.000000000 +0000 @@ -0,0 +1,49 @@ +From 9cc834d966ea5afc38fb829bfe498aed4c5d498d Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Sat, 22 Feb 2020 01:20:09 +0100 +Subject: [PATCH] AES CTR-DRGB: do not leak timing information + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> +Reviewed-by: Paul Dale <paul.dale@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/11147) + +(cherry picked from commit 069165d10646a22000c596095cc04d43bbf1f807) +--- + crypto/rand/drbg_ctr.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index 93b82f34ceda..f41484e9d548 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -21,19 +21,15 @@ + + static void inc_128(RAND_DRBG_CTR *ctr) + { +- int i; +- unsigned char c; +- unsigned char *p = &ctr->V[15]; +- +- for (i = 0; i < 16; i++, p--) { +- c = *p; +- c++; +- *p = c; +- if (c != 0) { +- /* If we didn't wrap around, we're done. */ +- break; +- } +- } ++ unsigned char *p = &ctr->V[0]; ++ u32 n = 16, c = 1; ++ ++ do { ++ --n; ++ c += p[n]; ++ p[n] = (u8)c; ++ c >>= 8; ++ } while (n); + } + + static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
  77. Download patch debian/libssl1.1.NEWS

    --- 1.1.1f-1/debian/libssl1.1.NEWS 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/libssl1.1.NEWS 2020-04-01 15:57:10.000000000 +0000 @@ -1,30 +1,38 @@ -openssl (1.1.1-2) unstable; urgency=medium +openssl (1.1.1d-2ubuntu2) focal; urgency=medium - Following various security recommendations, the default minimum TLS version - has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple - plan to do same around March 2020. - - The default security level for TLS connections has also be increased from - level 1 to level 2. This moves from the 80 bit security level to the 112 bit - security level and will require 2048 bit or larger RSA and DHE keys, 224 bit - or larger ECC keys, and SHA-2. - - The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications - might also have a way to override the defaults. - - In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString - line. The CipherString can also sets the security level. Information about the - security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage. - The list of valid strings for the minimum protocol version can be found in - SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and - config(5ssl). + The default security level for TLS connections was increased from + level 1 to level 2. This moves from the 80 bit security level to the + 112 bit security level and will require 2048 bit or larger RSA and + DHE keys, 224 bit or larger ECC keys, SHA-2, TLSv1.2 or DTLSv1.2. + + The system wide settings can be changed in + /etc/ssl/openssl.cnf. Applications might also have a way to override + the defaults. + + In the default /etc/ssl/openssl.cnf one can add sections to specify + CipherString. The CipherString can be used to set the security + level. Information about the security levels can be found in the + SSL_CTX_set_security_level(3ssl) manpage. Other information can be + found in ciphers(1ssl) and config(5ssl). Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide - defaults can be done using: - MinProtocol = None - CipherString = DEFAULT + defaults can be by adding at the top of the file: + + # System default + openssl_conf = default_conf + + and adding at the bottom of the file: + + [default_conf] + ssl_conf = ssl_sect + + [ssl_sect] + system_default = system_default_sect + + [system_default_sect] + CipherString = DEFAULT:@SECLEVEL=1 It's recommended that you contact the remote site in case the defaults cause problems. - -- Kurt Roeckx <kurt@roeckx.be> Sun, 28 Oct 2018 20:58:35 +0100 + -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 08 Jan 2020 17:17:41 +0000 \ No newline at end of file
  78. Download patch debian/po/de.po

    --- 1.1.1f-1/debian/po/de.po 2020-03-31 21:46:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/po/de.po 2020-04-01 15:57:22.000000000 +0000 @@ -90,3 +90,30 @@ msgid "" msgstr "" "Sie werden sie manuell durch Aufruf von »/etc/init.d/<dienst> start« starten " "müssen." + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "Restart services during package upgrades without asking?" +msgstr "Dienste bei Paket-Upgrades ohne Rückfrage neu starten?" + +#. Type: boolean +#. Description +#: ../libssl1.1.templates:3001 +msgid "" +"There are services installed on your system which need to be restarted when " +"certain libraries, such as libpam, libc, and libssl, are upgraded. Since " +"these restarts may cause interruptions of service for the system, you will " +"normally be prompted on each upgrade for the list of services you wish to " +"restart. You can choose this option to avoid being prompted; instead, all " +"necessary restarts will be done for you automatically so you can avoid being " +"asked questions on each library upgrade." +msgstr "" +"Auf Ihrem System sind Dienste installiert, die beim Upgrade bestimmter " +"Bibliotheken, wie Libpam, Libc und Libssl, neu gestartet werden müssen. Da " +"diese Neustarts zu Unterbrechungen der Dienste für dieses System führen " +"können, werden Sie normalerweise bei jedem Upgrade über die Liste der neu zu " +"startenden Dienste befragt. Sie können diese Option wählen, um diese Abfrage " +"zu vermeiden; stattdessen werden alle notwendigen Dienste-Neustarts für Sie " +"automatisch vorgenommen und die Beantwortung dieser Fragen bei jedem Upgrade " +"von Bibliotheken vermieden."
  79. Download patch debian/patches/0010-s390x-assembly-pack-update-perlasm-module.patch

    --- 1.1.1f-1/debian/patches/0010-s390x-assembly-pack-update-perlasm-module.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.1.1f-1ubuntu4/debian/patches/0010-s390x-assembly-pack-update-perlasm-module.patch 2020-04-03 17:29:24.000000000 +0000 @@ -0,0 +1,173 @@ +From efac7d142fff9d89ca47a425f9caac4c1ad205e6 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer <patrick.steuer@de.ibm.com> +Date: Mon, 25 Mar 2019 18:20:27 +0100 +Subject: [PATCH 10/25] s390x assembly pack: update perlasm module + +Add non-base instructions which are used by the chacha20 and +poly1305 modules. + +Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> + +Reviewed-by: Paul Dale <paul.dale@oracle.com> +Reviewed-by: Richard Levitte <levitte@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/8181) + +(cherry picked from commit 3062468b0aa0eaa287e44689157d97774fd5817e) +--- + crypto/perlasm/s390x.pm | 86 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 84 insertions(+), 2 deletions(-) + +diff --git a/crypto/perlasm/s390x.pm b/crypto/perlasm/s390x.pm +index c00218a0cc..7fb55c780c 100644 +--- a/crypto/perlasm/s390x.pm ++++ b/crypto/perlasm/s390x.pm +@@ -6,23 +6,37 @@ + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html + +-# Copyright IBM Corp. 2018 ++# Copyright IBM Corp. 2018-2019 + # Author: Patrick Steuer <patrick.steuer@de.ibm.com> + + package perlasm::s390x; + + use strict; + use warnings; ++use bigint; + use Carp qw(confess); + use Exporter qw(import); + + our @EXPORT=qw(PERLASM_BEGIN PERLASM_END); + our @EXPORT_OK=qw(AUTOLOAD LABEL INCLUDE stfle); + our %EXPORT_TAGS=( ++ # long-displacement facility ++ LD => [qw(clgfi)], ++ # general-instruction-extension facility ++ GE => [qw(risbg)], ++ # extended-immediate facility ++ EI => [qw(lt)], ++ # miscellaneous-instruction-extensions facility 1 ++ MI1 => [qw(risbgn)], ++ # message-security assist + MSA => [qw(kmac km kmc kimd klmd)], ++ # message-security-assist extension 4 + MSA4 => [qw(kmf kmo pcc kmctr)], ++ # message-security-assist extension 5 + MSA5 => [qw(ppno prno)], ++ # message-security-assist extension 8 + MSA8 => [qw(kma)], ++ # vector facility + VX => [qw(vgef vgeg vgbm vzero vone vgm vgmb vgmh vgmf vgmg + vl vlr vlrep vlrepb vlreph vlrepf vlrepg vleb vleh vlef vleg vleib + vleih vleif vleig vlgv vlgvb vlgvh vlgvf vlgvg vllez vllezb vllezh +@@ -71,6 +85,7 @@ our %EXPORT_TAGS=( + wfmadb vfms vfmsdb wfmsdb vfpso vfpsodb wfpsodb vflcdb wflcdb + vflndb wflndb vflpdb wflpdb vfsq vfsqdb wfsqdb vfs vfsdb wfsdb + vftci vftcidb wftcidb)], ++ # vector-enhancements facility 1 + VXE => [qw(vbperm vllezlf vmsl vmslg vnx vnn voc vpopctb vpopcth + vpopctf vpopctg vfasb wfasb wfaxb wfcsb wfcxb wfksb wfkxb vfcesb + vfcesbs wfcesb wfcesbs wfcexb wfcexbs vfchsb vfchsbs wfchsb wfchsbs +@@ -83,10 +98,11 @@ our %EXPORT_TAGS=( + wfnmsxb vfpsosb wfpsosb vflcsb wflcsb vflnsb wflnsb vflpsb wflpsb + vfpsoxb wfpsoxb vflcxb wflcxb vflnxb wflnxb vflpxb wflpxb vfsqsb + wfsqsb wfsqxb vfssb wfssb wfsxb vftcisb wftcisb wftcixb)], ++ # vector-packed-decimal facility + VXD => [qw(vlrlr vlrl vstrlr vstrl vap vcp vcvb vcvbg vcvd vcvdg vdp + vlip vmp vmsp vpkz vpsop vrp vsdp vsrp vsp vtp vupkz)], + ); +-Exporter::export_ok_tags(qw(MSA MSA4 MSA5 MSA8 VX VXE VXD)); ++Exporter::export_ok_tags(qw(LD GE EI MI1 MSA MSA4 MSA5 MSA8 VX VXE VXD)); + + our $AUTOLOAD; + +@@ -143,6 +159,28 @@ sub stfle { + S(0xb2b0,@_); + } + ++# MISC ++ ++sub clgfi { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RILa(0xc2e,@_); ++} ++ ++sub lt { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RXYa(0xe312,@_); ++} ++ ++sub risbg { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ RIEf(0xec55,@_); ++} ++ ++sub risbgn { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ RIEf(0xec59,@_); ++} ++ + # MSA + + sub kmac { +@@ -2486,6 +2524,36 @@ sub vupkz { + # Instruction Formats + # + ++sub RIEf { ++ confess(err("ARGNUM")) if ($#_<4||5<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$r2,$i3,$i4,$i5)=(shift,get_R(shift),get_R(shift), ++ get_I(shift,8),get_I(shift,8), ++ get_I(shift,8)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",(($opcode>>8)<<8|$r1<<4|$r2)).","; ++ $out.=sprintf("%#06x",($i3<<8)|$i4).","; ++ $out.=sprintf("%#06x",($i5<<8)|($opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub RILa { ++ confess(err("ARGNUM")) if ($#_!=2); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$i2)=(shift,get_R(shift),get_I(shift,32)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",(($opcode>>4)<<8|$r1<<4|($opcode&0xf))).","; ++ $out.=sprintf("%#06x",($i2>>16)).","; ++ $out.=sprintf("%#06x",($i2&0xffff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ + sub RRE { + confess(err("ARGNUM")) if ($#_<0||2<$#_); + my $ops=join(',',@_[1..$#_]); +@@ -2510,6 +2578,20 @@ sub RRFb { + $out.="\t# $memn\t$ops\n" + } + ++sub RXYa { ++ confess(err("ARGNUM")) if ($#_!=2); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$d2,$x2,$b2)=(shift,get_R(shift),get_DXB(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",(($opcode>>8)<<8|$r1<<4|$x2)).","; ++ $out.=sprintf("%#06x",($b2<<12|($d2&0xfff))).","; ++ $out.=sprintf("%#06x",(($d2>>12)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ + sub S { + confess(err("ARGNUM")) if ($#_<0||1<$#_); + my $ops=join(',',@_[1..$#_]); +-- +2.25.1 +
  80. Download patch debian/patches/pr12272.patch

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: openssl-ibmca

openssl-ibmca (2.1.1-0ubuntu1) groovy; urgency=medium * New upstream release. LP: #1884763 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Aug 2020 20:14:28 +0100 openssl-ibmca (2.1.0-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1836865 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 07 Oct 2019 11:30:34 +0100 openssl-ibmca (2.0.3-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1826198 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 30 Apr 2019 12:34:27 +0100 openssl-ibmca (2.0.2-0ubuntu2) disco; urgency=medium * Rework error string init and exit. LP: #1819487 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 18 Mar 2019 15:03:08 +0000 openssl-ibmca (2.0.2-0ubuntu1) disco; urgency=medium * New upstream release LP: #1804233 LP: #1806483 * Drop dlopen-soname.patch, applied upstream. * Update watch file to github.com. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Dec 2018 11:21:56 +1100 openssl-ibmca (2.0.0-0ubuntu2) cosmic; urgency=medium * Disable test-suite, as it appears to fail on launchpad builders, yet passes locally when uncontained. -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Fri, 15 Jun 2018 12:44:40 +0100 openssl-ibmca (2.0.0-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776209 * Update debian/copyright to Apache-2 -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com> Thu, 14 Jun 2018 12:10:32 +0100 openssl-ibmca (1.4.1-0ubuntu1) bionic; urgency=medium * New upstream release * Update watch file to point at github * Build against openssl1.1 with openssl1.1 engine paths LP: #1747626 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 23 Feb 2018 18:06:36 +0000 openssl-ibmca (1.4.0-0ubuntu2) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 17:54:51 +0000 openssl-ibmca (1.4.0-0ubuntu1) artful; urgency=medium * New upstream release * Drop patches applied upstream -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 28 Sep 2017 11:13:14 -0400 openssl-ibmca (1.3.0-0ubuntu5) artful; urgency=medium * Apply upstream patch to resolve crashes when libssl attempts to initialise engine a few times too many. LP: #1543455 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Jul 2017 08:48:51 +0100 openssl-ibmca (1.3.0-0ubuntu4) zesty; urgency=medium * Build against libica.so.3. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 30 Nov 2016 10:24:29 +0000 openssl-ibmca (1.3.0-0ubuntu3) zesty; urgency=medium * Attempt to dlopen libica.so.2, if libica.so (or ctrl provided one) fails. LP: #1605511 * Add depends on libica2. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Oct 2016 15:25:59 +0100 openssl-ibmca (1.3.0-0ubuntu2) xenial; urgency=medium * Correct license information. LP: 1543682 * Add watch file. * Resolves LP: #1538864 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 15 Feb 2016 16:32:05 +0000 openssl-ibmca (1.3.0-0ubuntu1) xenial; urgency=medium * Initial release. -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 05 Feb 2016 06:16:50 +0000

Modifications :
  1. Download patch src/test/Makefile.linux

    --- 1.4.0-1/src/test/Makefile.linux 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/src/test/Makefile.linux 2020-05-05 13:03:21.000000000 +0000 @@ -8,7 +8,7 @@ all: $(TARGETS) # Every target is created from a single .c file. %: %.c - gcc $(OPTS) -lica -lcrypto -o $@ $^ + gcc $(OPTS) -o $@ $^ -lica -lcrypto clean: rm -f $(TARGETS)
  2. Download patch README.md

    --- 1.4.0-1/README.md 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/README.md 2020-05-05 13:03:21.000000000 +0000 @@ -8,14 +8,14 @@ cryptographic operations. The build requirements are: * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 + * libica-devel >= 3.3.0 * autoconf * automake * libtool The runtime requirements are: * openssl >= 0.9.8 - * libica >= 3.1.1 + * libica >= 3.3.0 ## Installing @@ -27,8 +27,8 @@ $ sudo make install ``` This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere +which is `/usr/local/lib`. It means that the ibmca.so will be installed in +`/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: @@ -38,38 +38,11 @@ $ ./configure --prefix=/usr --libdir=/us ## Enabling IBMCA -Included in this package there is a sample `openssl.cnf` file -(`openssl.cnf.sample`), which can be used to turn on use of the IBMCA engine in -apps where OpenSSL config support is compiled in. - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/libibmca.so` by default. However, if the -libibmca.so library has been installed anywhere else, then update the -*dynamic_path* variable. +Apps with compiled-in OpenSSL config support can enable the engine via +an OpenSSL configuration file. Refer to config(5). A sample OpenSSL +configuration file (`openssl.cnf.sample`) is included in this package. -Locate where the `openssl.cnf` file has been installed in the host and append -the content of the `openssl.cnf.sample` file to it. - -``` -$ rpm -ql openssl | grep openssl.cnf -$ cat openssl.cnf.sample >> /path/to/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the +If the engine is configured properly, the command below should return the IBMCA engine and all the supported cryptographic methods. ```
  3. Download patch src/ibmca_digest.c
  4. Download patch test/3des-cbc-test.pl

    --- 1.4.0-1/test/3des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/3des-cbc-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cbc", 24, 8);
  5. Download patch test/Makefile.am

    --- 1.4.0-1/test/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/Makefile.am 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,24 @@ +TESTS = \ +des-ecb-test.pl \ +des-cbc-test.pl \ +des-cfb-test.pl \ +des-ofb-test.pl \ +3des-ecb-test.pl \ +3des-cbc-test.pl \ +3des-cfb-test.pl \ +3des-ofb-test.pl \ +aes-128-ecb-test.pl \ +aes-128-cbc-test.pl \ +aes-128-cfb-test.pl \ +aes-128-ofb-test.pl \ +aes-192-ecb-test.pl \ +aes-192-cbc-test.pl \ +aes-192-cfb-test.pl \ +aes-192-ofb-test.pl \ +aes-256-ecb-test.pl \ +aes-256-cbc-test.pl \ +aes-256-cfb-test.pl \ +aes-256-ofb-test.pl + +AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf PERL5LIB=${srcdir}; +EXTRA_DIST = ${TESTS} test.pm openssl-test.cnf
  6. Download patch test/aes-128-ofb-test.pl

    --- 1.4.0-1/test/aes-128-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-128-ofb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ofb", 16, 16);
  7. Download patch src/ibmca_cipher.c
  8. Download patch debian/README.source

    --- 1.4.0-1/debian/README.source 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -# OpenSSL-ibmca - -OpenSSL engine that uses the libica library under s390x to accelerate -cryptographic operations. - - -## Requirements - -The build requirements are: - * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 - * autoconf - * automake - * libtool - -The runtime requirements are: - * openssl >= 0.9.8 - * libica >= 3.1.1 - - -## Installing - -``` -$ ./configure [--enable-debug] -$ make -$ sudo make install -``` - -This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere -else, run "configure" passing the new location via prefix argument, for -example: - -``` -$ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines -``` - - -## Support - -To report a bug please submit a - [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the - following information in the issue description: - -* bug description -* distro release -* openssl-ibmca package version -* libica package version -* steps to reproduce the bug - -Regarding technical or usage questions, send email to - [opencryptoki-tech]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or - [opencryptoki-users]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) - mailing list respectively. - - -## Contributing - -See [CONTRIBUTING.md](https://github.com/opencryptoki/openssl-ibmca/blob/master/CONTRIBUTING.md). - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 11:10:45 -0300
  9. Download patch debian/rules

    --- 1.4.0-1/debian/rules 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/rules 2018-12-10 00:21:56.000000000 +0000 @@ -1,31 +1,15 @@ #!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -#export DH_VERBOSE = 1 - -# see FEATURE AREAS in dpkg-buildflags(1) export DEB_BUILD_MAINT_OPTIONS = hardening=+all -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - %: - dh $@ - -# dh_make generated override targets -# This is example for Cmake (See https://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) + dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/openssl-1.0.2/engines/ + dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/engines-1.1 override_dh_auto_install: dh_auto_install - - # Remove useless files find debian -name '*.la' -delete +override_dh_auto_test: + -dh_auto_test
  10. Download patch src/ibmca_pkey.c
  11. Download patch test/openssl-test.cnf

    --- 1.4.0-1/test/openssl-test.cnf 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/openssl-test.cnf 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,20 @@ +openssl_conf = openssl_def + +[openssl_def] +engines = engine_section + +[engine_section] +ibmca = ibmca_section + +[ibmca_section] +dynamic_path = $ENV::IBMCA_TEST_PATH +engine_id = ibmca +init = 1 + +# OpenSSL < 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +# OpenSSL >= 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +default_algorithms = ALL
  12. Download patch debian/dirs

    --- 1.4.0-1/debian/dirs 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/dirs 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib
  13. Download patch debian/patches/libica_soname.patch

    --- 1.4.0-1/debian/patches/libica_soname.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/patches/libica_soname.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Setting libica so name to libica.so.3 -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - ---- a/src/e_ibmca.c -+++ b/src/e_ibmca.c -@@ -46,7 +46,7 @@ - #include "e_ibmca_err.h" - - #define IBMCA_LIB_NAME "ibmca engine" --#define LIBICA_SHARED_LIB "libica.so" -+#define LIBICA_SHARED_LIB "libica.so.3" - - #define AP_PATH "/sys/devices/ap" -
  14. Download patch src/openssl.cnf.sample

    --- 1.4.0-1/src/openssl.cnf.sample 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/src/openssl.cnf.sample 2020-05-05 13:03:21.000000000 +0000 @@ -13,17 +13,14 @@ openssl_conf = openssl_def [openssl_def] engines = engine_section - [engine_section] ibmca = ibmca_section - [ibmca_section] - -# The openssl engine path for libibmca.so. -# Set the dynamic_path to where the libibmca.so engine +# The openssl engine path for ibmca.so. +# Set the dynamic_path to where the ibmca.so engine # resides on the system. -dynamic_path = /usr/local/lib/libibmca.so +dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 @@ -36,17 +33,35 @@ init = 1 # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # +# DH +# - DH key exchange +# +# DSA +# - DSA sign and verify +# # RAND # - Hardware random number generation # +# ECDSA (OpenSSL < 1.1.0) +# - Elliptic Curve DSA sign and verify +# +# ECDH (OpenSSL < 1.1.0) +# - Elliptic Curve DH key exchange +# +# EC (OpenSSL >= 1.1.0) +# - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange +# # CIPHERS -# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, -# DES-EDE3-OFB, AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, -# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, -# AES-256-CBC, AES-256-CFB, AES-256-OFB symmetric crypto +# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, +# DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, +# AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, +# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, +# AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # +# PKEY_CRYPTO +# - X25519, X448, ED25519, ED448 default_algorithms = ALL -#default_algorithms = RAND,RSA,CIPHERS,DIGESTS +#default_algorithms = PKEY_CRYPTO,RAND,RSA,DH,DSA,CIPHERS,DIGESTS
  15. Download patch src/e_ibmca_err.c
  16. Download patch debian/control

    --- 1.4.0-1/debian/control 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/control 2018-12-10 00:21:56.000000000 +0000 @@ -1,17 +1,15 @@ Source: openssl-ibmca Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> -Build-Depends: debhelper (>= 10), dh-autoreconf, libica-dev, libssl-dev -Standards-Version: 4.0.0 +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>=10), libica-dev, libssl-dev +Standards-Version: 4.1.4 Section: libs -Homepage: https://github.com/opencryptoki/openssl-ibmca +Homepage: http://sourceforge.net/projects/opencryptoki/files/libica%20OpenSSL%20Engine Package: openssl-ibmca Architecture: s390 s390x Depends: libica3, ${shlibs:Depends}, ${misc:Depends} -Description: libica engine for OpenSSL - This package provides an OpenSSL engine to enable hardware acceleration - of cryptographic functions in OpenSSL, and all applications that use - OpenSSL. - . - This package is specific for s390x architecture. +Description: libica based hardware acceleration engine for OpenSSL + This package provides an OpenSSL engine to enable hardware + acceleration of cryptographic functions in OpenSSL, and all + applications that use OpenSSL.
  17. Download patch test/des-ecb-test.pl

    --- 1.4.0-1/test/des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/des-ecb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ecb", 8, 0);
  18. Download patch test/aes-128-cfb-test.pl

    --- 1.4.0-1/test/aes-128-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-128-cfb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cfb", 16, 16);
  19. Download patch debian/examples

    --- 1.4.0-1/debian/examples 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/examples 2018-12-10 00:21:56.000000000 +0000 @@ -1 +1 @@ - src/openssl.cnf.sample +src/openssl.cnf.sample
  20. Download patch ibmca.map

    --- 1.4.0-1/ibmca.map 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/ibmca.map 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,9 @@ +IBMCA_2.0.0 { + global: + v_check; + bind_engine; + ENGINE_load_ibmca; + + local: + *; +};
  21. Download patch ChangeLog

    --- 1.4.0-1/ChangeLog 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/ChangeLog 2020-05-05 13:03:21.000000000 +0000 @@ -1,3 +1,35 @@ +* openssl-ibmca 2.1.1 +- Bug fixes + +* openssl-ibmca 2.1.0 +- Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 + +* openssl-ibmca 2.0.3 +- Add MSA9 CPACF support for ECDSA sign/verify + +* openssl-ibmca 2.0.2 +- Fix doing rsa-me, altough rsa-crt would be possible. + +* openssl-ibmca 2.0.1 +- Dont fail when a libica symbol cannot be resolved. + +* openssl-ibmca 2.0.0 +- Add ECC support. +- Add check and distcheck make-targets. +- Project cleanup, code was broken into multiple files and coding style cleanup. +- Improvements to compat macros for openssl. +- Don't disable libica sw fallbacks. +- Fix dlclose logic. + +* openssl-ibmca 1.4.1 +- Fix structure size for aes-256-ecb/cbc/cfb/ofb +- Update man page +- Switch to ibmca.so filename to allow standalone use +- Switch off Libica fallback mode if available +- Make sure ibmca_init only runs once +- Provide simple macro for DEBUG_PRINTF possibility +- Cleanup and slight rework of function set_supported_meths + * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization.
  22. Download patch src/e_ibmca_err.h

    --- 1.4.0-1/src/e_ibmca_err.h 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/src/e_ibmca_err.h 2020-05-05 13:03:21.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,9 +19,6 @@ #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); @@ -30,41 +27,74 @@ void ERR_IBMCA_error(int function, int r /* Error codes for the IBMCA functions. */ /* Function codes. */ -#define IBMCA_F_IBMCA_CTRL 100 -#define IBMCA_F_IBMCA_FINISH 101 -#define IBMCA_F_IBMCA_INIT 102 -#define IBMCA_F_IBMCA_MOD_EXP 103 -#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 -#define IBMCA_F_IBMCA_RAND_BYTES 105 -#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 -#define IBMCA_F_IBMCA_DES_CIPHER 107 -#define IBMCA_F_IBMCA_TDES_CIPHER 108 -#define IBMCA_F_IBMCA_SHA1_UPDATE 109 -#define IBMCA_F_IBMCA_SHA1_FINAL 110 -#define IBMCA_F_IBMCA_AES_128_CIPHER 111 -#define IBMCA_F_IBMCA_AES_192_CIPHER 112 -#define IBMCA_F_IBMCA_AES_256_CIPHER 113 -#define IBMCA_F_IBMCA_SHA256_UPDATE 114 -#define IBMCA_F_IBMCA_SHA256_FINAL 115 -#define IBMCA_F_IBMCA_SHA512_UPDATE 116 -#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_CTRL 100 +#define IBMCA_F_IBMCA_FINISH 101 +#define IBMCA_F_IBMCA_INIT 102 +#define IBMCA_F_IBMCA_MOD_EXP 103 +#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 +#define IBMCA_F_IBMCA_RAND_BYTES 105 +#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 +#define IBMCA_F_IBMCA_DES_CIPHER 107 +#define IBMCA_F_IBMCA_TDES_CIPHER 108 +#define IBMCA_F_IBMCA_SHA1_UPDATE 109 +#define IBMCA_F_IBMCA_SHA1_FINAL 110 +#define IBMCA_F_IBMCA_AES_128_CIPHER 111 +#define IBMCA_F_IBMCA_AES_192_CIPHER 112 +#define IBMCA_F_IBMCA_AES_256_CIPHER 113 +#define IBMCA_F_IBMCA_SHA256_UPDATE 114 +#define IBMCA_F_IBMCA_SHA256_FINAL 115 +#define IBMCA_F_IBMCA_SHA512_UPDATE 116 +#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_EC_KEY_GEN 120 +#define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 +#define IBMCA_F_IBMCA_ECDSA_SIGN 122 +#define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 +#define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 +#define IBMCA_F_IBMCA_ECDSA_VERIFY 125 +#define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 +#define IBMCA_F_ICA_EC_KEY_NEW 127 +#define IBMCA_F_ICA_EC_KEY_INIT 128 +#define IBMCA_F_ICA_EC_KEY_GENERATE 129 +#define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 +#define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 131 +#define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 +#define IBMCA_F_ICA_ECDSA_SIGN 133 +#define IBMCA_F_ICA_ECDSA_VERIFY 134 +#define IBMCA_F_IBMCA_X25519_KEYGEN 140 +#define IBMCA_F_IBMCA_X25519_DERIVE 141 +#define IBMCA_F_IBMCA_X448_KEYGEN 142 +#define IBMCA_F_IBMCA_X448_DERIVE 143 +#define IBMCA_F_IBMCA_ED25519_KEYGEN 144 +#define IBMCA_F_IBMCA_ED448_KEYGEN 145 +#define IBMCA_F_IBMCA_ED25519_SIGN 146 +#define IBMCA_F_IBMCA_ED448_SIGN 147 +#define IBMCA_F_IBMCA_ED25519_VERIFY 148 +#define IBMCA_F_IBMCA_ED448_VERIFY 149 /* Reason codes. */ -#define IBMCA_R_ALREADY_LOADED 100 -#define IBMCA_R_BN_CTX_FULL 101 -#define IBMCA_R_BN_EXPAND_FAIL 102 -#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 -#define IBMCA_R_DSO_FAILURE 104 -#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 -#define IBMCA_R_MISSING_KEY_COMPONENTS 105 -#define IBMCA_R_NOT_INITIALISED 106 -#define IBMCA_R_NOT_LOADED 107 -#define IBMCA_R_OPERANDS_TO_LARGE 111 -#define IBMCA_R_OUTLEN_TO_LARGE 112 -#define IBMCA_R_REQUEST_FAILED 108 -#define IBMCA_R_UNDERFLOW_CONDITION 113 -#define IBMCA_R_UNDERFLOW_KEYRECORD 114 -#define IBMCA_R_UNIT_FAILURE 109 -#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_ALREADY_LOADED 100 +#define IBMCA_R_BN_CTX_FULL 101 +#define IBMCA_R_BN_EXPAND_FAIL 102 +#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 +#define IBMCA_R_DSO_FAILURE 104 +#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 +#define IBMCA_R_MISSING_KEY_COMPONENTS 105 +#define IBMCA_R_NOT_INITIALISED 106 +#define IBMCA_R_NOT_LOADED 107 +#define IBMCA_R_OPERANDS_TO_LARGE 111 +#define IBMCA_R_OUTLEN_TO_LARGE 112 +#define IBMCA_R_REQUEST_FAILED 108 +#define IBMCA_R_UNDERFLOW_CONDITION 113 +#define IBMCA_R_UNDERFLOW_KEYRECORD 114 +#define IBMCA_R_UNIT_FAILURE 109 +#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_EC_INVALID_PARM 120 +#define IBMCA_R_EC_UNSUPPORTED_CURVE 121 +#define IBMCA_R_EC_INTERNAL_ERROR 122 +#define IBMCA_R_EC_ICA_EC_KEY_INIT 123 +#define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 +#define IBMCA_R_PKEY_INTERNAL_ERROR 160 +#define IBMCA_R_PKEY_KEYGEN_FAILED 161 +#define IBMCA_R_PKEY_KEYS_NOT_SET 162 #endif
  23. Download patch configure.ac

    --- 1.4.0-1/configure.ac 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/configure.ac 2020-05-05 13:03:21.000000000 +0000 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [1.4.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.1.1], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -23,16 +23,16 @@ fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC -AC_PROG_LIBTOOL +LT_INIT # Checks for libraries. -AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 0.9.8 is required ***])) -AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 2.4.0 is required ***])) +AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 1.1.1 is required ***])) +AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 3.6.0 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) -AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 2.4.0 is required ***])) +AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.6.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. @@ -44,12 +44,13 @@ AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB], [], - AC_MSG_ERROR([*** libica >= 2.4.0 and libica-devel >= 2.4.0 are required ***]), + AC_MSG_ERROR([*** libica >= 3.6.0 and libica-devel >= 3.6.0 are required ***]), [#include <ica_api.h>]) AC_CONFIG_FILES([ Makefile src/Makefile + test/Makefile src/doc/Makefile]) AC_OUTPUT
  24. Download patch src/ibmca_dsa.c

    --- 1.4.0-1/src/ibmca_dsa.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/src/ibmca_dsa.c 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,136 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dsa.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DSA + +/* This code was liberated and adapted from the commented-out code in + * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration + * (it doesn't have a CRT form for RSA), this function means that an + * Ibmca system running with a DSA server certificate can handshake + * around 5 or 6 times faster/more than an equivalent system running with + * RSA. Just check out the "signs" statistics from the RSA and DSA parts + * of "openssl speed -engine ibmca dsa1024 rsa1024". */ +#ifdef OLDER_OPENSSL +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) +#else +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +#endif +{ + BIGNUM *t; + int to_return = 0; + + t = BN_new(); + /* let rr = a1 ^ p1 mod m */ + if (!ibmca_mod_exp(rr, a1, p1, m, ctx)) + goto end; + /* let t = a2 ^ p2 mod m */ + if (!ibmca_mod_exp(t, a2, p2, m, ctx)) + goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr, rr, t, m, ctx)) + goto end; + + to_return = 1; + +end: + BN_free(t); + + return to_return; +} + +#ifdef OLDER_OPENSSL +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#else +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#endif +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DSA_METHOD dsa_m = { + "Ibmca DSA method", /* name */ + NULL, /* dsa_do_sign */ + NULL, /* dsa_sign_setup */ + NULL, /* dsa_do_verify */ + ibmca_dsa_mod_exp, /* dsa_mod_exp */ + ibmca_mod_exp_dsa, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + DSA_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ +}; + +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1 = DSA_OpenSSL(); + + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; + + return &dsa_m; +} + +#else +static DSA_METHOD *dsa_m = NULL; +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1; + DSA_METHOD *method; + + if (dsa_m != NULL) + goto done; + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) + || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa) + || !DSA_meth_set_flags(method, DSA_FLAG_FIPS_METHOD)) { + DSA_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dsa_m = method; + +done: + return dsa_m; +} + +void ibmca_dsa_destroy(void) +{ + DSA_meth_free(dsa_m); +} +#endif +#endif /* endif OPENSSL_NO_DSA */
  25. Download patch test/des-ofb-test.pl

    --- 1.4.0-1/test/des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/des-ofb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ofb", 8, 8);
  26. Download patch test/aes-128-cbc-test.pl

    --- 1.4.0-1/test/aes-128-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-128-cbc-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cbc", 16, 16);
  27. Download patch test/aes-256-ecb-test.pl

    --- 1.4.0-1/test/aes-256-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-256-ecb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ecb", 32, 0);
  28. Download patch test/aes-192-ecb-test.pl

    --- 1.4.0-1/test/aes-192-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-192-ecb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ecb", 24, 0);
  29. Download patch src/ibmca_rsa.c
  30. Download patch test/aes-256-ofb-test.pl

    --- 1.4.0-1/test/aes-256-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-256-ofb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ofb", 32, 16);
  31. Download patch test/aes-192-ofb-test.pl

    --- 1.4.0-1/test/aes-192-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-192-ofb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ofb", 24, 16);
  32. Download patch src/ibmca_dh.c

    --- 1.4.0-1/src/ibmca_dh.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/src/ibmca_dh.c 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,87 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dh.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DH + +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DH_METHOD dh_m = { + "Ibmca DH method", /* name */ + NULL, /* generate_key */ + NULL, /* compute_key */ + ibmca_mod_exp_dh, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + DH_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ +}; + +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1 = DH_OpenSSL(); + + dh_m.generate_key = meth1->generate_key; + dh_m.compute_key = meth1->compute_key; + + return &dh_m; +} + +#else +static DH_METHOD *dh_m = NULL; +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1; + DH_METHOD *method; + + if (dh_m != NULL) + goto done; + + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL + || (meth1 = DH_OpenSSL()) == NULL + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) + || !DH_meth_set_flags(method, DH_FLAG_FIPS_METHOD)) { + DH_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dh_m = method; + +done: + return dh_m; +} + +void ibmca_dh_destroy(void) +{ + DH_meth_free(dh_m); +} +#endif + +#endif /* end OPENSSL_NO_DH */
  33. Download patch src/test/ibmca_mechaList_test.c
  34. Download patch test/test.pm

    --- 1.4.0-1/test/test.pm 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/test.pm 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,47 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +package test; + +sub cipher { + my $tests = 50; + my $max_file_size = 1024; + my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; + my @hex = ("a".."f", "0".."9"); + + my ($cipher,$keylen,$ivlen) = @_; + + # skip if engine not loaded + exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); + + for my $i (1..$tests) { + my $bytes = 1 + int(rand($max_file_size)); + my $key = ""; + $key .= $hex[rand(@hex)] for (1..$keylen); + my $iv = ""; + if ($ivlen > 0) { + $iv .= $hex[rand(@hex)] for (1..$ivlen); + $iv = "-iv $iv"; + } + + # engine enc, no-engine dec + `openssl rand $bytes > data.in`; + `$eng openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + + # no-engine enc, engine dec + `openssl rand $bytes > data.in`; + `openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `$eng openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + } + + `rm -f data.in data.enc data.dec`; +} + +1;
  35. Download patch src/Makefile.am

    --- 1.4.0-1/src/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/src/Makefile.am 2020-05-05 13:03:21.000000000 +0000 @@ -1,10 +1,22 @@ -lib_LTLIBRARIES=libibmca.la +VERSION = 2:1:1 -libibmca_la_SOURCES=e_ibmca.c e_ibmca_err.c -libibmca_la_LIBADD=-ldl -libibmca_la_LDFLAGS=-module -version-info 0:2:0 -shared -no-undefined -avoid-version +lib_LTLIBRARIES=ibmca.la -dist_libibmca_la_SOURCES=e_ibmca_err.h e_os.h cryptlib.h +ibmca_la_SOURCES=e_ibmca.c \ + e_ibmca_err.c \ + ibmca_cipher.c \ + ibmca_digest.c \ + ibmca_rsa.c \ + ibmca_dsa.c \ + ibmca_dh.c \ + ibmca_ec.c \ + ibmca_pkey.c + +ibmca_la_LIBADD=-ldl +ibmca_la_LDFLAGS=-module -version-number ${VERSION} -shared -no-undefined \ + -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map + +dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4
  36. Download patch test/des-cfb-test.pl

    --- 1.4.0-1/test/des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/des-cfb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cfb", 8, 8);
  37. Download patch test/3des-ecb-test.pl

    --- 1.4.0-1/test/3des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/3des-ecb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3", 24, 0);
  38. Download patch src/e_ibmca.c
  39. Download patch debian/watch

    --- 1.4.0-1/debian/watch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/watch 2018-12-10 00:21:56.000000000 +0000 @@ -1,4 +1,4 @@ version=4 -opts="mode=git, pgpmode=none" \ -https://github.com/opencryptoki/openssl-ibmca.git refs/tags/v?(.*) \ -debian /bin/sh uupdate +opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%openssl-ibmca-$1.tar.gz%" \ + https://github.com/opencryptoki/openssl-ibmca/tags \ + (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
  40. Download patch test/des-cbc-test.pl

    --- 1.4.0-1/test/des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/des-cbc-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cbc", 8, 8);
  41. Download patch debian/patches/series

    --- 1.4.0-1/debian/patches/series 2017-09-20 13:40:30.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/patches/series 2019-04-30 11:34:27.000000000 +0000 @@ -1,2 +1 @@ openssl-config.patch -libica_soname.patch
  42. Download patch test/aes-256-cfb-test.pl

    --- 1.4.0-1/test/aes-256-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-256-cfb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cfb", 32, 16);
  43. Download patch test/aes-192-cfb-test.pl

    --- 1.4.0-1/test/aes-192-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-192-cfb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cfb", 24, 16);
  44. Download patch debian/README.Debian

    --- 1.4.0-1/debian/README.Debian 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -openssl-ibmca for Debian ------------------------ - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location in Debian, which is -/usr/lib/s390x-linux-gnu/openssl-1.0.2/engine/libibmca.so - -Append the `openssl.cnf.sample` file to it `/etc/ssl/openssl.cnf` file; - -``` -$ cat /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample >> /etc/ssl/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the -IBMCA engine and all the supported cryptographic methods. - -``` -$ openssl engine -c -(dynamic) Dynamic engine loading support -(ibmca) Ibmca hardware engine support -[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, - DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, - AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, - AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] -$ -``` - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 10:47:45 -0300
  45. Download patch test/3des-ofb-test.pl

    --- 1.4.0-1/test/3des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/3des-ofb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-ofb", 24, 8);
  46. Download patch debian/patches/openssl-config.patch

    --- 1.4.0-1/debian/patches/openssl-config.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/patches/openssl-config.patch 2018-12-10 00:21:56.000000000 +0000 @@ -1,15 +1,14 @@ -Description: correct engine location to the multiarch location -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - +Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample +=================================================================== --- a/src/openssl.cnf.sample +++ b/src/openssl.cnf.sample -@@ -23,7 +23,7 @@ - # The openssl engine path for libibmca.so. - # Set the dynamic_path to where the libibmca.so engine +@@ -23,7 +23,8 @@ + # The openssl engine path for ibmca.so. + # Set the dynamic_path to where the ibmca.so engine # resides on the system. --dynamic_path = /usr/local/lib/libibmca.so -+dynamic_path = /usr/lib/s390x-linux-gnu/openssl-1.0.2/engines/libibmca.so +-dynamic_path = /usr/local/lib/ibmca.so ++dynamic_path = /usr/lib/s390x-linux-gnu/engines-1.1/ibmca.so ++ engine_id = ibmca init = 1
  47. Download patch src/ibmca_ec.c
  48. Download patch test/aes-256-cbc-test.pl

    --- 1.4.0-1/test/aes-256-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-256-cbc-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cbc", 32, 16);
  49. Download patch test/aes-192-cbc-test.pl

    --- 1.4.0-1/test/aes-192-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-192-cbc-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cbc", 24, 16);
  50. Download patch debian/docs

    --- 1.4.0-1/debian/docs 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.1-0ubuntu1/debian/docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -debian/README.source -debian/README.Debian
  51. Download patch src/doc/ibmca.man

    --- 1.4.0-1/src/doc/ibmca.man 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/src/doc/ibmca.man 2020-05-05 13:03:21.000000000 +0000 @@ -7,8 +7,7 @@ accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. -The engine can be configured by the IBMCA configuration file. The OpenSSL -configuration file is only needed to attach the engine. +The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes @@ -25,7 +24,7 @@ discover control commands. Options for the IBMCA section in openssl.cnf: .PP dynamic_path = -.I /path/to/libibmca.so +.I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE
  52. Download patch test/3des-cfb-test.pl

    --- 1.4.0-1/test/3des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/3des-cfb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cfb", 24, 8);
  53. Download patch test/aes-128-ecb-test.pl

    --- 1.4.0-1/test/aes-128-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.1-0ubuntu1/test/aes-128-ecb-test.pl 2020-05-05 13:03:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ecb", 16, 0);
  54. Download patch Makefile.am

    --- 1.4.0-1/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/Makefile.am 2020-05-05 13:03:21.000000000 +0000 @@ -1,4 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src +SUBDIRS = src test -EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh +EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh
  55. Download patch src/ibmca.h
  56. Download patch openssl-ibmca.spec

    --- 1.4.0-1/openssl-ibmca.spec 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.1-0ubuntu1/openssl-ibmca.spec 2020-05-05 13:03:21.000000000 +0000 @@ -1,19 +1,17 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + Name: openssl-ibmca -Version: 1.4.0 -Release: 0 +Version: 2.1.1 +Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine -Group: Hardware/Other License: ASL 2.0 -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: openssl-devel >= 0.9.8, - libica-devel >= 3.1.1, - autoconf, - automake, - libtool -Requires: openssl >= 0.9.8, - libica >= 3.1.1 +Requires: openssl >= 1.1.1 libica >= 3.6.0 +BuildRequires: openssl-devel >= 1.1.1 libica-devel >= 3.6.0 +BuildRequires: autoconf automake libtool ExclusiveArch: s390 s390x @@ -22,28 +20,61 @@ This package contains a shared object Op to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%setup -q +%setup -q -n %{name}-%{version} + +./bootstrap.sh %build -%configure -make +%configure --libdir=%{enginesdir} +%make_build %install -%makeinstall -rm -f $RPM_BUILD_ROOT%{_libdir}/libibmca.la -mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines -mv $RPM_BUILD_ROOT%{_libdir}/lib* $RPM_BUILD_ROOT%{_libdir}/openssl/engines +%make_install +rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la -%post -p /sbin/ldconfig +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd -%postun -p /sbin/ldconfig %files -%doc README INSTALL src/openssl.cnf.sample -%{_mandir}/man5/* -%{_libdir}/openssl/engines/* +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* %changelog +* Tue May 05 2020 Patrick Steuer <patrick.steuer@de.ibm.com> 2.1.1 +- Update Version + +* Mon Sep 09 2019 Patrick Steuer <patrick.steuer@de.ibm.com> 2.1.0 +- Update Version + +* Tue Apr 23 2019 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.3 +- Update Version + +* Tue Nov 27 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.2 +- Update Version + +* Thu Nov 08 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.1 +- Update Version + +* Wed Jun 06 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2.0.0 +- Update Version +- Update libica version required for building ibmca + +* Wed Feb 21 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 1.4.1 +- Updated to 1.4.1 + +* Thu Jan 25 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> +- Update engine filename +- Spec cleanup + +* Thu Oct 26 2017 Patrick Steuer <patrick.steuer@de.ibm.com> +- Fix build warning about comma and newlines +- Remove INSTALL file from doc +- Fix README name on doc + * Fri Sep 8 2017 Paulo Vital <pvital@linux.vnet.ibm.com> 1.4.0 - Update new License - Update Source and URL pointing to GitHub
  57. Download patch debian/copyright

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: r-cran-openssl

r-cran-openssl (1.4.2+dfsg-1ubuntu1) groovy; urgency=medium * Merge from Debian unstable, remaining changes: + Disable test_google.R requiring network access -- Graham Inggs <ginggs@ubuntu.com> Fri, 28 Aug 2020 13:43:42 +0000

Modifications :
  1. Download patch debian/control

    --- 1.4.2+dfsg-1/debian/control 2020-07-21 08:23:42.000000000 +0000 +++ 1.4.2+dfsg-1ubuntu1/debian/control 2020-08-28 13:43:42.000000000 +0000 @@ -1,5 +1,6 @@ Source: r-cran-openssl -Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian R Packages Maintainers <r-pkg-team@alioth-lists.debian.net> Uploaders: Andreas Tille <tille@debian.org> Section: gnu-r Testsuite: autopkgtest-pkg-r
  2. Download patch debian/tests/run-unit-test

    --- 1.4.2+dfsg-1/debian/tests/run-unit-test 2020-07-21 08:23:42.000000000 +0000 +++ 1.4.2+dfsg-1ubuntu1/debian/tests/run-unit-test 2020-08-28 13:43:42.000000000 +0000 @@ -8,5 +8,6 @@ if [ "$AUTOPKGTEST_TMP" = "" ] ; then fi cd $AUTOPKGTEST_TMP cp -a /usr/share/doc/${pkg}/tests/* $AUTOPKGTEST_TMP +rm -f testthat/test_google.R LC_ALL=C R --no-save < testthat.R rm -fr $AUTOPKGTEST_TMP/*

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: scanssh

scanssh (2.1-0ubuntu8) focal; urgency=medium * No-change rebuild for libevent soname changes. -- Matthias Klose <doko@ubuntu.com> Sat, 19 Oct 2019 19:58:33 +0000 scanssh (2.1-0ubuntu7) artful; urgency=medium * No-change rebuild against libevent-2.1-6 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 31 Jul 2017 02:52:33 +0000 scanssh (2.1-0ubuntu6) xenial; urgency=medium * debian/compat: Specify compatibility level of 9. * debian/rules: Remove legacy DH_COMPAT export. * debian/control: Build-depend on debhelper (>= 9). -- Logan Rosen <logan@ubuntu.com> Sat, 05 Dec 2015 23:18:57 -0500 scanssh (2.1-0ubuntu5) trusty; urgency=medium * Use autotools-dev to update config.{sub,guess} for new arches. -- Logan Rosen <logan@ubuntu.com> Sun, 29 Dec 2013 22:35:26 -0500 scanssh (2.1-0ubuntu4) oneiric; urgency=low * No change rebuild against new libevent. -- Bhavani Shankar <bhavi@ubuntu.com> Sun, 10 Jul 2011 23:03:32 +0530 scanssh (2.1-0ubuntu3) karmic; urgency=low * No-change rebuild for libevent1 -> libevent-1.4-2 transition. -- Steve Kowalik <stevenk@ubuntu.com> Thu, 16 Jul 2009 15:18:13 +1000 scanssh (2.1-0ubuntu2) gutsy; urgency=low * debian/control: Update maintainer fields according to debian- maintainer-field spec. -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 15 Aug 2007 08:10:01 +0000 scanssh (2.1-0ubuntu1) breezy; urgency=low * New upstream release. -- Daniel T Chen <crimsun@fungus.sh.nu> Fri, 6 May 2005 23:38:07 -0400

Modifications :
  1. Download patch xmalloc.c

    --- 2.0-4.1/xmalloc.c 2001-02-18 01:09:08.000000000 +0000 +++ 2.1-0ubuntu8/xmalloc.c 2004-07-14 04:10:30.000000000 +0000 @@ -14,6 +14,7 @@ #include <sys/types.h> #include <stdlib.h> +#include <stdio.h> #include <err.h> #include <string.h> @@ -27,8 +28,12 @@ xmalloc(size_t size) if (size == 0) err(1,"xmalloc: zero size"); ptr = malloc(size); - if (ptr == NULL) - err(1,"xmalloc: out of memory (allocating %lu bytes)", (u_long) size); + if (ptr == NULL) { + fprintf(stderr, + "xmalloc: out of memory (allocating %lu bytes)", + (u_long) size); + abort(); + } return ptr; }
  2. Download patch config.sub
  3. Download patch config.guess
  4. Download patch http.c

    --- 2.0-4.1/http.c 2004-04-06 07:29:08.000000000 +0000 +++ 2.1-0ubuntu8/http.c 2004-11-05 06:39:14.000000000 +0000 @@ -116,6 +116,10 @@ http_getheaders(struct bufferevent *bev, evbuffer_drain(input, off); } + if ((arg->a_flags & HTTP_GOT_HEADERS) && + !(arg->a_flags & HTTP_GOT_OK)) + return (-1); + return (0); } @@ -233,7 +237,7 @@ http_errorcb(struct bufferevent *bev, sh DFPRINTF((stderr, "%s: called\n", __func__)); - postres(arg, "<error>"); + postres(arg, "<http proxy error>"); scanhost_return(bev, arg, 0); }
  5. Download patch debian/rules

    --- 2.0-4.1/debian/rules 2019-10-24 18:58:08.000000000 +0000 +++ 2.1-0ubuntu8/debian/rules 2019-10-24 18:58:07.000000000 +0000 @@ -5,8 +5,6 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 -# This is the debhelper compatability version to use. - CFLAGS = -Wall -g ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) @@ -18,6 +16,7 @@ endif configure: configure-stamp configure-stamp: dh_testdir + dh_autotools-dev_updateconfig # Add here commands to configure the package. ./configure --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info @@ -41,7 +40,7 @@ clean: # Add here commands to clean up after the build process. -$(MAKE) distclean rm -f config.log - + dh_autotools-dev_restoreconfig dh_clean install: build
  6. Download patch socks.c

    --- 2.0-4.1/socks.c 2004-04-06 07:30:01.000000000 +0000 +++ 2.1-0ubuntu8/socks.c 2004-11-05 06:39:05.000000000 +0000 @@ -333,7 +333,7 @@ socks5_readcb(struct bufferevent *bev, v return; error: - postres(arg, "<error>"); + postres(arg, "<socks5 proxy read error>"); done: scanhost_return(bev, arg, 0); } @@ -371,7 +371,7 @@ socks5_errorcb(struct bufferevent *bev, DFPRINTF((stderr, "%s: called\n", __func__)); - postres(arg, "<error>"); + postres(arg, "<socks5 proxy error>"); scanhost_return(bev, arg, 0); } @@ -399,16 +399,16 @@ socks4_readcb(struct bufferevent *bev, v case SOCKS4_RESP_SUCCESS: break; case SOCKS4_RESP_FAILURE: - postres(arg, "<error: server failure>"); + postres(arg, "<socks4 proxy error: server failure>"); goto done; case SOCKS4_RESP_NOIDENT: - postres(arg, "<error: no ident>"); + postres(arg, "<socks4 proxy error: no ident>"); goto done; case SOCKS4_RESP_BADIDENT: - postres(arg, "<error: bad ident>"); + postres(arg, "<socks4 proxy error: bad ident>"); goto done; default: - postres(arg, "<error: response>"); + postres(arg, "<socks4 proxy error: response>"); goto done; } @@ -429,7 +429,7 @@ socks4_readcb(struct bufferevent *bev, v return; error: - postres(arg, "<error>"); + postres(arg, "<socks4 proxy error>"); done: scanhost_return(bev, arg, 0); } @@ -478,6 +478,6 @@ socks4_errorcb(struct bufferevent *bev, DFPRINTF((stderr, "%s: called\n", __func__)); - postres(arg, "<error>"); + postres(arg, "<socks4 proxy error>"); scanhost_return(bev, arg, 0); }
  7. Download patch debian/control

    --- 2.0-4.1/debian/control 2019-10-24 18:58:08.000000000 +0000 +++ 2.1-0ubuntu8/debian/control 2019-10-24 18:58:07.000000000 +0000 @@ -1,13 +1,14 @@ Source: scanssh Section: net Priority: optional -Maintainer: Rene Weber <rene_debmaint@public.e-mail.elvenlord.com> -Build-Depends: debhelper (>= 9), libpcap0.8-dev, libdumbnet-dev, libevent-dev (>= 0.8-1) -Standards-Version: 3.9.6 +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Rene Weber <rene_debmaint@public.e-mail.elvenlord.com> +Build-Depends: debhelper (>= 9), autotools-dev, libpcap-dev (>= 0.6.1-2), libdumbnet-dev, libevent-dev (>= 0.8-1) +Standards-Version: 3.6.1 Package: scanssh Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: ${shlibs:Depends} Description: get SSH server versions for an entire network The ScanSSH protocol scanner scans a list of addresses and networks for running SSH protocol servers and their version numbers. Version 2.0 adds
  8. Download patch scanssh.c

    --- 2.0-4.1/scanssh.c 2004-04-08 03:16:33.000000000 +0000 +++ 2.1-0ubuntu8/scanssh.c 2004-11-21 08:11:19.000000000 +0000 @@ -54,6 +54,7 @@ #include <pcap.h> #include <unistd.h> #include <md5.h> +#include <stdarg.h> #include <assert.h> #include <event.h> @@ -115,15 +116,18 @@ struct interface *ss_inter; rand_t *ss_rand; ip_t *ss_ip; +/* SOCKS servers via which we can scan */ +struct socksq socks_host; + struct scanner **ss_scanners = NULL; int ss_nscanners = 0; -struct argument *args; -int entries; +struct argument *args; /* global list of addresses */ +int entries; /* number of remaining addresses */ -int ssh_sendident; +int ssh_sendident; /* should we send ident to ssh server? */ -struct port *ss_ports = NULL; +struct port *ss_ports = NULL; /* global list of ports to be scanned */ int ss_nports = 0; int ss_nhosts = 0; /* Number of addresses generated */ @@ -134,6 +138,8 @@ struct timeval syn_start; int syn_rate = 100; int syn_nsent = 0; +int max_scanqueue_size = MAXSCANQUEUESZ; + struct address_slot slots[MAXSLOTS]; #define MAX_PROCESSES 30 @@ -321,11 +327,18 @@ printres(struct argument *exp, uint16_t } void -postres(struct argument *arg, char *result) +postres(struct argument *arg, const char *fmt, ...) { + static char buffer[1024]; + va_list ap; + + va_start(ap, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, ap); + va_end(ap); + if (arg->a_res != NULL) free(arg->a_res); - if ((arg->a_res = strdup(result)) == NULL) + if ((arg->a_res = strdup(buffer)) == NULL) err(1, "%s: strdup", __func__); } @@ -934,9 +947,9 @@ probe_haswork(void) } void -probe_send(int fd, short what, void *arg) +probe_send(int fd, short what, void *parameter) { - struct event *ev = arg; + struct event *ev = parameter; struct timeval tv; int ntotal, nprobes, nsent; extern int scan_nhosts; @@ -980,10 +993,22 @@ probe_send(int fd, short what, void *arg entries--; args[entries].a_retry = 0; - synlist_insert(&args[entries]); - /* On failure, synlist_insert already scheduled a retransmit */ - synlist_probe(&args[entries], args[entries].a_ports[0].port); + if (TAILQ_FIRST(&socks_host) == NULL) { + synlist_insert(&args[entries]); + + /* + * On failure, synlist_insert already scheduled + * a retransmit. + */ + synlist_probe(&args[entries], + args[entries].a_ports[0].port); + } else { + struct argument *arg = &args[entries]; + if (!arg->a_hasports) + ports_setup(arg, arg->a_ports, arg->a_nports); + scanhost_ready(arg); + } nsent++; syn_nsent++; @@ -991,6 +1016,36 @@ probe_send(int fd, short what, void *arg } int +parse_socks_host(char *optarg) +{ + char *host; + while ((host = strsep(&optarg, ",")) != NULL) { + /* + * Parse the address of a SOCKS proxy that we are + * using for all connections. + */ + struct socks_host *single_host; + + char *address = strsep(&host, ":"); + if (host == NULL || *host == '\0') + return (-1); + + single_host = calloc(1, sizeof(struct socks_host)); + if (single_host == NULL) + err(1, "calloc"); + if (addr_pton(address, &single_host->host) == -1) + return (-1); + + if ((single_host->port = atoi(host)) == 0) + return (-1); + + TAILQ_INSERT_TAIL(&socks_host, single_host, next); + } + + return (0); +} + +int main(int argc, char **argv) { struct event ev_send; @@ -1004,8 +1059,10 @@ main(int argc, char **argv) ssh_sendident = 1; + TAILQ_INIT(&socks_host); + name = argv[0]; - while ((ch = getopt(argc, argv, "VIhdps:i:e:n:r:ER")) != -1) + while ((ch = getopt(argc, argv, "VIhdpm:u:s:i:e:n:r:ER")) != -1) switch(ch) { case 'V': fprintf(stderr, "ScanSSH %s\n", VERSION); @@ -1020,7 +1077,20 @@ main(int argc, char **argv) break; case 'p': scanner = "http-proxy,http-connect,socks5,socks4,telnet-proxy,ssh"; - default_ports = "23,22,80,1080,3128,6588,4480,8080,8081,8000,8100,9050"; + default_ports = "23,22,80,81,808,1080,1298,3128,6588,4480,8080,8081,8000,8100,9050"; + break; + case 'm': + max_scanqueue_size = atoi(optarg); + if (max_scanqueue_size == 0) { + usage(name); + exit(1); + } + break; + case 'u': + if (parse_socks_host(optarg) == -1) { + usage(name); + exit(1); + } break; case 's': scanner = optarg; @@ -1092,6 +1162,19 @@ main(int argc, char **argv) err(1, "setrlimit: NOFILE"); } + /* Raising the memory limits */ + rl.rlim_max = RLIM_INFINITY; + rl.rlim_cur = MAXSLOTS * EXPANDEDARGS * sizeof(struct argument) * 2; + if (setrlimit(RLIMIT_DATA, &rl) == -1) { + /* Linux does not seem to like this */ + if (getrlimit(RLIMIT_DATA, &rl) == -1) + err(1, "getrlimit: DATA"); + rl.rlim_cur = rl.rlim_max; + if (setrlimit(RLIMIT_DATA, &rl) == -1) + err(1, "setrlimit: DATA"); + } + + /* revoke privs */ #ifdef HAVE_SETEUID seteuid(getuid());
  9. Download patch scanssh.h

    --- 2.0-4.1/scanssh.h 2004-04-06 07:28:37.000000000 +0000 +++ 2.1-0ubuntu8/scanssh.h 2004-11-21 08:08:34.000000000 +0000 @@ -47,6 +47,14 @@ #define FLAGS_USERANDOM 0x01 #define FLAGS_SUBTRACTEXCLUDE 0x02 +struct socks_host { + TAILQ_ENTRY(socks_host) next; + struct addr host; + uint16_t port; +}; + +TAILQ_HEAD(socksq, socks_host); + struct argument; struct address_slot { @@ -122,7 +130,7 @@ int ipv4toa(char *, size_t, void *); void waitforcommands(int, int); void argument_free(struct argument *); -void postres(struct argument *, char *); +void postres(struct argument *, const char *fmt, ...); void printres(struct argument *, uint16_t, char *); int probe_haswork(void);
  10. Download patch connecter.c
  11. Download patch configure
  12. Download patch scanssh.1

    --- 2.0-4.1/scanssh.1 2004-04-07 21:22:24.000000000 +0000 +++ 2.1-0ubuntu8/scanssh.1 2004-10-03 04:09:03.000000000 +0000 @@ -40,6 +40,7 @@ .Op Fl VIERph .Op Fl s Ar scanners,... .Op Fl n Ar ports,... +.Op Fl u Ar socks hosts,... .Op Fl e Ar excludefile .Ar addresses... .Sh DESCRIPTION @@ -109,6 +110,10 @@ Specifies the port numbers to scan. Ports are separated by commas. Each specified scanner is run for each port in this list. The default is 22. +.It Fl u Ar socks hosts,... +A list of comma separated host:port pairs of SOCKS proxies that +.Nm +should use to scan through. .It Fl s Ar scanners Specifies a number of scanners should be executed for each open port. Multiple scanners are separated by commas.
  13. Download patch configure.in

    --- 2.0-4.1/configure.in 2004-04-08 03:15:26.000000000 +0000 +++ 2.1-0ubuntu8/configure.in 2005-03-05 19:21:27.000000000 +0000 @@ -2,9 +2,14 @@ dnl Process this file with autoconf to p AC_INIT(scanssh) AC_CONFIG_SRCDIR(scanssh.c) -AM_INIT_AUTOMAKE(scanssh, 2.0) +AM_INIT_AUTOMAKE(scanssh, 2.1) AM_CONFIG_HEADER(config.h) +dnl Check for system type. +dnl XXX - we do this to qualify our later feature checks, since some +dnl systems claim to support multiple features, but are quite b0rked. +AC_CANONICAL_HOST + dnl Initialize prefix. if test "$prefix" = "NONE"; then prefix="/usr/local" @@ -18,6 +23,47 @@ dnl XXX - Solaris sux. AC_CHECK_LIB(socket, socket) AC_CHECK_LIB(nsl, gethostbyname) +dnl XXX - we need WinPcap developer's pack under Cygwin for win32 +AC_CYGWIN +if test "$CYGWIN" = yes ; then + if test -d /usr/include/mingw ; then + CPPFLAGS="$CPPFLAGS -mno-cygwin" + CFLAGS="$CFLAGS -mno-cygwin" + AC_DEFINE(WIN32_LEAN_AND_MEAN, 1, + [Define for faster code generation.]) + AC_CHECK_LIB(ws2_32, main) + AC_CHECK_LIB(iphlpapi, main) + AC_DEFINE(snprintf, _snprintf, + [Use MingW32's internal snprintf]) + else + AC_MSG_ERROR([need MingW32 package to build under Cygwin]) + fi + AC_MSG_CHECKING(for WinPcap developer's pack) + AC_ARG_WITH(wpdpack, + [ --with-wpdpack=DIR use WinPcap developer's pack in DIR], + [ AC_MSG_RESULT($withval) + if test -f $withval/include/packet32.h -a -f $withval/lib/packet.a; then + owd=`pwd` + if cd $withval; then withval=`pwd`; cd $owd; fi + CFLAGS="$CFLAGS -I$withval/include" + LIBS="$LIBS -L$withval/lib -lpacket" + else + AC_MSG_ERROR(packet32.h or packet.a not found in $withval) + fi ], + [ for dir in ${prefix} ${HOME}/WPdpack ; do + if test -f ${dir}/include/packet32.h -a -f ${dir}/lib/packet.a; then + CFLAGS="$CFLAGS -I${dir}/include" + LIBS="$LIBS -L${dir}/lib -lpacket" + have_pcap=yes + break; + fi + done + if test "$have_pcap" != yes; then + AC_MSG_ERROR(WinPcap developer's pack not found) + fi + AC_MSG_RESULT(yes) ]) +fi + dnl Checks for libraries. AC_REPLACE_FUNCS(inet_aton inet_pton strsep getaddrinfo getnameinfo strlcpy strlcat arc4random) needmd5=no @@ -142,9 +188,7 @@ main(int argc, char **argv) addr_pton("0.0.0.0/0", &a1); exit(a1.addr_bits != 0); -}, AC_MSG_RESULT(yes), [ - AC_WARNING([your version of libdnet is buggy; working around it]) -], AC_MSG_RESULT(yes)) +}, AC_MSG_RESULT(yes), AC_WARNING(your version of libdnet is buggy - working around it), AC_MSG_RESULT(yes)) dnl Checks for libevent AC_MSG_CHECKING(for libevent)
  14. Download patch README

    --- 2.0-4.1/README 2004-04-08 01:59:44.000000000 +0000 +++ 2.1-0ubuntu8/README 2004-04-08 03:22:43.000000000 +0000 @@ -30,6 +30,11 @@ To build, should make you happy. +ACKNOWLEDGEMENTS +---------------- + +Thanks to Marius Eriksen for release testing. + -- Niels Provos <provos@citi.umich.edu> http://www.citi.umich.edu/u/provos
  15. Download patch telnet.c

    --- 2.0-4.1/telnet.c 2004-04-06 07:29:18.000000000 +0000 +++ 2.1-0ubuntu8/telnet.c 2004-11-05 06:39:20.000000000 +0000 @@ -156,7 +156,7 @@ telnet_errorcb(struct bufferevent *bev, DFPRINTF((stderr, "%s: called\n", __func__)); - postres(arg, "<error>"); + postres(arg, "<telnet proxy error>"); scanhost_return(bev, arg, 0); }
  16. Download patch TODO

    --- 2.0-4.1/TODO 1970-01-01 00:00:00.000000000 +0000 +++ 2.1-0ubuntu8/TODO 2004-12-18 19:57:40.000000000 +0000 @@ -0,0 +1,2 @@ +218.5.61.202:23 +CCProxy Telnet>CCProxy Telnet Service Ready.
  17. Download patch config.h.in

    --- 2.0-4.1/config.h.in 2004-03-31 07:33:18.000000000 +0000 +++ 2.1-0ubuntu8/config.h.in 2005-03-05 19:28:42.000000000 +0000 @@ -88,12 +88,18 @@ /* Define if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H +/* Define if you have the `iphlpapi' library (-liphlpapi). */ +#undef HAVE_LIBIPHLPAPI + /* Define if you have the `nsl' library (-lnsl). */ #undef HAVE_LIBNSL /* Define if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET +/* Define if you have the `ws2_32' library (-lws2_32). */ +#undef HAVE_LIBWS2_32 + /* Define if you have the `MD5Update' function. */ #undef HAVE_MD5UPDATE @@ -178,12 +184,18 @@ /* Version number of package */ #undef VERSION +/* Define for faster code generation. */ +#undef WIN32_LEAN_AND_MEAN + /* Define to `int' if <sys/types.h> does not define. */ #undef pid_t /* Define to `unsigned' if <sys/types.h> does not define. */ #undef size_t +/* Use MingW32's internal snprintf */ +#undef snprintf + /* Define to `unsigned short' if <sys/types.h> does not define. */ #undef u_int16_t
  18. Download patch Makefile.in

    --- 2.0-4.1/Makefile.in 2004-04-08 03:18:10.000000000 +0000 +++ 2.1-0ubuntu8/Makefile.in 2005-03-05 19:28:31.000000000 +0000 @@ -57,6 +57,8 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : +host_alias = @host_alias@ +host_triplet = @host@ CC = @CC@ DNETCOMPAT = @DNETCOMPAT@ DNETINC = @DNETINC@ @@ -110,10 +112,11 @@ man1dir = $(mandir)/man1 MANS = $(man_MANS) NROFF = nroff -DIST_COMMON = README ./stamp-h.in Makefile.am Makefile.in acconfig.h \ -aclocal.m4 arc4random.c config.h.in configure configure.in \ -getaddrinfo.c getnameinfo.c inet_aton.c inet_pton.c install-sh missing \ -mkinstalldirs strlcat.c strlcpy.c strsep.c +DIST_COMMON = README ./stamp-h.in Makefile.am Makefile.in TODO \ +acconfig.h aclocal.m4 arc4random.c config.guess config.h.in config.sub \ +configure configure.in getaddrinfo.c getnameinfo.c inet_aton.c \ +inet_pton.c install-sh missing mkinstalldirs strlcat.c strlcpy.c \ +strsep.c DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
  1. jansson
  2. kdnssd-kf5
  3. libnss-ldap
  4. libnss-nis
  5. libnss-nisplus
  6. lxqt-openssh-askpass
  7. nss
  8. nss-pem
  9. nss-wrapper
  10. nsscache
  11. opendnssec
  12. openssl
  13. openssl-ibmca
  14. r-cran-openssl
  15. scanssh