Changelog for openssl-0.9.7e-8tr.i586.rpm :
Fri Sep 29 14:00:00 2006 Nived Gopalan 0.9.7e-8tr
- SECURITY Fix: Dr. S. N. Henson has discovered vulnerabilities in
OpenSSL which could be exploited by attackers to cause denial of
- During the parsing of certain invalid ASN.1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory.
- Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack.
- Tavis Ormandy and Will Drewry of the Google Security Team have
discovered the following two vulnerabilities in OpenSSL :
- Fix buffer overflow in SSL_get_shared_ciphers() utility function
which could allow an attacker to send a list of ciphers to an
application that uses it and overrun a buffer.
- A flaw in the SSLv2 client code was discovered. When a client
application used OpenSSL to create an SSLv2 connection to a
malicious server, that server could cause the client to crash.

The Common Vulnerabilities and Exposures project has
assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738
and CVE-2006-4343 to these issues.

Wed Sep 6 14:00:00 2006 Bipin S 0.9.7e-7tr
- New Upstream.
- SECURITY FIX: A vulnerability has been identified which could be exploited
by attackers to bypass security restrictions. This flaw is due to an error
when handling and verifying RSA keys with exponent 3, which could be
exploited by attackers to forge PKCS #1 v1.5 signatures and bypass
security verifications.

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2006-4339.

Wed Oct 12 14:00:00 2005 Ajith Thampi 0.9.7e-6tr
- SECURITY Fix: Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the countermeasure
against man-in-the-middle protocol-version rollback in the SSL 2.0 server
implementation, which is a bad idea.

The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2969.

Thu Jun 9 14:00:00 2005 Syed Shabir Zakiullah 0.9.7e-5tr
- Security Fix: Colin Percival reported a cache timing attack that could be used to
allow a malicious local user to gain portions of cryptographic keys. The OpenSSL
library has been patched to add a new fixed-window mod_exp implementation as
default for RSA, DSA, and DH private key operations. The patch was designed to
mitigate cache timing and possibly related attacks.

The Common Vulnerabilities and Exposures project has
assigned the name CAN-2005-0109 to this issue.

Tue Nov 9 13:00:00 2004 Oystein Viggen 0.9.7e-4tr
- Rebuild with correct permissions

Tue Nov 9 13:00:00 2004 Oystein Viggen 0.9.7e-3tr
- Fix symlink problems for .so in devel package

Thu Nov 4 13:00:00 2004 Oystein Viggen 0.9.7e-2tr
- Remove der_chop

Thu Oct 28 14:00:00 2004 Erlend Midttun 0.9.7e-1tr
- New upstream.

Thu Sep 9 14:00:00 2004 Erlend Midttun 0.9.7d-1tr
- New upstream.

Tue Jun 22 14:00:00 2004 Chr. Toldnes 0.9.7c-13tr
- Merge changes from 0.9.7c-11tr

Wed Jun 2 14:00:00 2004 Chr. Toldnes 0.9.7c-12tr
- Take a step back.

Tue Mar 16 13:00:00 2004 Oystein Viggen 0.9.7c-5tr
- Patch two potential DoS holes:
CAN-2004-0079, CAN-2004-0112

Wed Nov 26 13:00:00 2003 Erlend Midttun 0.9.7c-2tr
- Big rebuild

Tue Sep 30 14:00:00 2003 Chr. Toldnes 0.9.7c-1tsl
- upstream security fixes

Mon Jun 23 14:00:00 2003 Erlend Midttun 0.9.7b-3tr
- Added %defattr.

Wed Jun 18 14:00:00 2003 Erlend Midttun 0.9.7b-2tr
- Big rebuild

Fri May 23 14:00:00 2003 Erlend Midttun 0.9.7b-1em
- New upstream.

Mon Mar 24 13:00:00 2003 Erlend Midttun 0.9.7a-4em
- Rebuilt against glibc 2.3.2.

Thu Mar 20 13:00:00 2003 Erlend Midttun 0.9.7a-3em
- Apply patch against the blinding attack known as CAN-2003-0147
- Apply patch against the Klima-Pokorny-Rose attack. CAN-2003-131

Thu Feb 27 13:00:00 2003 Erlend Midttun 0.9.7a-2em
- Make setup quiet.

Thu Feb 20 13:00:00 2003 Christian H. Toldnes 0.9.7a-1ct
- Upstream security fix
- move *.so to devel
- finally openssl seems backwards compatible between 0.9.7 and 0.9.7{a-z}

Thu Feb 13 13:00:00 2003 Erlend Midttun 0.9.7-3em
- Fix include of non-exported file e_os.h

Wed Jan 29 13:00:00 2003 Goetz Bock 0.9.7-2bg
- added patch to use perl from /usr/bin/perl (patch2)
- renamed passwd to passwd_openssl (patch3), as shadow-utils
provides passwd
- removed MD5.3 manpage, as it conflicts with perl
- removed doc/* from %doc, as all the files are included as man pages

Thu Jan 16 13:00:00 2003 Gerald Dachs 0.9.7-1gd
- new upstream version (bug 16)
- swig 1.3.17
- m2crypto 0.09
- changed target cpu
- rsaref disappeared, removed files
- changed types for python extension (Patch 1)
- removed c++ patch

Tue Dec 24 13:00:00 2002 Gerald Dachs 0.9.6h-1gd
- new upstream version

Wed Sep 18 14:00:00 2002 Roland Kruse 0.9.6g-3rk
- Small patch to make des.h usable with C++ (Patch0)

Fri Sep 13 14:00:00 2002 Erlend Midttun
- Added BuildReq python-devel
- Changed include to remove -I.../openssl

Mon Aug 12 14:00:00 2002 Christian H. Toldnes 0.9.6g-1ct
- New upstream version fixes many security issues.

Wed Jul 10 14:00:00 2002 Christian H. Toldnes 0.9.6d-2ct
- Added Provides:,, etc <-- ugly, must fix this later.
- License: BSD-like

Fri May 31 14:00:00 2002 Christian H. Toldnes
- Update: openssl-0.9.6d, swig-1.3.6, m2crypto_0.07-snap3

Wed Jul 11 14:00:00 2001 Oystein Viggen
- Patch a security hole in the prng

Mon Jun 25 14:00:00 2001 Oystein Viggen
- Split off a -support package to remove perl dependency from main package

Thu Jun 7 14:00:00 2001 Erlend Midttun
- Added a few patches to fix a few issues with 0.9.6. Would upgrade
to 0.9.6a, but that seems to break a load of packages. Patches are
from Engarde, not sure where they got them.

Wed Mar 7 13:00:00 2001 Alexander Reelsen
- Moved files completely out of openssl-devel

Fri Feb 9 13:00:00 2001 Olaf Trygve Berglihn
- Added openssl-python - the python M2Crypto bindings.

Wed Nov 22 13:00:00 2000 Erlend Midttun
- Updated to 0.9.6

Mon Sep 4 14:00:00 2000 Per Ivar Paulsen
- Fixed man bug. openssl.cnf path fix.

Thu May 18 14:00:00 2000 Erlend Midttun
- Updated to version 0.9.5a

Thu Mar 2 13:00:00 2000 Lars Gaarden
- moved openssl.cnf back to /etc/ssl

Thu Feb 3 13:00:00 2000 Tore Olsen
- updated to 0.9.4

Thu Jun 3 14:00:00 1999 Greg LaPolla
- Added shared lib copy stuff

Tue Jun 1 14:00:00 1999 Greg LaPolla
- Created SPEC and patches specific to rh6