Version in base suite: 0.9.8g-15+lenny3
Version in overlay suite: (not present)

Base version: openssl_0.9.8g-15+lenny3
Target version: openssl_0.9.8g-15+lenny5
Base file: /org/ftp.debian.org/ftp/pool/main/o/openssl/openssl_0.9.8g-15+lenny3.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/openssl_0.9.8g-15+lenny5.dsc

 crypto/evp/c_alld.c             |    3 ---
 crypto/x509/x509_vfy.c          |   13 +++++--------
 openssl-0.9.8g/debian/changelog |   13 +++++++++++++
 ssl/ssl_algs.c                  |    3 ---
 4 files changed, 18 insertions(+), 14 deletions(-)

diff -u openssl-0.9.8g/debian/changelog openssl-0.9.8g/debian/changelog
--- openssl-0.9.8g/debian/changelog
+++ openssl-0.9.8g/debian/changelog
@@ -1,3 +1,16 @@
+openssl (0.9.8g-15+lenny5) stable-security; urgency=low
+
+  * Don't check self signed certificate signatures in X509_verify_cert()
+    (Closes: #541735)
+
+ -- Kurt Roeckx <kurt@roeckx.be>  Fri, 11 Sep 2009 17:00:05 +0200
+
+openssl (0.9.8g-15+lenny4) stable-security; urgency=low
+
+  * Remove MD2 from digest algorithm table.  (CVE-2009-2409) (Closes: #539899)
+
+ -- Kurt Roeckx <kurt@roeckx.be>  Tue, 11 Aug 2009 22:48:02 +0200
+
 openssl (0.9.8g-15+lenny3) stable-security; urgency=low
 
   * Fix DoS via a DTLS ChangeCipherSpec packet that occurs before ClientHello
only in patch2:
unchanged:
--- openssl-0.9.8g.orig/ssl/ssl_algs.c
+++ openssl-0.9.8g/ssl/ssl_algs.c
@@ -92,9 +92,6 @@
 	EVP_add_cipher(EVP_seed_cbc());
 #endif
 
-#ifndef OPENSSL_NO_MD2
-	EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD5
 	EVP_add_digest(EVP_md5());
 	EVP_add_digest_alias(SN_md5,"ssl2-md5");
only in patch2:
unchanged:
--- openssl-0.9.8g.orig/crypto/x509/x509_vfy.c
+++ openssl-0.9.8g/crypto/x509/x509_vfy.c
@@ -982,7 +982,11 @@
 	while (n >= 0)
 		{
 		ctx->error_depth=n;
-		if (!xs->valid)
+
+		/* Skip signature check for self signed certificates. It
+		 * doesn't add any security and just wastes time.
+		 */
+		if (!xs->valid && xs != xi)
 			{
 			if ((pkey=X509_get_pubkey(xi)) == NULL)
 				{
@@ -992,13 +996,6 @@
 				if (!ok) goto end;
 				}
 			else if (X509_verify(xs,pkey) <= 0)
-				/* XXX  For the final trusted self-signed cert,
-				 * this is a waste of time.  That check should
-				 * optional so that e.g. 'openssl x509' can be
-				 * used to detect invalid self-signatures, but
-				 * we don't verify again and again in SSL
-				 * handshakes and the like once the cert has
-				 * been declared trusted. */
 				{
 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
 				ctx->current_cert=xs;
only in patch2:
unchanged:
--- openssl-0.9.8g.orig/crypto/evp/c_alld.c
+++ openssl-0.9.8g/crypto/evp/c_alld.c
@@ -64,9 +64,6 @@
 
 void OpenSSL_add_all_digests(void)
 	{
-#ifndef OPENSSL_NO_MD2
-	EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD4
 	EVP_add_digest(EVP_md4());
 #endif