openssl: merge 3.0.5-2 from Debian unstable

Bug #1987047 reported by Simon Chopin
Affects: openssl (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Simon Chopin

Bug Description

We need to merge the new version from Debian, notably because of CVE-2022-2097 (the other security issue already being fixed as a cherry-picked patch)

Simon Chopin (schopin)
Changed in openssl (Ubuntu):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.5-2ubuntu1

---------------
openssl (3.0.5-2ubuntu1) kinetic; urgency=low

  * Merge from Debian unstable (LP: #1987047). Remaining changes:
    - Replace duplicate files in the doc directory with symlinks.
    - d/libssl3.postinst: Revert Debian deletion
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Import libraries/restart-without-asking template as used by above.
    - Add support for building with noudeb build profile.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Use perl:native in the autopkgtest for installability on i386.
    - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
      testsuite
    - d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
      on Ubuntu to make it easier for user to change security level
  * Dropped changes, merged upstream:
    - d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
      regression on AVX-512 capable CPUs.
  * Revert the provider removal from the default configuration, following
    discussions on LP: #1979639

openssl (3.0.5-2) unstable; urgency=medium

  * Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
    (Closes: #1016290).

openssl (3.0.5-1) unstable; urgency=medium

  * Import 3.0.5
    - Possible module_list_lock crash (Closes: #1013309).
    - CVE-2022-2097 (AES OCB fails to encrypt some bytes).
  * Update to 55461bf22a57a ("Don't try to make configuration leaner")
  * Use -latomic on arc,nios2 and sparc (Closes: #1015792).

openssl (3.0.4-2) unstable; urgency=medium

  * Address an AVX2 related memory corruption (Closes: #1013441)
    (CVE-2022-2274).

 -- Simon Chopin <email address hidden> Fri, 19 Aug 2022 10:05:04 +0200

Changed in openssl (Ubuntu):
status: In Progress → Fix Released
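The changelog entry above describes the Ubuntu-specific security level: level 2 is compiled in as the minimum and also prohibits TLS versions below 1.2, and the previous default of 1 can be restored per application with SSL_CTX_set_security_level()/SSL_set_security_level() or system-wide through the CipherString setting in the OpenSSL configuration file. The fragment below is an added illustration of that system-wide setting, not part of the bug report or the package; it assumes the section layout of Ubuntu's /etc/ssl/openssl.cnf (the file the changelog calls openssl.cfg) and omits unrelated keys such as the provider section.

```ini
# Excerpt of /etc/ssl/openssl.cnf (assumed layout of Ubuntu's shipped file).
# The top-level key must be in the unnamed default section so that libssl
# applications pick up the system_default settings without any code change.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Ubuntu default: security level 2, which refuses TLS 1.0/1.1 and rejects
# keys offering less than 112 bits of security (e.g. RSA below 2048 bits).
CipherString = DEFAULT:@SECLEVEL=2

# To restore the previous default of 1 for every libssl user on the host,
# replace the line above with the following. Doing so re-enables TLS 1.0/1.1
# and weaker keys for all applications that do not set their own level, so
# prefer the per-application SSL_CTX_set_security_level(ctx, 1) call where a
# single legacy client needs it.
# CipherString = DEFAULT:@SECLEVEL=1
```

A quick check of the effective level after editing the file is `openssl ciphers -v 'DEFAULT:@SECLEVEL=2'`, which lists only the suites still permitted at that level.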