openssl: merge 3.0.5-2 from Debian unstable
Bug #1987047 reported by Simon Chopin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Fix Released | High | Simon Chopin |
Bug Description
We need to merge the new version from Debian, notably because of CVE-2022-2097 (the other security issue already being fixed as a cherry-picked patch)
Changed in openssl (Ubuntu): status: Confirmed → In Progress
This bug was fixed in the package openssl - 3.0.5-2ubuntu1
---------------
openssl (3.0.5-2ubuntu1) kinetic; urgency=low
* Merge from Debian unstable (LP: #1987047). Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- d/libssl3.postinst: Revert Debian deletion
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to 1.1.1.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Import libraries/restart-without-asking template as used by above.
- Add support for building with noudeb build profile.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Use perl:native in the autopkgtest for installability on i386.
- d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the
testsuite
- d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it
on Ubuntu to make it easier for user to change security level
* Dropped changes, merged upstream:
- d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4
regression on AVX-512 capable CPUs.
* Revert the provider removal from the default configuration, following
discussions on LP: #1979639
openssl (3.0.5-2) unstable; urgency=medium
* Update to commit ce3951fc30c7b ("VC++ 2008 or earlier x86 compilers…")
(Closes: #1016290).
openssl (3.0.5-1) unstable; urgency=medium
* Import 3.0.5
- Possible module_list_lock crash (Closes: #1013309).
- CVE-2022-2097 (AES OCB fails to encrypt some bytes).
* Update to 55461bf22a57a ("Don't try to make configuration leaner")
* Use -latomic on arc,nios2 and sparc (Closes: #1015792).
openssl (3.0.4-2) unstable; urgency=medium
* Address an AVX2 related memory corruption (Closes: #1013441) (CVE-2022-2274).
-- Simon Chopin <email address hidden> Fri, 19 Aug 2022 10:05:04 +0200