Ubuntu
openssl package

Outdate version check for restart in libssl3.postinst

Bug #1999139 reported by Adrien Nader
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Our version of libssl3.postinst compares the installed version to "1.1.1-1ubuntu2.1~18.04.2" (moreover the test is done twice) which is unlikely to be what we want nowadays.

The version needs to be updated and since we have been carrying this as a delta from Debian, it would be a good idea to ensure the behaviour still matches what we currently want.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.7-1ubuntu1

---------------
openssl (3.0.7-1ubuntu1) lunar; urgency=medium

  * Merge 3.0.7 from Debian unstable (LP: #1998942)
    - Drop patches merged upstream:
      + CVE-2022-3358.patch
      + CVE-2022-3602-1.patch
      + CVE-2022-3602-2.patch
    - Shrink patch since upstream fixed some tests in the patch above:
      + tests-use-seclevel-1.patch
    - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded:
      + Set-systemwide-default-settings-for-libssl-users.patch
    - Drop Debian patch not needed anymore:
      + TEST-Provide-a-default-openssl.cnf-for-tests.patch
    - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu:
      + tls1.2-min-seclevel2.patch
    - Remaining changes:
      + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to
        openssl
      + d/libssl3.postinst: Revert Debian deletion
        - Skip services restart & reboot notification if needrestart is in-use.
        - Bump version check to 1.1.1 (bug opened as LP: #1999139)
        - Use a different priority for libssl1.1/restart-services depending
          on whether a desktop, or server dist-upgrade is being performed.
        - Import libraries/restart-without-asking template as used by above.
      + Add support for building with noudeb build profile.
      + Use perl:native in the autopkgtest for installability on i386.
  * Correct comment as to which TLS version is disabled with our seclevel:
    - skip_tls1.1_seclevel3_tests.patch

  [Sebastian Andrzej Siewior]
  * CVE-2022-3996 (X.509 Policy Constraints Double Locking).

openssl (3.0.7-1) unstable; urgency=medium

  * Import 3.0.7
    - Using a Custom Cipher with NID_undef may lead to NULL encryption
      (CVE-2022-3358) (Closes: #1021620).
    - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
    - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
  * Disable rdrand engine (the opcode on x86).
  * Remove config bits for MIPS R6, the generic MIPS config can be used.

openssl (3.0.5-4) unstable; urgency=medium

  * Add ssl_conf() serialisation (Closes: #1020308).

openssl (3.0.5-3) unstable; urgency=medium

  * Add cert.pem symlink pointing to ca-certificates' ca-certificates.crt
   (Closes: #805646).
  * Compile with OPENSSL_TLS_SECURITY_LEVEL=2 (Closes: #918727).

 -- Adrien Nader <email address hidden> Tue, 06 Dec 2022 15:11:40 +0100

Changed in openssl (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.