Change log for openssl package in Ubuntu
1 → 75 of 479 results | First • Previous • Next • Last |
Published in oracular-release |
Published in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
openssl (3.0.13-0ubuntu3) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 06:42:03 +0000
Available diffs
- diff from 3.0.13-0ubuntu2 to 3.0.13-0ubuntu3 (310 bytes)
openssl (3.0.13-0ubuntu2) noble; urgency=medium [ Tobias Heider ] * Add fips-mode detection and adjust defaults when running in fips mode (LP: #2056593): - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: Detect if kernel fips mode is enabled - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: Load FIPS provider if running in FIPS mode - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Limit openssl-speed to FIPS compliant algorithms when running in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch Make sure DRBG respects query properties - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: Make sure encoding runs with correct library context and provider [ Adrien Nader ] * Re-enable intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch (LP: #2030784) Thanks Bun K Tan and Dan Zimmerman * Disable LTO with which the codebase is generally incompatible (LP: #2058017) -- Adrien Nader <email address hidden> Fri, 15 Mar 2024 09:46:33 +0100
Available diffs
- diff from 3.0.10-1ubuntu4 to 3.0.13-0ubuntu2 (162.6 KiB)
- diff from 3.0.13-0ubuntu1 to 3.0.13-0ubuntu2 (10.7 KiB)
Superseded in noble-proposed |
openssl (3.0.13-0ubuntu1) noble; urgency=medium * Import 3.0.13 - Drop security patches : + CVE-2023-5363-1.patch + CVE-2023-5363-2.patch + CVE-2023-5678.patch + CVE-2023-6129.patch + CVE-2023-6237.patch + CVE-2024-0727.patch - Skip intel/0002-AES-GCM-enabled-with-AVX512-vAES-and-vPCLMULQDQ.patch as it causes testsuite failures. -- Adrien Nader <email address hidden> Fri, 08 Mar 2024 10:47:35 +0100
Available diffs
- diff from 3.0.10-1ubuntu5 to 3.0.13-0ubuntu1 (152.3 KiB)
Superseded in noble-proposed |
openssl (3.0.10-1ubuntu5) noble; urgency=medium * Rename libraries for 64-bit time_t transition. Closes: #1064264 -- Steve Langasek <email address hidden> Sun, 03 Mar 2024 20:47:45 -0800
Available diffs
openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090) - debian/patches/openssl-1.1.1-pkcs1-implicit-rejection.patch: Return deterministic random output instead of an error in case there is a padding error in crypto/cms/cms_env.c, crypto/pkcs7/pk7_doit.c, crypto/rsa/rsa_local.h, crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c, crypto/rsa/rsa_pmeth.c, doc/man1/pkeyutl.pod, doc/man1/rsautl.pod, doc/man3/EVP_PKEY_CTX_ctrl.pod, doc/man3/EVP_PKEY_decrypt.pod, doc/man3/RSA_padding_add_PKCS1_type_1.pod, doc/man3/RSA_public_encrypt.pod, include/openssl/rsa.h and test/recipes/30-test_evp_data/evppkey.txt. -- David Fernandez Gonzalez <email address hidden> Fri, 16 Feb 2024 16:41:31 +0100
Available diffs
openssl (3.0.10-1ubuntu2.3) mantic-security; urgency=medium * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090) - debian/patches/openssl-pkcs1-implicit-rejection.patch: Return deterministic random output instead of an error in case there is a padding error in crypto/cms/cms_env.c, crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c, crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c, crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in, doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod, doc/man3/EVP_PKEY_decrypt.pod, doc/man3/RSA_padding_add_PKCS1_type_1.pod, doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod, include/crypto/rsa.h, include/openssl/core_names.h, include/openssl/rsa.h, providers/implementations/asymciphers/rsa_enc.c and test/recipes/30-test_evp_data/evppkey_rsa_common.txt. -- David Fernandez Gonzalez <email address hidden> Wed, 21 Feb 2024 11:45:39 +0100
Available diffs
openssl (3.0.2-0ubuntu1.15) jammy-security; urgency=medium * SECURITY UPDATE: Implicit rejection for RSA PKCS#1 (LP: #2054090) - debian/patches/openssl-pkcs1-implicit-rejection.patch: Return deterministic random output instead of an error in case there is a padding error in crypto/cms/cms_env.c, crypto/evp/ctrl_params_translate.c, crypto/pkcs7/pk7_doit.c, crypto/rsa/rsa_ossl.c, crypto/rsa/rsa_pk1.c, crypto/rsa/rsa_pmeth.c, doc/man1/openssl-pkeyutl.pod.in, doc/man1/openssl-rsautl.pod.in, doc/man3/EVP_PKEY_CTX_ctrl.pod, doc/man3/EVP_PKEY_decrypt.pod, doc/man3/RSA_padding_add_PKCS1_type_1.pod, doc/man3/RSA_public_encrypt.pod, doc/man7/provider-asym_cipher.pod, include/crypto/rsa.h, include/openssl/core_names.h, include/openssl/rsa.h, providers/implementations/asymciphers/rsa_enc.c and test/recipes/30-test_evp_data/evppkey_rsa_common.txt. -- David Fernandez Gonzalez <email address hidden> Fri, 16 Feb 2024 09:51:30 +0100
Available diffs
openssl (3.0.2-0ubuntu1.14) jammy-security; urgency=medium * SECURITY UPDATE: Excessive time spent in DH check / generation with large Q parameter value - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and DH_generate_key() safer yet in crypto/dh/dh_check.c, crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt, include/crypto/dherr.h, include/openssl/dh.h, include/openssl/dherr.h. - CVE-2023-5678 * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers on PowerPC - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in crypto/poly1305/asm/poly1305-ppc.pl. - CVE-2023-6129 * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA public key check in crypto/rsa/rsa_sp800_56b_check.c, test/recipes/91-test_pkey_check.t, test/recipes/91-test_pkey_check_data/rsapub_17k.pem. - CVE-2023-6237 * SECURITY UPDATE: PKCS12 Decoding crashes - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo data can be NULL in crypto/pkcs12/p12_add.c, crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c, crypto/pkcs7/pk7_mime.c. - CVE-2024-0727 -- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 13:43:23 -0500
Available diffs
- diff from 3.0.2-0ubuntu1.13 (in Ubuntu) to 3.0.2-0ubuntu1.14 (9.1 KiB)
- diff from 3.0.2-0ubuntu1.12 (in ~ubuntu-security/ubuntu/ppa) to 3.0.2-0ubuntu1.14 (22.3 KiB)
- diff from 3.0.2-0ubuntu1.11 to 3.0.2-0ubuntu1.14 (pending)
openssl (1.1.1f-1ubuntu2.21) focal-security; urgency=medium * SECURITY UPDATE: Excessive time spent in DH check / generation with large Q parameter value - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and DH_generate_key() safer yet in crypto/dh/dh_check.c, crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt, include/openssl/dh.h, include/openssl/dherr.h. - CVE-2023-5678 * SECURITY UPDATE: PKCS12 Decoding crashes - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo data can be NULL in crypto/pkcs12/p12_add.c, crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c, crypto/pkcs7/pk7_mime.c. - CVE-2024-0727 -- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 15:45:27 -0500
Available diffs
openssl (3.0.10-1ubuntu2.2) mantic-security; urgency=medium * SECURITY UPDATE: Excessive time spent in DH check / generation with large Q parameter value - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and DH_generate_key() safer yet in crypto/dh/dh_check.c, crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt, include/crypto/dherr.h, include/openssl/dh.h, include/openssl/dherr.h. - CVE-2023-5678 * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers on PowerPC - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in crypto/poly1305/asm/poly1305-ppc.pl. - CVE-2023-6129 * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA public key check in crypto/rsa/rsa_sp800_56b_check.c, test/recipes/91-test_pkey_check.t, test/recipes/91-test_pkey_check_data/rsapub_17k.pem. - CVE-2023-6237 * SECURITY UPDATE: PKCS12 Decoding crashes - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo data can be NULL in crypto/pkcs12/p12_add.c, crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c, crypto/pkcs7/pk7_mime.c. - CVE-2024-0727 -- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 13:03:16 -0500
Available diffs
Deleted in noble-updates (Reason: superseded by release) |
Superseded in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
openssl (3.0.10-1ubuntu4) noble; urgency=medium * SECURITY UPDATE: Excessive time spent in DH check / generation with large Q parameter value - debian/patches/CVE-2023-5678.patch: make DH_check_pub_key() and DH_generate_key() safer yet in crypto/dh/dh_check.c, crypto/dh/dh_err.c, crypto/dh/dh_key.c, crypto/err/openssl.txt, include/crypto/dherr.h, include/openssl/dh.h, include/openssl/dherr.h. - CVE-2023-5678 * SECURITY UPDATE: POLY1305 MAC implementation corrupts vector registers on PowerPC - debian/patches/CVE-2023-6129.patch: fix vector register clobbering in crypto/poly1305/asm/poly1305-ppc.pl. - CVE-2023-6129 * SECURITY UPDATE: Excessive time spent checking invalid RSA public keys - debian/patches/CVE-2023-6237.patch: limit the execution time of RSA public key check in crypto/rsa/rsa_sp800_56b_check.c, test/recipes/91-test_pkey_check.t, test/recipes/91-test_pkey_check_data/rsapub_17k.pem. - CVE-2023-6237 * SECURITY UPDATE: PKCS12 Decoding crashes - debian/patches/CVE-2024-0727.patch: add NULL checks where ContentInfo data can be NULL in crypto/pkcs12/p12_add.c, crypto/pkcs12/p12_mutl.c, crypto/pkcs12/p12_npas.c, crypto/pkcs7/pk7_mime.c. - CVE-2024-0727 -- Marc Deslauriers <email address hidden> Wed, 31 Jan 2024 13:03:16 -0500
Available diffs
openssl (3.0.2-0ubuntu1.13) jammy; urgency=medium * Fix (upstream): crash when using an engine for ciphers used by DRBG (LP: #2023545) - lp2023545/0001-Release-the-drbg-in-the-global-default-context-befor.patch * Fix (upstream): do not ignore return values for S/MIME signature (LP: #1994165) - lp1994165/0001-REGRESSION-CMS_final-do-not-ignore-CMS_dataFinal-res.patch * Perf (upstream): don't empty method stores and provider synchronization records when flushing the query cache (LP: #2033422) - lp2033422/0001-Drop-ossl_provider_clear_all_operation_bits-and-all-.patch - lp2033422/0002-Refactor-method-construction-pre-and-post-condition.patch - lp2033422/0003-Don-t-empty-the-method-store-when-flushing-the-query.patch - lp2033422/0004-Make-it-possible-to-remove-methods-by-the-provider-t.patch - lp2033422/0005-Complete-the-cleanup-of-an-algorithm-in-OSSL_METHOD_.patch - lp2033422/0006-For-child-libctx-provider-don-t-count-self-reference.patch - lp2033422/0007-Add-method-store-cache-flush-and-method-removal-to-n.patch -- Adrien Nader <email address hidden> Tue, 09 Jan 2024 11:42:50 +0100
Available diffs
openssl (3.0.10-1ubuntu3) noble; urgency=medium * Drop most of d/libssl3.postinst, keeping only the reboot notification on servers. The dropped code was actually unreachable since around Ubuntu 18.04, except for debconf which was loaded but not used. * Remove template for debconf -- Adrien Nader <email address hidden> Mon, 18 Sep 2023 16:06:16 +0200
Available diffs
openssl (3.0.8-1ubuntu1.4) lunar-security; urgency=medium [ Marc Deslauriers ] * SECURITY UPDATE: AES-SIV implementation ignores empty associated data entries - debian/patches/CVE-2023-2975.patch: do not ignore empty associated data with AES-SIV mode in providers/implementations/ciphers/cipher_aes_siv.c. - CVE-2023-2975 * SECURITY UPDATE: Incorrect cipher key and IV length processing - debian/patches/CVE-2023-5363-1.patch: process key length and iv length early if present in crypto/evp/evp_enc.c. - debian/patches/CVE-2023-5363-2.patch: add unit test in test/evp_extra_test.c. - CVE-2023-5363 [ Ian Constantin ] * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of an excessively large modulus in DH_check(). - CVE-2023-3446 * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of invalid q values in DH_check(). - CVE-2023-3817 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 08:02:49 -0400
Available diffs
openssl (3.0.2-0ubuntu1.12) jammy-security; urgency=medium [ Marc Deslauriers ] * SECURITY UPDATE: AES-SIV implementation ignores empty associated data entries - debian/patches/CVE-2023-2975.patch: do not ignore empty associated data with AES-SIV mode in providers/implementations/ciphers/cipher_aes_siv.c. - CVE-2023-2975 * SECURITY UPDATE: Incorrect cipher key and IV length processing - debian/patches/CVE-2023-5363-1.patch: process key length and iv length early if present in crypto/evp/evp_enc.c. - debian/patches/CVE-2023-5363-2.patch: add unit test in test/evp_extra_test.c. - CVE-2023-5363 [ Ian Constantin ] * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of an excessively large modulus in DH_check(). - CVE-2023-3446 * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of invalid q values in DH_check(). - CVE-2023-3817 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 08:02:49 -0400
Available diffs
Superseded in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
Superseded in mantic-updates |
Superseded in mantic-security |
openssl (3.0.10-1ubuntu2.1) mantic-security; urgency=medium * SECURITY UPDATE: Incorrect cipher key and IV length processing - debian/patches/CVE-2023-5363-1.patch: process key length and iv length early if present in crypto/evp/evp_enc.c. - debian/patches/CVE-2023-5363-2.patch: add unit test in test/evp_extra_test.c. - CVE-2023-5363 -- Marc Deslauriers <email address hidden> Fri, 13 Oct 2023 07:51:05 -0400
Available diffs
openssl (1.1.1f-1ubuntu2.20) focal-security; urgency=medium * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3446.patch: adds check to prevent the testing of an excessively large modulus in DH_check(). - CVE-2023-3446 * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3817.patch: adds check to prevent the testing of invalid q values in DH_check(). - CVE-2023-3817 -- Ian Constantin <email address hidden> Tue, 10 Oct 2023 12:03:48 +0300
Available diffs
Superseded in noble-release |
Published in mantic-release |
Deleted in mantic-proposed (Reason: Moved to mantic) |
openssl (3.0.10-1ubuntu2) mantic; urgency=medium * d/p/intel/*: cherry-pick AVX512 patches for recent Intel CPUs (LP: #2030784) -- Simon Chopin <email address hidden> Tue, 08 Aug 2023 17:51:58 +0200
Available diffs
- diff from 3.0.10-1ubuntu1 to 3.0.10-1ubuntu2 (55.9 KiB)
openssl (3.0.10-1ubuntu1) mantic; urgency=low * Merge from Debian unstable. Remaining changes: - Remaining changes: + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to openssl + d/libssl3.postinst: Revert Debian deletion - Skip services restart & reboot notification if needrestart is in-use. - Bump version check to 1.1.1 (bug opened as LP: #1999139) - Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Import libraries/restart-without-asking template as used by above. + Add support for building with noudeb build profile. + Use perl:native in the autopkgtest for installability on i386.
Available diffs
- diff from 3.0.9-1ubuntu1 to 3.0.10-1ubuntu1 (103.4 KiB)
openssl (3.0.9-1ubuntu1) mantic; urgency=low * Merge from Debian unstable. Remaining changes: - Remaining changes: + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to openssl + d/libssl3.postinst: Revert Debian deletion - Skip services restart & reboot notification if needrestart is in-use. - Bump version check to 1.1.1 (bug opened as LP: #1999139) - Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Import libraries/restart-without-asking template as used by above. + Add support for building with noudeb build profile. + Use perl:native in the autopkgtest for installability on i386.
Available diffs
- diff from 3.0.8-1ubuntu3 to 3.0.9-1ubuntu1 (174.7 KiB)
openssl (3.0.8-1ubuntu3) mantic; urgency=medium * SECURITY UPDATE: DoS in AES-XTS cipher decryption - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in crypto/aes/asm/aesv8-armx.pl. - CVE-2023-1255 * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/revert-CVE-2022-4304.patch: remove previous fix. - debian/patches/CVE-2022-4304.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400
Available diffs
- diff from 3.0.8-1ubuntu2 to 3.0.8-1ubuntu3 (12.9 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.23) bionic-security; urgency=medium * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/CVE-2022-4304.patch: remove previous fix. - debian/patches/CVE-2022-4304-1.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_lcl.h, crypto/rsa/rsa_ossl.c. - debian/patches/CVE-2022-4304-2.patch: re-add BN_F_OSSL_BN_RSA_DO_UNBLIND which was incorrectly removed in include/openssl/bnerr.h. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:14:51 -0400
openssl (3.0.5-2ubuntu2.3) kinetic-security; urgency=medium * SECURITY UPDATE: DoS in AES-XTS cipher decryption - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in crypto/aes/asm/aesv8-armx.pl. - CVE-2023-1255 * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/CVE-2022-4304.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:11:31 -0400
Available diffs
openssl (3.0.8-1ubuntu1.2) lunar-security; urgency=medium * SECURITY UPDATE: DoS in AES-XTS cipher decryption - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in crypto/aes/asm/aesv8-armx.pl. - CVE-2023-1255 * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/revert-CVE-2022-4304.patch: remove previous fix. - debian/patches/CVE-2022-4304.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:04:49 -0400
Available diffs
openssl (3.0.2-0ubuntu1.10) jammy-security; urgency=medium * SECURITY UPDATE: DoS in AES-XTS cipher decryption - debian/patches/CVE-2023-1255.patch: avoid buffer overrread in crypto/aes/asm/aesv8-armx.pl. - CVE-2023-1255 * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/CVE-2022-4304.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:12:55 -0400
Available diffs
openssl (1.1.1f-1ubuntu2.19) focal-security; urgency=medium * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate in crypto/objects/obj_dat.c. - CVE-2023-2650 * Replace CVE-2022-4304 fix with improved version - debian/patches/CVE-2022-4304.patch: remove previous fix. - debian/patches/CVE-2022-4304-1.patch: use alternative fix in crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c, crypto/bn/bn_local.h, crypto/rsa/rsa_ossl.c. - debian/patches/CVE-2022-4304-2.patch: re-add BN_F_OSSL_BN_RSA_DO_UNBLIND which was incorrectly removed in include/openssl/bnerr.h. -- Marc Deslauriers <email address hidden> Wed, 24 May 2023 13:14:51 -0400
Available diffs
openssl (3.0.8-1ubuntu2) mantic; urgency=medium * Manual reupload from lunar-security to mantic-proposed pocket, due to LP failing to copy it -- Gianfranco Costamagna <email address hidden> Wed, 03 May 2023 10:49:04 +0200
Available diffs
Pending in oracular-proposed since 2024-04-29 18:55:16 UTC |
Pending in noble-proposed since 2023-10-23 22:30:24 UTC |
Superseded in lunar-updates |
Pending in mantic-proposed since 2023-04-25 12:10:09 UTC |
Superseded in lunar-security |
openssl (3.0.8-1ubuntu1.1) lunar-security; urgency=medium * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 -- Camila Camargo de Matos <email address hidden> Mon, 24 Apr 2023 07:52:33 -0300
Available diffs
openssl (3.0.5-2ubuntu2.2) kinetic-security; urgency=medium * SECURITY UPDATE: double locking when processing X.509 certificate policy constraints - debian/patches/CVE-2022-3996-1.patch: revert commit 9aa4be69 and remove redundant flag setting. - debian/patches/CVE-2022-3996-2.patch: add test case for reported deadlock. - CVE-2022-3996 * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 -- Camila Camargo de Matos <email address hidden> Mon, 17 Apr 2023 15:14:07 -0300
Available diffs
openssl (3.0.2-0ubuntu1.9) jammy-security; urgency=medium * SECURITY UPDATE: double locking when processing X.509 certificate policy constraints - debian/patches/CVE-2022-3996-1.patch: revert commit 9aa4be69 and remove redundant flag setting. - debian/patches/CVE-2022-3996-2.patch: add test case for reported deadlock. - CVE-2022-3996 * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 -- Camila Camargo de Matos <email address hidden> Mon, 17 Apr 2023 15:12:58 -0300
Available diffs
openssl (1.1.1f-1ubuntu2.18) focal-security; urgency=medium * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 -- Camila Camargo de Matos <email address hidden> Mon, 17 Apr 2023 15:11:39 -0300
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.22) bionic-security; urgency=medium * SECURITY UPDATE: excessive resource use when verifying policy constraints - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created in a policy tree (the default limit is set to 1000 nodes). - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy resource overuse. - debian/patches/CVE-2023-0464-3.patch: disable the policy tree exponential growth test conditionally. - CVE-2023-0464 * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. - debian/patches/CVE-2023-0465-2.patch: generate some certificates with the certificatePolicies extension. - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test. - CVE-2023-0466 * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy not enabled as documented - debian/patches/CVE-2023-0466.patch: fix documentation of X509_VERIFY_PARAM_add0_policy(). - CVE-2023-0466 -- Camila Camargo de Matos <email address hidden> Mon, 17 Apr 2023 15:17:25 -0300
Superseded in mantic-release |
Published in lunar-release |
Deleted in lunar-proposed (Reason: Moved to lunar) |
openssl (3.0.8-1ubuntu1) lunar; urgency=medium * Merge 3.0.8 from Debian testing (LP: #2006954) - Remaining changes: + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to openssl + d/libssl3.postinst: Revert Debian deletion - Skip services restart & reboot notification if needrestart is in-use. - Bump version check to 1.1.1 (bug opened as LP: #1999139) - Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Import libraries/restart-without-asking template as used by above. + Add support for building with noudeb build profile. + Use perl:native in the autopkgtest for installability on i386. -- Adrien Nader <email address hidden> Mon, 20 Feb 2023 16:10:19 +0100
Available diffs
- diff from 3.0.7-1ubuntu1 to 3.0.8-1ubuntu1 (150.6 KiB)
openssl (1.1.1f-1ubuntu2.17) focal-security; urgency=medium * SECURITY UPDATE: Timing Oracle in RSA Decryption - debian/patches/CVE-2022-4304.patch: fix timing oracle in crypto/bn/bn_blind.c, crypto/bn/bn_err.c, crypto/bn/bn_local.h, crypto/bn/build.info, crypto/bn/rsa_sup_mul.c, crypto/err/openssl.txt, crypto/rsa/rsa_ossl.c, include/crypto/bn.h, include/openssl/bnerr.h. - CVE-2022-4304 * SECURITY UPDATE: Double free after calling PEM_read_bio_ex - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c. - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c. - CVE-2022-4450 * SECURITY UPDATE: Use-after-free following BIO_new_NDEF - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug in BIO_new_NDEF in crypto/asn1/bio_ndef.c. - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO setup with -stream is handled correctly in test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem. - CVE-2023-0215 * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h, test/v3nametest.c. - CVE-2023-0286 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2023 12:57:17 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.21) bionic-security; urgency=medium * SECURITY UPDATE: Timing Oracle in RSA Decryption - debian/patches/CVE-2022-4304.patch: fix timing oracle in crypto/bn/bn_blind.c, crypto/bn/bn_err.c, crypto/bn/bn_lcl.h, crypto/bn/rsa_sup_mul.c, crypto/err/openssl.txt, crypto/rsa/rsa_ossl.c, include/openssl/bnerr.h, crypto/include/internal/bn_int.h, crypto/bn/build.info. - CVE-2022-4304 * SECURITY UPDATE: Double free after calling PEM_read_bio_ex - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c. - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c. - CVE-2022-4450 * SECURITY UPDATE: Use-after-free following BIO_new_NDEF - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug in BIO_new_NDEF in crypto/asn1/bio_ndef.c. - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO setup with -stream is handled correctly in test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem. - CVE-2023-0215 * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h, test/v3nametest.c. - CVE-2023-0286 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2023 12:57:17 -0500
Available diffs
openssl (3.0.5-2ubuntu2.1) kinetic-security; urgency=medium * SECURITY UPDATE: X.509 Name Constraints Read Buffer Overflow - debian/patches/CVE-2022-4203-1.patch: fix type confusion in nc_match_single() in crypto/x509/v3_ncons.c. - debian/patches/CVE-2022-4203-2.patch: add testcase for nc_match_single type confusion in test/*. - CVE-2022-4203 * SECURITY UPDATE: Timing Oracle in RSA Decryption - debian/patches/CVE-2022-4304.patch: fix timing oracle in crypto/bn/bn_blind.c, crypto/bn/bn_local.h, crypto/bn/build.info, crypto/bn/rsa_sup_mul.c, crypto/rsa/rsa_ossl.c, include/crypto/bn.h. - CVE-2022-4304 * SECURITY UPDATE: Double free after calling PEM_read_bio_ex - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c. - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c. - CVE-2022-4450 * SECURITY UPDATE: Use-after-free following BIO_new_NDEF - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug in BIO_new_NDEF in crypto/asn1/bio_ndef.c. - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO setup with -stream is handled correctly in test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem. - CVE-2023-0215 * SECURITY UPDATE: Invalid pointer dereference in d2i_PKCS7 functions - debian/patches/CVE-2023-0216-1.patch: do not dereference PKCS7 object data if not set in crypto/pkcs7/pk7_lib.c. - debian/patches/CVE-2023-0216-2.patch: add test for d2i_PKCS7 NULL dereference in test/recipes/25-test_pkcs7.t, test/recipes/25-test_pkcs7_data/malformed.pkcs7. - CVE-2023-0216 * SECURITY UPDATE: NULL dereference validating DSA public key - debian/patches/CVE-2023-0217-1.patch: fix NULL deference when validating FFC public key in crypto/ffc/ffc_key_validate.c, include/internal/ffc.h, test/ffc_internal_test.c. - debian/patches/CVE-2023-0217-2.patch: prevent creating DSA and DH keys without parameters through import in providers/implementations/keymgmt/dh_kmgmt.c, providers/implementations/keymgmt/dsa_kmgmt.c. - debian/patches/CVE-2023-0217-3.patch: do not create DSA keys without parameters by decoder in crypto/x509/x_pubkey.c, include/crypto/x509.h, providers/implementations/encode_decode/decode_der2key.c. - CVE-2023-0217 * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h.in, test/v3nametest.c. - CVE-2023-0286 * SECURITY UPDATE: NULL dereference during PKCS7 data verification - debian/patches/CVE-2023-0401-1.patch: check return of BIO_set_md() calls in crypto/pkcs7/pk7_doit.c. - debian/patches/CVE-2023-0401-2.patch: add testcase for missing return check of BIO_set_md() calls in test/recipes/80-test_cms.t, test/recipes/80-test_cms_data/pkcs7-md4.pem. - CVE-2023-0401 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2023 12:57:17 -0500
Available diffs
- diff from 3.0.5-2ubuntu2 to 3.0.5-2ubuntu2.1 (23.9 KiB)
openssl (3.0.2-0ubuntu1.8) jammy-security; urgency=medium * SECURITY UPDATE: X.509 Name Constraints Read Buffer Overflow - debian/patches/CVE-2022-4203-1.patch: fix type confusion in nc_match_single() in crypto/x509/v3_ncons.c. - debian/patches/CVE-2022-4203-2.patch: add testcase for nc_match_single type confusion in test/*. - CVE-2022-4203 * SECURITY UPDATE: Timing Oracle in RSA Decryption - debian/patches/CVE-2022-4304.patch: fix timing oracle in crypto/bn/bn_blind.c, crypto/bn/bn_local.h, crypto/bn/build.info, crypto/bn/rsa_sup_mul.c, crypto/rsa/rsa_ossl.c, include/crypto/bn.h. - CVE-2022-4304 * SECURITY UPDATE: Double free after calling PEM_read_bio_ex - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c. - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c. - CVE-2022-4450 * SECURITY UPDATE: Use-after-free following BIO_new_NDEF - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug in BIO_new_NDEF in crypto/asn1/bio_ndef.c. - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO setup with -stream is handled correctly in test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem. - CVE-2023-0215 * SECURITY UPDATE: Invalid pointer dereference in d2i_PKCS7 functions - debian/patches/CVE-2023-0216-1.patch: do not dereference PKCS7 object data if not set in crypto/pkcs7/pk7_lib.c. - debian/patches/CVE-2023-0216-2.patch: add test for d2i_PKCS7 NULL dereference in test/recipes/25-test_pkcs7.t, test/recipes/25-test_pkcs7_data/malformed.pkcs7. - CVE-2023-0216 * SECURITY UPDATE: NULL dereference validating DSA public key - debian/patches/CVE-2023-0217-1.patch: fix NULL deference when validating FFC public key in crypto/ffc/ffc_key_validate.c, include/internal/ffc.h, test/ffc_internal_test.c. - debian/patches/CVE-2023-0217-2.patch: prevent creating DSA and DH keys without parameters through import in providers/implementations/keymgmt/dh_kmgmt.c, providers/implementations/keymgmt/dsa_kmgmt.c. - debian/patches/CVE-2023-0217-3.patch: do not create DSA keys without parameters by decoder in crypto/x509/x_pubkey.c, include/crypto/x509.h, providers/implementations/encode_decode/decode_der2key.c. - CVE-2023-0217 * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h.in, test/v3nametest.c. - CVE-2023-0286 * SECURITY UPDATE: NULL dereference during PKCS7 data verification - debian/patches/CVE-2023-0401-1.patch: check return of BIO_set_md() calls in crypto/pkcs7/pk7_doit.c. - debian/patches/CVE-2023-0401-2.patch: add testcase for missing return check of BIO_set_md() calls in test/recipes/80-test_cms.t, test/recipes/80-test_cms_data/pkcs7-md4.pem. - CVE-2023-0401 -- Marc Deslauriers <email address hidden> Mon, 06 Feb 2023 12:57:17 -0500
Available diffs
openssl (3.0.7-1ubuntu1) lunar; urgency=medium * Merge 3.0.7 from Debian unstable (LP: #1998942) - Drop patches merged upstream: + CVE-2022-3358.patch + CVE-2022-3602-1.patch + CVE-2022-3602-2.patch - Shrink patch since upstream fixed some tests in the patch above: + tests-use-seclevel-1.patch - Drop patch since -DOPENSSL_TLS_SECURITY_LEVEL=2 is now hard-coded: + Set-systemwide-default-settings-for-libssl-users.patch - Drop Debian patch not needed anymore: + TEST-Provide-a-default-openssl.cnf-for-tests.patch - Mention Debian as defaulting to SECLEVEL=2 in addition to Ubuntu: + tls1.2-min-seclevel2.patch - Remaining changes: + Symlink changelog{,.Debian}.gz and copyright.gz from libssl-dev to openssl + d/libssl3.postinst: Revert Debian deletion - Skip services restart & reboot notification if needrestart is in-use. - Bump version check to 1.1.1 (bug opened as LP: #1999139) - Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Import libraries/restart-without-asking template as used by above. + Add support for building with noudeb build profile. + Use perl:native in the autopkgtest for installability on i386. * Correct comment as to which TLS version is disabled with our seclevel: - skip_tls1.1_seclevel3_tests.patch [Sebastian Andrzej Siewior] * CVE-2022-3996 (X.509 Policy Constraints Double Locking).
Available diffs
Superseded in lunar-release |
Deleted in lunar-proposed (Reason: Moved to lunar) |
Superseded in kinetic-updates |
Superseded in kinetic-security |
openssl (3.0.5-2ubuntu2) kinetic-security; urgency=medium * SECURITY UPDATE: X.509 Email Address Buffer Overflow - debian/patches/CVE-2022-3602-1.patch: fix off by one in punycode decoder in crypto/punycode.c, test/build.info, test/punycode_test.c, test/recipes/04-test_punycode.t. - debian/patches/CVE-2022-3602-2.patch: ensure the result is zero terminated in crypto/punycode.c. - CVE-2022-3602 * SECURITY UPDATE: legacy custom cipher issue - debian/patches/CVE-2022-3358.patch: fix usage of custom EVP_CIPHER objects in crypto/evp/digest.c, crypto/evp/evp_enc.c. - CVE-2022-3358 -- Marc Deslauriers <email address hidden> Thu, 27 Oct 2022 13:05:01 -0400
Available diffs
openssl (3.0.2-0ubuntu1.7) jammy-security; urgency=medium * SECURITY UPDATE: X.509 Email Address Buffer Overflow - debian/patches/CVE-2022-3602-1.patch: fix off by one in punycode decoder in crypto/punycode.c, test/build.info, test/punycode_test.c, test/recipes/04-test_punycode.t. - debian/patches/CVE-2022-3602-2.patch: ensure the result is zero terminated in crypto/punycode.c. - CVE-2022-3602 * SECURITY UPDATE: legacy custom cipher issue - debian/patches/CVE-2022-3358.patch: fix usage of custom EVP_CIPHER objects in crypto/evp/digest.c, crypto/evp/evp_enc.c. - CVE-2022-3358 -- Marc Deslauriers <email address hidden> Thu, 27 Oct 2022 13:06:56 -0400
Available diffs
Superseded in lunar-release |
Obsolete in kinetic-release |
Deleted in kinetic-proposed (Reason: Moved to kinetic) |
openssl (3.0.5-2ubuntu1) kinetic; urgency=low * Merge from Debian unstable (LP: #1987047). Remaining changes: - Replace duplicate files in the doc directory with symlinks. - d/libssl3.postinst: Revert Debian deletion + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Import libraries/restart-without-asking template as used by above. - Add support for building with noudeb build profile. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Use perl:native in the autopkgtest for installability on i386. - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the testsuite - d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on Ubuntu to make it easier for user to change security level * Dropped changes, merged upstream: - d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4 regression on AVX-512 capable CPUs. * Revert the provider removal from the default configuration, following discussions on LP: #1979639
Available diffs
- diff from 3.0.4-1ubuntu1 to 3.0.5-2ubuntu1 (167.1 KiB)
openssl (3.0.2-0ubuntu1.6) jammy-security; urgency=medium * SECURITY UPDATE: AES OCB fails to encrypt some bytes - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl. - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph_aes_ocb.txt. - CVE-2022-2097 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:20:23 -0400
Available diffs
openssl (1.1.1l-1ubuntu1.6) impish-security; urgency=medium * SECURITY UPDATE: AES OCB fails to encrypt some bytes - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl. - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph.txt. - CVE-2022-2097 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:22:56 -0400
Available diffs
openssl (1.1.1f-1ubuntu2.16) focal-security; urgency=medium * SECURITY UPDATE: AES OCB fails to encrypt some bytes - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl. - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph.txt. - CVE-2022-2097 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:24:28 -0400
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.20) bionic-security; urgency=medium * SECURITY UPDATE: AES OCB fails to encrypt some bytes - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for x86 AES-NI in crypto/aes/asm/aesni-x86.pl. - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in test/recipes/30-test_evp_data/evpciph.txt. - CVE-2022-2097 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 07:25:51 -0400
Available diffs
openssl (3.0.4-1ubuntu1) kinetic; urgency=medium * Merge from Debian unstable (LP: #1979639). Remaining changes: - Replace duplicate files in the doc directory with symlinks. - d/libssl3.postinst: Revert Debian deletion + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Import libraries/restart-without-asking template as used by above. - Add support for building with noudeb build profile. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Use perl:native in the autopkgtest for installability on i386. - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the testsuite - d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on Ubuntu to make it easier for user to change security level * Dropped changes, merged upstream: - Add some more string comparison fixes - d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to trigger the underlying bug - d/p/lp1978093/*: renew some expiring test certificates * d/p/fix-avx512-overflow.patch: Cherry-picked from upstream to fix a 3.0.4 regression on AVX-512 capable CPUs.
Available diffs
- diff from 3.0.3-5ubuntu3 to 3.0.4-1ubuntu1 (150.6 KiB)
openssl (1.1.1f-1ubuntu2.15) focal-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it before c_rehash-compat.patch. - debian/patches/CVE-2022-2068.patch: fix file operations in tools/c_rehash.in. - debian/patches/c_rehash-compat.patch: updated patch to apply after the security updates. - CVE-2022-2068 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 14:16:37 -0400
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.19) bionic-security; urgency=medium [ Simon Chopin ] * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093) [ Marc Deslauriers ] * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it before c_rehash-compat.patch. - debian/patches/CVE-2022-2068.patch: fix file operations in tools/c_rehash.in. - debian/patches/c_rehash-compat.patch: updated patch to apply after the security updates. - CVE-2022-2068 -- Simon Chopin <email address hidden> Tue, 14 Jun 2022 13:37:45 +0200
openssl (3.0.2-0ubuntu1.5) jammy-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it before c_rehash-compat.patch. - debian/patches/CVE-2022-2068-1.patch: fix file operations in tools/c_rehash.in. - debian/patches/CVE-2022-2068-2.patch: drop the issuer_name_hash= prefix from the CRL hash in tools/c_rehash.in. - debian/patches/c_rehash-compat.patch: updated patch to apply after the security updates. - CVE-2022-2068 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:26:20 -0400
openssl (1.1.1l-1ubuntu1.5) impish-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it before c_rehash-compat.patch. - debian/patches/CVE-2022-2068.patch: fix file operations in tools/c_rehash.in. - debian/patches/c_rehash-compat.patch: updated patch to apply after the security updates. - CVE-2022-2068 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:38:42 -0400
Available diffs
Deleted in impish-proposed (Reason: moved to -updates) |
openssl (1.1.1l-1ubuntu1.4) impish; urgency=medium * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093) * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to trigger the underlying bug (LP: #1947588) -- Simon Chopin <email address hidden> Fri, 10 Jun 2022 10:11:25 +0200
Available diffs
Deleted in focal-proposed (Reason: moved to -updates) |
openssl (1.1.1f-1ubuntu2.14) focal; urgency=medium * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093) * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to trigger the underlying bug (LP: #1947588) -- Simon Chopin <email address hidden> Fri, 10 Jun 2022 10:11:25 +0200
Available diffs
openssl (3.0.2-0ubuntu1.4) jammy; urgency=medium * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)
Available diffs
- diff from 3.0.2-0ubuntu1.2 to 3.0.2-0ubuntu1.4 (41.9 KiB)
- diff from 3.0.2-0ubuntu1.3 to 3.0.2-0ubuntu1.4 (30.3 KiB)
openssl (3.0.3-5ubuntu3) kinetic; urgency=medium * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093) -- Simon Chopin <email address hidden> Thu, 09 Jun 2022 13:20:55 +0200
Available diffs
- diff from 3.0.3-5ubuntu2 to 3.0.3-5ubuntu3 (30.4 KiB)
Superseded in jammy-proposed |
openssl (3.0.2-0ubuntu1.3) jammy; urgency=medium * d/p/lp1974037/*: cherry-pick another patchset to fix regressions with the previous lp1974037 one (LP: #1974037) * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on Ubuntu to make it easier for user to change security level (LP: #1972056) * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to trigger the underlying bug (LP: #1947588) -- Simon Chopin <email address hidden> Tue, 24 May 2022 10:55:08 +0200
Available diffs
openssl (3.0.3-5ubuntu2) kinetic; urgency=medium * d/p/Set-systemwide-default-settings-for-libssl-users: don't comment out the CipherString string to avoid an empty section. -- Simon Chopin <email address hidden> Tue, 31 May 2022 13:02:15 +0200
Available diffs
- diff from 3.0.3-0ubuntu1 to 3.0.3-5ubuntu2 (27.1 KiB)
- diff from 3.0.3-5ubuntu1 to 3.0.3-5ubuntu2 (501 bytes)
Superseded in kinetic-proposed |
openssl (3.0.3-5ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1974035): Remaining change: - Replace duplicate files in the doc directory with symlinks. - d/libssl3.postinst: Revert Debian deletion + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Import libraries/restart-without-asking template as used by above. - Add support for building with noudeb build profile. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Use perl:native in the autopkgtest for installability on i386. - d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the testsuite * Add some more string comparison fixes (LP: #1974037) * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on Ubuntu to make it easier for user to change security level (LP: #1972056) * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to trigger the underlying bug (LP: #1947588) -- Simon Chopin <email address hidden> Tue, 31 May 2022 09:49:54 +0200
Available diffs
- diff from 3.0.3-0ubuntu1 to 3.0.3-5ubuntu1 (27.0 KiB)
Deleted in bionic-proposed (Reason: moved to -updates) |
openssl (1.1.1-1ubuntu2.1~18.04.18) bionic; urgency=medium * Backport pr9780: - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch (LP: #1940141) -- Bruce Elrick <email address hidden> Mon, 09 May 2022 19:38:43 +0000
Available diffs
openssl (3.0.2-0ubuntu1.2) jammy; urgency=medium * d/p/lp1968997/*: cherry-pick a patchset to fix issues with the Turkish locale (LP: #1968997) -- Simon Chopin <email address hidden> Thu, 05 May 2022 10:04:52 +0200
Available diffs
openssl (3.0.3-0ubuntu1) kinetic; urgency=medium * New upstream release (LP: #1968997): - d/p/CVE-2022-*: dropped, present upstream - d/p/c_rehash-compat.patch: refreshed -- Simon Chopin <email address hidden> Thu, 05 May 2022 10:56:04 +0200
Available diffs
- diff from 3.0.2-0ubuntu1 to 3.0.3-0ubuntu1 (86.0 KiB)
- diff from 3.0.2-0ubuntu2 to 3.0.3-0ubuntu1 (90.9 KiB)
Superseded in kinetic-proposed |
openssl (3.0.2-0ubuntu2) kinetic; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response signing certificate - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer certificate validation in crypto/ocsp/ocsp_vfy.c. - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid responses in test/recipes/80-test_ocsp.t. - CVE-2022-1343 * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in providers/implementations/ciphers/cipher_rc4_hmac_md5.c, test/recipes/30-test_evp_data/evpciph_aes_stitched.txt, test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt. - CVE-2022-1434 * SECURITY UPDATE: resource leakage when decoding certificates and keys - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in crypto/lhash/lhash.c. - CVE-2022-1473 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 12:01:34 -0400
Available diffs
openssl (3.0.2-0ubuntu1.1) jammy-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 * SECURITY UPDATE: OCSP_basic_verify may incorrectly verify the response signing certificate - debian/patches/CVE-2022-1343-1.patch: fix OCSP_basic_verify signer certificate validation in crypto/ocsp/ocsp_vfy.c. - debian/patches/CVE-2022-1343-2.patch: test ocsp with invalid responses in test/recipes/80-test_ocsp.t. - CVE-2022-1343 * SECURITY UPDATE: incorrect MAC key used in the RC4-MD5 ciphersuite - debian/patches/CVE-2022-1434.patch: fix the RC4-MD5 cipher in providers/implementations/ciphers/cipher_rc4_hmac_md5.c, test/recipes/30-test_evp_data/evpciph_aes_stitched.txt, test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt. - CVE-2022-1434 * SECURITY UPDATE: resource leakage when decoding certificates and keys - debian/patches/CVE-2022-1473.patch: fix bug in OPENSSL_LH_flush in crypto/lhash/lhash.c. - CVE-2022-1473 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 12:01:34 -0400
Available diffs
openssl (1.1.1f-1ubuntu2.13) focal-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 13:49:36 -0400
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.17) bionic-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 * NOTE: This package does _not_ contain the changes from 1.1.1-1ubuntu2.1~18.04.16 in bionic-proposed. -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 13:51:42 -0400
openssl (1.1.1l-1ubuntu1.3) impish-security; urgency=medium * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 -- Marc Deslauriers <email address hidden> Tue, 03 May 2022 13:48:03 -0400
Available diffs
Superseded in bionic-proposed |
openssl (1.1.1-1ubuntu2.1~18.04.16) bionic; urgency=medium * Backport pr9780: - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch (LP: #1940141) -- Bruce Elrick <email address hidden> Wed, 16 Mar 2022 17:05:32 +0000
Available diffs
Superseded in kinetic-release |
Published in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
openssl (3.0.2-0ubuntu1) jammy; urgency=medium * New upstream bugfix release (LP: #1965141) * d/p/skip_tls1.1_seclevel3_tests.patch: new Ubuntu-specific patch for the testsuite -- Simon Chopin <email address hidden> Wed, 16 Mar 2022 09:35:51 +0100
Available diffs
- diff from 3.0.1-0ubuntu1 to 3.0.2-0ubuntu1 (119.8 KiB)
openssl (1.1.1l-1ubuntu1.2) impish-security; urgency=medium * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c. - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod. - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt. - CVE-2022-0778 -- Marc Deslauriers <email address hidden> Wed, 09 Mar 2022 07:06:18 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.15) bionic-security; urgency=medium * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c. - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod. - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt. - CVE-2022-0778 -- Marc Deslauriers <email address hidden> Wed, 09 Mar 2022 07:13:40 -0500
Available diffs
openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c. - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod. - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt. - CVE-2022-0778 -- Marc Deslauriers <email address hidden> Wed, 09 Mar 2022 07:12:45 -0500
Available diffs
openssl (1.1.1f-1ubuntu2.11) focal; urgency=medium * Fixup pointer authentication for armv8 systems that support it when using the poly1305 MAC, preventing segmentation faults. (LP: #1960863) - d/p/lp-1960863-crypto-poly1305-asm-fix-armv8-pointer-authenticat.patch -- Matthew Ruffell <email address hidden> Tue, 15 Feb 2022 10:10:01 +1300
Available diffs
openssl (3.0.1-0ubuntu1) jammy; urgency=medium * New upstream release (LP: #1955026). + Dropped patches, merged upstream: - d/p/double-engine-load* - d/p/Add-null-digest-implementation-to-the-default-provid.patch - d/p/Don-t-create-an-ECX-key-with-short-keys.patch + Refreshed patches: - d/p/c_rehash-compat.patch -- Simon Chopin <email address hidden> Thu, 16 Dec 2021 09:10:48 +0100
Available diffs
- diff from 3.0.0-1ubuntu1 to 3.0.1-0ubuntu1 (178.5 KiB)
- diff from 3.0.0-1ubuntu2 to 3.0.1-0ubuntu1 (180.8 KiB)
Superseded in jammy-proposed |
openssl (3.0.0-1ubuntu2) jammy; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Tue, 07 Dec 2021 17:15:51 +0100
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.14) bionic; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:50:16 +0100
openssl (1.1.1f-1ubuntu2.10) focal; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:20:48 +0100
Available diffs
1 → 75 of 479 results | First • Previous • Next • Last |