Change log for openssl package in Ubuntu
| 76 → 150 of 481 results | First • Previous • Next • Last |
openssl (1.1.1-1ubuntu2.1~18.04.14) bionic; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:50:16 +0100
openssl (1.1.1f-1ubuntu2.10) focal; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:20:48 +0100
Available diffs
openssl (1.1.1j-1ubuntu3.6) hirsute; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 11:32:57 +0100
Available diffs
openssl (1.1.1l-1ubuntu1.1) impish; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 10:53:29 +0100
Available diffs
openssl (3.0.0-1ubuntu1) jammy; urgency=medium
* Manual merge of version 3.0.0-1 from Debian experimental, remaining
changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Add support for building with noudeb build profile.
* d/p/Don-t-create-an-ECX-key-with-short-keys.patch:
Backported from upstream to fix a regression with short keys (LP: #1946213)
* d/p/Add-null-digest-implementation-to-the-default-provid.patch:
Backported from upstream to fix a compatibility issue with 1.1.1l
* Manually call dh_installdirs to fix build failure
* Drop some Ubuntu patches merged upstream
+ The s390x series (00xx) has been applied upstream
+ The lp-1927161 Intel CET series has been applied upstream
+ CVE-2021-3449 has been fixed upstream
+ CVE-2021-3450 doesn't apply to 3.0 branch
* Refresh and adapt the remaining patches
Available diffs
- diff from 1.1.1l-1ubuntu1 to 3.0.0-1ubuntu1 (12.7 MiB)
| Superseded in jammy-release |
| Obsolete in impish-release |
| Deleted in impish-proposed (Reason: Moved to impish) |
openssl (1.1.1l-1ubuntu1) impish; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
- Add support for building with noudeb build profile.
* Dropped changes:
- Cherry-pick an upstream patch to fix s390x AES code
Available diffs
- diff from 1.1.1k-1ubuntu1 to 1.1.1l-1ubuntu1 (47.9 KiB)
openssl (1.1.1f-1ubuntu2.9) focal; urgency=medium
* Cherry-pick stable patches to fix potential use-after-free. LP:
#1940656
-- Dimitri John Ledkov <email address hidden> Wed, 25 Aug 2021 02:13:44 +0100
Available diffs
openssl (1.1.1j-1ubuntu3.5) hirsute-security; urgency=medium
* SECURITY UPDATE: SM2 Decryption Buffer Overflow
- debian/patches/CVE-2021-3711-1.patch: correctly calculate the length
of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c,
crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h,
test/sm2_internal_test.c.
- debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption
in test/recipes/30-test_evp_data/evppkey.txt.
- debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is
large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
- CVE-2021-3711
* SECURITY UPDATE: Read buffer overrun in X509_aux_print()
- debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in
X509_aux_print() in crypto/x509/t_x509.c.
- debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_alt.c,
crypto/x509v3/v3_utl.c, include/crypto/x509.h.
- debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not
assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
- debian/patches/CVE-2021-3712-4.patch: fix printing of
PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in
crypto/x509v3/v3_pci.c.
- debian/patches/CVE-2021-3712-5.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL
terminated strings in test/x509_time_test.c.
- debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print
function to not assume NUL terminated strings in
crypto/asn1/t_spki.c.
- debian/patches/CVE-2021-3712-9.patch: fix
EC_GROUP_new_from_ecparameters to check the base length in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-11.patch: fix the error handling in
i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
- debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-13.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- CVE-2021-3712
-- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.13) bionic-security; urgency=medium
* SECURITY UPDATE: SM2 Decryption Buffer Overflow
- debian/patches/CVE-2021-3711-1.patch: correctly calculate the length
of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c,
crypto/sm2/sm2_pmeth.c, crypto/include/internal/sm2.h,
test/sm2_internal_test.c.
- debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption
in test/recipes/30-test_evp_data/evppkey.txt.
- debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is
large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
- CVE-2021-3711
* SECURITY UPDATE: Read buffer overrun in X509_aux_print()
- debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in
X509_aux_print() in crypto/x509/t_x509.c.
- debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_alt.c,
crypto/x509v3/v3_utl.c, crypto/include/internal/x509_int.h.
- debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not
assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
- debian/patches/CVE-2021-3712-4.patch: fix printing of
PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in
crypto/x509v3/v3_pci.c.
- debian/patches/CVE-2021-3712-5.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL
terminated strings in test/x509_time_test.c.
- debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print
function to not assume NUL terminated strings in
crypto/asn1/t_spki.c.
- debian/patches/CVE-2021-3712-9.patch: fix
EC_GROUP_new_from_ecparameters to check the base length in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-11.patch: fix the error handling in
i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
- debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-13.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- CVE-2021-3712
-- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
openssl (1.1.1f-1ubuntu2.8) focal-security; urgency=medium
* SECURITY UPDATE: SM2 Decryption Buffer Overflow
- debian/patches/CVE-2021-3711-1.patch: correctly calculate the length
of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c,
crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h,
test/sm2_internal_test.c.
- debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption
in test/recipes/30-test_evp_data/evppkey.txt.
- debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is
large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
- CVE-2021-3711
* SECURITY UPDATE: Read buffer overrun in X509_aux_print()
- debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in
X509_aux_print() in crypto/x509/t_x509.c.
- debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_alt.c,
crypto/x509v3/v3_utl.c, include/crypto/x509.h.
- debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not
assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
- debian/patches/CVE-2021-3712-4.patch: fix printing of
PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in
crypto/x509v3/v3_pci.c.
- debian/patches/CVE-2021-3712-5.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL
terminated strings in test/x509_time_test.c.
- debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print
function to not assume NUL terminated strings in
crypto/asn1/t_spki.c.
- debian/patches/CVE-2021-3712-9.patch: fix
EC_GROUP_new_from_ecparameters to check the base length in
crypto/ec/ec_asn1.c.
- debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-11.patch: fix the error handling in
i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
- debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect
string overruns in crypto/asn1/asn1_lib.c.
- debian/patches/CVE-2021-3712-13.patch: fix the name constraints code
to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
- debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not
assume NUL terminated strings in crypto/x509v3/v3_utl.c.
- CVE-2021-3712
-- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
Available diffs
openssl (1.1.1k-1ubuntu1) impish; urgency=low * Merge from Debian unstable (LP: #1939544). Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. - Add support for building with noudeb build profile. * Dropped changes, superseded upstream: - SECURITY UPDATE: NULL pointer deref in signature_algorithms processing -> CVE-2021-3449 - SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT -> CVE-2021-3450
Available diffs
- diff from 1.1.1j-1ubuntu5 to 1.1.1k-1ubuntu1 (14.6 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.10) bionic; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
openssl (1.1.1f-1ubuntu2.5) focal; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
Available diffs
openssl (1.1.1j-1ubuntu3.2) hirsute; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
Available diffs
openssl (1.1.1j-1ubuntu5) impish; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
Available diffs
| Published in xenial-security |
| Published in xenial-updates |
| Deleted in xenial-proposed (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium
* Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt
connection with the default chain remains trusted even after the
expiry of the redundant CA certificate. LP: #1928989
-- Dimitri John Ledkov <email address hidden> Mon, 28 Jun 2021 14:05:36 +0100
Available diffs
openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium
* Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
to validate, as it is common on self-signed leaf certificates.
(LP: #1926254)
- d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
- d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
- d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
-- Matthew Ruffell <email address hidden> Wed, 28 Apr 2021 12:37:28 +1200
Available diffs
openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium
* Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
to validate, as it is common on self-signed leaf certificates.
(LP: #1926254)
- d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
- d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
- d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
* Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
error when attempting to build a source package, due to pr12272.patch
patching files multiple times within the same patch. (LP: #1927161)
- d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
- d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
- d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
- d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
- d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
-- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:13:30 +1200
Available diffs
| Superseded in hirsute-proposed |
openssl (1.1.1j-1ubuntu3.1) hirsute; urgency=medium
* Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
error when attempting to build a source package, due to pr12272.patch
patching files multiple times within the same patch. (LP: #1927161)
- d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
- d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
- d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
- d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
- d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
-- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:00:54 +1200
Available diffs
openssl (1.1.1j-1ubuntu4) impish; urgency=medium
* Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
error when attempting to build a source package, due to pr12272.patch
patching files multiple times within the same patch. (LP: #1927161)
- d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
- d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
- d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
- d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
- d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
-- Matthew Ruffell <email address hidden> Wed, 05 May 2021 11:49:27 +1200
Available diffs
| Superseded in impish-release |
| Obsolete in hirsute-release |
| Deleted in hirsute-proposed (Reason: Moved to hirsute) |
openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
* SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT
- debian/patches/CVE-2021-3450-1.patch: do not override error return
value by check_curve in crypto/x509/x509_vfy.c,
test/verify_extra_test.c.
- debian/patches/CVE-2021-3450-2.patch: fix return code check in
crypto/x509/x509_vfy.c.
- CVE-2021-3450
-- Marc Deslauriers <email address hidden> Thu, 25 Mar 2021 11:44:30 -0400
Available diffs
| Superseded in hirsute-proposed |
openssl (1.1.1j-1ubuntu2) hirsute; urgency=medium * No-change upload to pick up lto. -- Matthias Klose <email address hidden> Tue, 23 Mar 2021 15:24:20 +0100
Available diffs
- diff from 1.1.1j-1ubuntu1 to 1.1.1j-1ubuntu2 (320 bytes)
openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
-- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:42:42 -0400
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
-- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:37:17 -0400
Available diffs
openssl (1.1.1f-1ubuntu4.3) groovy-security; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
-- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:33:17 -0400
Available diffs
openssl (1.1.1j-1ubuntu1) hirsute; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
* Add support for building with noudeb build profile.
Available diffs
- diff from 1.1.1f-1ubuntu5 to 1.1.1j-1ubuntu1 (182.8 KiB)
- diff from 1.1.1i-3ubuntu2 to 1.1.1j-1ubuntu1 (37.3 KiB)
openssl (1.0.1-4ubuntu5.45) precise-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/DirectoryString-is-a-CHOICE-type-and-therefore-uses-expli.patch:
use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch:
correctly compare EdiPartyName in crypto/x509v3/v3_genn.c.
- debian/patches/Check-that-multi-strings-CHOICE-types-don-t-use-implicit-.patch:
check that multi-strings/CHOICE types don't use implicit tagging in
crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h.
- debian/patches/Complain-if-we-are-attempting-to-encode-with-an-invalid-A.patch:
complain if we are attempting to encode with an invalid ASN.1 template in
crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h.
- CVE-2020-1971
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Avital Ostromich <email address hidden> Fri, 19 Feb 2021 17:38:20 -0500
Available diffs
| Superseded in hirsute-proposed |
openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium * No-change rebuild to drop the udeb package. -- Matthias Klose <email address hidden> Mon, 22 Feb 2021 10:35:47 +0100
Available diffs
- diff from 1.1.1i-3ubuntu1 to 1.1.1i-3ubuntu2 (331 bytes)
openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium
* SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in
crypto/evp/evp_err.c, crypto/evp/evp.h.
- debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in
crypto/evp/evp_err.c, crypto/evp/evp.h.
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
in EVP_CipherUpdate calls in crypto/evp/evp_enc.c,
crypto/evp/evp_err.c, crypto/evp/evp.h.
- CVE-2021-23840
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 08:14:40 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium
* SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840-pre1.patch: add a new EVP error code in
crypto/err/openssl.txt, crypto/evp/evp_err.c,
include/openssl/evperr.h.
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
in EVP_CipherUpdate calls in crypto/err/openssl.txt,
crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
- CVE-2021-23840
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:35:54 -0500
openssl (1.1.1f-1ubuntu4.2) groovy-security; urgency=medium
* SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
in EVP_CipherUpdate calls in crypto/err/openssl.txt,
crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
- CVE-2021-23840
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:32:55 -0500
Available diffs
openssl (1.1.1f-1ubuntu2.2) focal-security; urgency=medium
* SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
in EVP_CipherUpdate calls in crypto/err/openssl.txt,
crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
- CVE-2021-23840
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:35:54 -0500
Available diffs
| Superseded in hirsute-proposed |
openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers, unless needrestart is available.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Skip services restart & reboot notification if needrestart is in-use.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
- Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
* Drop many patches included upstream.
Available diffs
- diff from 1.1.1f-1ubuntu5 to 1.1.1i-3ubuntu1 (171.0 KiB)
openssl (1.1.1f-1ubuntu5) hirsute; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in test/v3nametest.c.
- debian/patches/CVE-2020-1971-6.patch: add a test for
encoding/decoding using an invalid ASN.1 Template in
test/asn1_decode_test.c, test/asn1_encode_test.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Tue, 08 Dec 2020 12:33:52 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.7) bionic-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in test/v3nametest.c.
- debian/patches/CVE-2020-1971-6.patch: add a test for
encoding/decoding using an invalid ASN.1 Template in
test/asn1_decode_test.c, test/asn1_encode_test.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:54:45 -0500
openssl (1.1.1f-1ubuntu2.1) focal-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in test/v3nametest.c.
- debian/patches/CVE-2020-1971-6.patch: add a test for
encoding/decoding using an invalid ASN.1 Template in
test/asn1_decode_test.c, test/asn1_encode_test.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:52:44 -0500
Available diffs
openssl (1.1.1f-1ubuntu4.1) groovy-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in test/v3nametest.c.
- debian/patches/CVE-2020-1971-6.patch: add a test for
encoding/decoding using an invalid ASN.1 Template in
test/asn1_decode_test.c, test/asn1_encode_test.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:43:55 -0500
Available diffs
openssl (1.0.2g-1ubuntu4.18) xenial-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in crypto/x509v3/v3nametest.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 10:43:58 -0500
Available diffs
| Superseded in hirsute-release |
| Obsolete in groovy-release |
| Deleted in groovy-proposed (Reason: moved to Release) |
openssl (1.1.1f-1ubuntu4) groovy; urgency=medium
* Cherrypick upstream fix for non-interactive detection on Linux. LP:
#1879826
* Cherrypick AES CTR-DRGB: performance improvement LP: #1799928
* Skip services restart & reboot notification if needrestart is in-use
LP: #1895708
-- Dimitri John Ledkov <email address hidden> Tue, 15 Sep 2020 18:04:36 +0100
Available diffs
openssl (1.0.2g-1ubuntu4.17) xenial-security; urgency=medium
* SECURITY UPDATE: Raccoon Attack
- debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the
DH secret across multiple TLS connections in ssl/s3_lib.c.
- CVE-2020-1968
-- Marc Deslauriers <email address hidden> Tue, 15 Sep 2020 14:13:51 -0400
Available diffs
openssl (1.1.1f-1ubuntu3) groovy; urgency=medium
* Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
-- Dimitri John Ledkov <email address hidden> Thu, 25 Jun 2020 14:18:43 +0100
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.6) bionic-security; urgency=medium
* SECURITY UPDATE: ECDSA remote timing attack
- debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or
zero cofactor, compute it in crypto/ec/ec_lib.c.
- CVE-2019-1547
* SECURITY UPDATE: Fork Protection
- debian/patches/CVE-2019-1549.patch: ensure fork-safety without using
a pthread_atfork handler in crypto/include/internal/rand_int.h,
crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h,
crypto/rand/rand_lib.c, crypto/threads_none.c,
crypto/threads_pthread.c, crypto/threads_win.c,
include/internal/cryptlib.h, test/drbgtest.c.
- CVE-2019-1549
* SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
- debian/patches/CVE-2019-1551.patch: fix an overflow bug in
rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl.
- CVE-2019-1551
* SECURITY UPDATE: Padding Oracle issue
- debian/patches/CVE-2019-1563.patch: fix a padding oracle in
PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c,
crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c,
crypto/pkcs7/pk7_doit.c.
- CVE-2019-1563
-- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:15:54 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.16) xenial-security; urgency=medium
* SECURITY UPDATE: ECDSA remote timing attack
- debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or
zero cofactor, compute it in crypto/ec/ec.h, crypto/ec/ec_err.c,
crypto/ec/ec_lib.c.
- CVE-2019-1547
* SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
- debian/patches/CVE-2019-1551.patch: fix an overflow bug in
rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl.
- CVE-2019-1551
* SECURITY UPDATE: Padding Oracle issue
- debian/patches/CVE-2019-1563.patch: fix a padding oracle in
PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c,
crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c,
crypto/pkcs7/pk7_doit.c.
- CVE-2019-1563
-- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:17:49 -0400
Available diffs
openssl (1.1.1c-1ubuntu4.1) eoan-security; urgency=medium
* SECURITY UPDATE: ECDSA remote timing attack
- debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or
zero cofactor, compute it in crypto/ec/ec_lib.c.
- CVE-2019-1547
* SECURITY UPDATE: Fork Protection
- debian/patches/CVE-2019-1549.patch: ensure fork-safety without using
a pthread_atfork handler in crypto/include/internal/rand_int.h,
crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h,
crypto/rand/rand_lib.c, crypto/threads_none.c,
crypto/threads_pthread.c, crypto/threads_win.c,
include/internal/cryptlib.h, test/drbgtest.c.
- CVE-2019-1549
* SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
- debian/patches/CVE-2019-1551.patch: fix an overflow bug in
rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl.
- CVE-2019-1551
* SECURITY UPDATE: Padding Oracle issue
- debian/patches/CVE-2019-1563.patch: fix a padding oracle in
PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c,
crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c,
crypto/pkcs7/pk7_doit.c.
- CVE-2019-1563
-- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:04:47 -0400
Available diffs
| Superseded in groovy-release |
| Published in focal-release |
| Deleted in focal-proposed (Reason: moved to Release) |
openssl (1.1.1f-1ubuntu2) focal; urgency=medium
* SECURITY UPDATE: Segmentation fault in SSL_check_chain
- debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in
test/recipes/70-test_sslsigalgs.t.
- debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in
SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c.
- debian/patches/CVE-2020-1967-3.patch: fix test in
test/recipes/70-test_sslsigalgs.t.
- debian/patches/CVE-2020-1967-4.patch: fix test in
test/recipes/70-test_sslsigalgs.t.
- CVE-2020-1967
-- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 07:53:50 -0400
Available diffs
openssl (1.1.1f-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
and ECC from master.
- Use perl:native in the autopkgtest for installability on i386.
- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
Available diffs
openssl (1.1.1d-2ubuntu6) focal; urgency=medium * Revert version number change to 1.1.1e-dev.
Available diffs
- diff from 1.1.1d-2ubuntu3 to 1.1.1d-2ubuntu6 (1.3 MiB)
- diff from 1.1.1d-2ubuntu5 to 1.1.1d-2ubuntu6 (909 bytes)
| Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu5) focal; urgency=medium * Revert version number change to 1.1.1e-dev.
Available diffs
- diff from 1.1.1d-2ubuntu4 to 1.1.1d-2ubuntu5 (871 bytes)
| Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu4) focal; urgency=medium * Apply 1_1_1-stable branch patches * Apply s390x ECC assembly pack improvements -- Dimitri John Ledkov <email address hidden> Wed, 26 Feb 2020 21:54:47 +0000
Available diffs
openssl (1.1.1d-2ubuntu3) focal; urgency=medium * Use perl:native in the autopkgtest for installability on i386.
Available diffs
- diff from 1.1.1c-1ubuntu4 to 1.1.1d-2ubuntu3 (220.5 KiB)
- diff from 1.1.1d-2ubuntu2 to 1.1.1d-2ubuntu3 (465 bytes)
| Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu2) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
from master.
* Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
below 1.2 and update documentation. Previous default of 1, can be set
by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
using ':@SECLEVEL=1' CipherString value in openssl.cfg.
-- Dimitri John Ledkov <email address hidden> Wed, 08 Jan 2020 17:17:41 +0000
Available diffs
- diff from 1.1.1d-2ubuntu1 to 1.1.1d-2ubuntu2 (14.1 KiB)
| Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
+ Bump version check to to 1.1.1.
+ Import libraries/restart-without-asking template as used by above.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Reword the NEWS entry, as applicable on Ubuntu.
- Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
from master.
* Set TLS 1.2 as compiled-in minimum protocol version for TLS
context. TLS 1.0 and 1.1 can be enabled again by calling
SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version(), or
setting MinProtocol in the openssl.cfg. LP: #1856428
* Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
level. Previous default of 1, can be set by calling
SSL_CTX_set_security_level(), SSL_set_security_level() or using
':@SECLEVEL=1' CipherString value in openssl.cfg.
Available diffs
- diff from 1.1.1c-1ubuntu4 to 1.1.1d-2ubuntu1 (227.8 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.5) bionic-security; urgency=medium
* debian/patches/OPENSSL_malloc_init_hang.patch: make
OPENSSL_malloc_init() a no-op to remove a potential infinite loop that
can occur in some situations, such as with MySQL 5.7 on s390x.
-- Marc Deslauriers <email address hidden> Tue, 12 Nov 2019 11:58:35 -0500
| Superseded in focal-release |
| Obsolete in eoan-release |
| Deleted in eoan-proposed (Reason: moved to release) |
openssl (1.1.1c-1ubuntu4) eoan; urgency=medium
* Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20
from master. LP: #1736705 LP: #1736704
-- Dimitri John Ledkov <email address hidden> Tue, 20 Aug 2019 12:46:33 +0100
Available diffs
- diff from 1.1.1c-1ubuntu3 to 1.1.1c-1ubuntu4 (48.5 KiB)
| Superseded in bionic-security |
| Superseded in bionic-updates |
| Deleted in bionic-proposed (Reason: moved to -updates) |
openssl (1.1.1-1ubuntu2.1~18.04.4) bionic; urgency=medium
* Import libraries/restart-without-asking as used in postinst, to
prevent failure to configure the package without debconf database.
LP: #1832919
-- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:36:28 +0100
| Obsolete in cosmic-proposed |
openssl (1.1.1-1ubuntu2.5) cosmic; urgency=medium
* Import libraries/restart-without-asking as used in postinst, to
prevent failure to configure the package without debconf database.
LP: #1832919
-- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:34:53 +0100
Available diffs
openssl (1.1.1b-1ubuntu2.4) disco; urgency=medium
* Import libraries/restart-without-asking as used in postinst, to
prevent failure to configure the package without debconf database.
LP: #1832919
-- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:31:25 +0100
Available diffs
openssl (1.1.1c-1ubuntu3) eoan; urgency=medium
* Import libraries/restart-without-asking as used in postinst, to
prevent failure to configure the package without debconf database. LP:
#1832919
-- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 17:59:55 +0100
Available diffs
- diff from 1.1.1c-1ubuntu2 to 1.1.1c-1ubuntu3 (17.8 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.3) bionic; urgency=medium * Fix path to Xorg for reboot notifications on desktop. LP: #1832421 * Cherrypick upstream fix to allow succesful init of libssl and libcrypto using separate calls with different options. LP: #1832659 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:50:28 +0100
| Superseded in cosmic-proposed |
openssl (1.1.1-1ubuntu2.4) cosmic; urgency=medium
* Bump major version of OpenSSL in postinst to trigger services restart
upon upgrade. Many services listed there must be restarted when
upgrading 1.1.0 to 1.1.1. LP: #1832522
* Fix path to Xorg for reboot notifications on desktop. LP: #1832421
* Cherrypick upstream fix to allow succesful init of libssl and
libcrypto using separate calls with different options. LP: #1832659
-- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:27:38 +0100
| Superseded in disco-proposed |
openssl (1.1.1b-1ubuntu2.3) disco; urgency=medium
* Bump major version of OpenSSL in postinst to trigger services restart
upon upgrade. Many services listed there must be restarted when
upgrading 1.1.0 to 1.1.1. LP: #1832522
* Fix path to Xorg for reboot notifications on desktop. LP: #1832421
-- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:02:34 +0100
Available diffs
- diff from 1.1.1b-1ubuntu2.2 to 1.1.1b-1ubuntu2.3 (998 bytes)
openssl (1.1.1c-1ubuntu2) eoan; urgency=medium
* Bump major version of OpenSSL in postinst to trigger services restart
upon upgrade. Many services listed there must be restarted when
upgrading 1.1.0 to 1.1.1. LP: #1832522
* Fix path to Xorg for reboot notifications on desktop. LP: #1832421
-- Dimitri John Ledkov <email address hidden> Thu, 13 Jun 2019 15:29:07 +0100
Available diffs
- diff from 1.1.1b-2ubuntu1 to 1.1.1c-1ubuntu2 (759.1 KiB)
- diff from 1.1.1c-1ubuntu1 to 1.1.1c-1ubuntu2 (981 bytes)
openssl (1.1.1-1ubuntu2.1~18.04.2) bionic; urgency=medium
* Cherrypick upstream patch to fix ca -spkac output to be text again.
LP: #1828215
* Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
CVE-2019-1543
* Bump major version of OpenSSL in postinst to trigger services restart
upon upgrade. Many services listed there must be restarted when
upgrading 1.1.0 to 1.1.1. LP: #1832522
-- Dimitri John Ledkov <email address hidden> Wed, 12 Jun 2019 00:12:47 +0100
| Superseded in cosmic-proposed |
openssl (1.1.1-1ubuntu2.3) cosmic; urgency=medium
* Cherrypick upstream patch to fix ca -spkac output to be text again.
LP: #1828215
* Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
CVE-2019-1543
-- Dimitri John Ledkov <email address hidden> Wed, 12 Jun 2019 00:09:23 +0100
Available diffs
| Superseded in disco-proposed |
openssl (1.1.1b-1ubuntu2.2) disco; urgency=medium
* Cherrypick upstream patch to fix ca -spkac output to be text again.
LP: #1828215
* Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
CVE-2019-1543
-- Dimitri John Ledkov <email address hidden> Tue, 11 Jun 2019 23:35:36 +0100
Available diffs
| Superseded in eoan-proposed |
openssl (1.1.1c-1ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Drop the NEWS entry, not applicable on Ubuntu.
* Cherrypick upstream patch to fix ca -spkac output to be text again
LP: #1828215
Available diffs
- diff from 1.1.1b-2ubuntu1 to 1.1.1c-1ubuntu1 (758.5 KiB)
openssl (1.1.1b-1ubuntu2.1) disco; urgency=medium * SRU the below two regressions fixes from Debian LP: #1825212 - Fix BUF_MEM regression (Closes: #923516) - Fix error when config can't be opened (Closes: #926315) -- Dimitri John Ledkov <email address hidden> Wed, 17 Apr 2019 17:50:04 +0100
Available diffs
openssl (1.1.1b-2ubuntu1) devel; urgency=medium
* Merge from Debian unstable, remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Drop the NEWS entry, not applicable on Ubuntu.
Available diffs
openssl (1.1.1-1ubuntu2.2) cosmic; urgency=medium
* debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898
* Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch
to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984
-- Dimitri John Ledkov <email address hidden> Wed, 03 Apr 2019 20:37:01 +0100
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.1) bionic; urgency=medium * Backport OpenSSL 1.1.1 to 18.04 LTS. LP: #1797386 * Adjust Breaks on versions published in bionic-release.
Available diffs
- diff from 1.1.0g-2ubuntu4.3 (in ~ubuntu-security-proposed/ubuntu/ppa) to 1.1.1-1ubuntu2.1~18.04.1 (6.1 MiB)
- diff from 1.1.0g-2ubuntu4 (in Ubuntu) to 1.1.1-1ubuntu2.1~18.04.1 (6.0 MiB)
- diff from 1.1.1-1ubuntu2.1~18.04.0 (in ~ci-train-ppa-service/ubuntu/3473-deletedppa) to 1.1.1-1ubuntu2.1~18.04.1 (1.1 KiB)
| Superseded in eoan-release |
| Obsolete in disco-release |
| Deleted in disco-proposed (Reason: moved to release) |
openssl (1.1.1b-1ubuntu2) disco; urgency=medium
* debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898
* Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch
to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984
-- Dimitri John Ledkov <email address hidden> Wed, 03 Apr 2019 11:50:23 +0100
Available diffs
openssl (1.1.1b-1ubuntu1) disco; urgency=medium
* Merge from Debian unstable, remaining changes:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Further decrease security level from 1 to 0, for compatibility with
openssl 1.0.2.
- Drop the NEWS entry, not applicable on Ubuntu.
Available diffs
- diff from 1.1.1a-1ubuntu2 to 1.1.1b-1ubuntu1 (145.6 KiB)
openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium
* SECURITY UPDATE: 0-byte record padding oracle
- debian/patches/CVE-2019-1559.patch: go into the error state if a
fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c.
- CVE-2019-1559
-- Marc Deslauriers <email address hidden> Tue, 26 Feb 2019 13:16:01 -0500
Available diffs
openssl (1.1.0g-2ubuntu4.3) bionic-security; urgency=medium
* SECURITY UPDATE: PortSmash side channel attack
- debian/patches/CVE-2018-5407-*.patch: add large number of upstream
commits to resolve this issue.
- CVE-2018-5407
* SECURITY UPDATE: timing side channel attack in DSA
- debian/patches/CVE-2018-0734-1.patch: fix mod inverse in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-2.patch: fix timing vulnerability in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
crypto/dsa/dsa_ossl.c.
- CVE-2018-0734
* SECURITY UPDATE: timing side channel attack in ECDSA
- debian/patches/CVE-2018-0735-1.patch: fix timing vulberability in
crypto/ec/ec_mult.c.
- debian/patches/CVE-2018-0735-2.patch: remove brace from bad
cherry-pick in crypto/ec/ec_mult.c.
- CVE-2018-0735
-- Marc Deslauriers <email address hidden> Wed, 05 Dec 2018 10:59:52 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.27) trusty-security; urgency=medium
* SECURITY UPDATE: PortSmash side channel attack
- debian/patches/CVE-2018-5407.patch: fix timing vulnerability in
crypto/bn/bn_lib.c, crypto/ec/ec_mult.c.
- CVE-2018-5407
* SECURITY UPDATE: timing side channel attack in DSA
- debian/patches/CVE-2018-0734-pre1.patch: address a timing side
channel in crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-2.patch: fix mod inverse in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
crypto/dsa/dsa_ossl.c.
- CVE-2018-0734
-- Marc Deslauriers <email address hidden> Tue, 04 Dec 2018 10:36:19 -0500
Available diffs
| 76 → 150 of 481 results | First • Previous • Next • Last |
