Change log for openssl package in Ubuntu
76 → 150 of 481 results | First • Previous • Next • Last |
openssl (1.1.1-1ubuntu2.1~18.04.14) bionic; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:50:16 +0100
openssl (1.1.1f-1ubuntu2.10) focal; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 14:20:48 +0100
Available diffs
openssl (1.1.1j-1ubuntu3.6) hirsute; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 11:32:57 +0100
Available diffs
openssl (1.1.1l-1ubuntu1.1) impish; urgency=medium * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943) -- Julian Andres Klode <email address hidden> Wed, 24 Nov 2021 10:53:29 +0100
Available diffs
openssl (3.0.0-1ubuntu1) jammy; urgency=medium * Manual merge of version 3.0.0-1 from Debian experimental, remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Add support for building with noudeb build profile. * d/p/Don-t-create-an-ECX-key-with-short-keys.patch: Backported from upstream to fix a regression with short keys (LP: #1946213) * d/p/Add-null-digest-implementation-to-the-default-provid.patch: Backported from upstream to fix a compatibility issue with 1.1.1l * Manually call dh_installdirs to fix build failure * Drop some Ubuntu patches merged upstream + The s390x series (00xx) has been applied upstream + The lp-1927161 Intel CET series has been applied upstream + CVE-2021-3449 has been fixed upstream + CVE-2021-3450 doesn't apply to 3.0 branch * Refresh and adapt the remaining patches
Available diffs
- diff from 1.1.1l-1ubuntu1 to 3.0.0-1ubuntu1 (12.7 MiB)
Superseded in jammy-release |
Obsolete in impish-release |
Deleted in impish-proposed (Reason: Moved to impish) |
openssl (1.1.1l-1ubuntu1) impish; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. - Add support for building with noudeb build profile. * Dropped changes: - Cherry-pick an upstream patch to fix s390x AES code
Available diffs
- diff from 1.1.1k-1ubuntu1 to 1.1.1l-1ubuntu1 (47.9 KiB)
openssl (1.1.1f-1ubuntu2.9) focal; urgency=medium * Cherry-pick stable patches to fix potential use-after-free. LP: #1940656 -- Dimitri John Ledkov <email address hidden> Wed, 25 Aug 2021 02:13:44 +0100
Available diffs
openssl (1.1.1j-1ubuntu3.5) hirsute-security; urgency=medium * SECURITY UPDATE: SM2 Decryption Buffer Overflow - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h, test/sm2_internal_test.c. - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt. - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c. - CVE-2021-3711 * SECURITY UPDATE: Read buffer overrun in X509_aux_print() - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c. - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, include/crypto/x509.h. - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c. - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c. - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c. - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c. - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c. - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c. - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - CVE-2021-3712 -- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.13) bionic-security; urgency=medium * SECURITY UPDATE: SM2 Decryption Buffer Overflow - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, crypto/include/internal/sm2.h, test/sm2_internal_test.c. - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt. - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c. - CVE-2021-3711 * SECURITY UPDATE: Read buffer overrun in X509_aux_print() - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c. - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, crypto/include/internal/x509_int.h. - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c. - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c. - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c. - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c. - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c. - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c. - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - CVE-2021-3712 -- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
openssl (1.1.1f-1ubuntu2.8) focal-security; urgency=medium * SECURITY UPDATE: SM2 Decryption Buffer Overflow - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c, crypto/sm2/sm2_pmeth.c, include/crypto/sm2.h, test/sm2_internal_test.c. - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption in test/recipes/30-test_evp_data/evppkey.txt. - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c. - CVE-2021-3711 * SECURITY UPDATE: Read buffer overrun in X509_aux_print() - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in X509_aux_print() in crypto/x509/t_x509.c. - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_alt.c, crypto/x509v3/v3_utl.c, include/crypto/x509.h. - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not assume NUL terminated strings in crypto/x509v3/v3_cpols.c. - debian/patches/CVE-2021-3712-4.patch: fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in crypto/x509v3/v3_pci.c. - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL terminated strings in test/x509_time_test.c. - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print function to not assume NUL terminated strings in crypto/asn1/t_spki.c. - debian/patches/CVE-2021-3712-9.patch: fix EC_GROUP_new_from_ecparameters to check the base length in crypto/ec/ec_asn1.c. - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-11.patch: fix the error handling in i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c. - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect string overruns in crypto/asn1/asn1_lib.c. - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c. - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not assume NUL terminated strings in crypto/x509v3/v3_utl.c. - CVE-2021-3712 -- Marc Deslauriers <email address hidden> Mon, 23 Aug 2021 13:02:39 -0400
Available diffs
openssl (1.1.1k-1ubuntu1) impish; urgency=low * Merge from Debian unstable (LP: #1939544). Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. - Add support for building with noudeb build profile. * Dropped changes, superseded upstream: - SECURITY UPDATE: NULL pointer deref in signature_algorithms processing -> CVE-2021-3449 - SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT -> CVE-2021-3450
Available diffs
- diff from 1.1.1j-1ubuntu5 to 1.1.1k-1ubuntu1 (14.6 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.10) bionic; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
openssl (1.1.1f-1ubuntu2.5) focal; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
Available diffs
openssl (1.1.1j-1ubuntu3.2) hirsute; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
Available diffs
openssl (1.1.1j-1ubuntu5) impish; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) -- Simon Chopin <email address hidden> Fri, 23 Jul 2021 14:32:42 +0200
Available diffs
Published in xenial-security |
Published in xenial-updates |
Deleted in xenial-proposed (Reason: moved to -updates) |
openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt connection with the default chain remains trusted even after the expiry of the redundant CA certificate. LP: #1928989 -- Dimitri John Ledkov <email address hidden> Mon, 28 Jun 2021 14:05:36 +0100
Available diffs
openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254) - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch -- Matthew Ruffell <email address hidden> Wed, 28 Apr 2021 12:37:28 +1200
Available diffs
openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254) - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161) - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch -- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:13:30 +1200
Available diffs
Superseded in hirsute-proposed |
openssl (1.1.1j-1ubuntu3.1) hirsute; urgency=medium * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161) - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch -- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:00:54 +1200
Available diffs
openssl (1.1.1j-1ubuntu4) impish; urgency=medium * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161) - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch -- Matthew Ruffell <email address hidden> Wed, 05 May 2021 11:49:27 +1200
Available diffs
Superseded in impish-release |
Obsolete in hirsute-release |
Deleted in hirsute-proposed (Reason: Moved to hirsute) |
openssl (1.1.1j-1ubuntu3) hirsute; urgency=medium * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c. - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm. - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t. - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c. - CVE-2021-3449 * SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT - debian/patches/CVE-2021-3450-1.patch: do not override error return value by check_curve in crypto/x509/x509_vfy.c, test/verify_extra_test.c. - debian/patches/CVE-2021-3450-2.patch: fix return code check in crypto/x509/x509_vfy.c. - CVE-2021-3450 -- Marc Deslauriers <email address hidden> Thu, 25 Mar 2021 11:44:30 -0400
Available diffs
Superseded in hirsute-proposed |
openssl (1.1.1j-1ubuntu2) hirsute; urgency=medium * No-change upload to pick up lto. -- Matthias Klose <email address hidden> Tue, 23 Mar 2021 15:24:20 +0100
Available diffs
- diff from 1.1.1j-1ubuntu1 to 1.1.1j-1ubuntu2 (320 bytes)
openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c. - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm. - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t. - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c. - CVE-2021-3449 -- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:42:42 -0400
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c. - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm. - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t. - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c. - CVE-2021-3449 -- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:37:17 -0400
Available diffs
openssl (1.1.1f-1ubuntu4.3) groovy-security; urgency=medium * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in ssl/statem/extensions.c. - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm. - debian/patches/CVE-2021-3449-3.patch: add a test to test/recipes/70-test_renegotiation.t. - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c, ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c. - CVE-2021-3449 -- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:33:17 -0400
Available diffs
openssl (1.1.1j-1ubuntu1) hirsute; urgency=medium * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. * Add support for building with noudeb build profile.
Available diffs
- diff from 1.1.1f-1ubuntu5 to 1.1.1j-1ubuntu1 (182.8 KiB)
- diff from 1.1.1i-3ubuntu2 to 1.1.1j-1ubuntu1 (37.3 KiB)
openssl (1.0.1-4ubuntu5.45) precise-security; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/DirectoryString-is-a-CHOICE-type-and-therefore-uses-expli.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/Check-that-multi-strings-CHOICE-types-don-t-use-implicit-.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h. - debian/patches/Complain-if-we-are-attempting-to-encode-with-an-invalid-A.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h. - CVE-2020-1971 * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c. - CVE-2021-23841 -- Avital Ostromich <email address hidden> Fri, 19 Feb 2021 17:38:20 -0500
Available diffs
Superseded in hirsute-proposed |
openssl (1.1.1i-3ubuntu2) hirsute; urgency=medium * No-change rebuild to drop the udeb package. -- Matthias Klose <email address hidden> Mon, 22 Feb 2021 10:35:47 +0100
Available diffs
- diff from 1.1.1i-3ubuntu1 to 1.1.1i-3ubuntu2 (331 bytes)
openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium * SECURITY UPDATE: Integer overflow in CipherUpdate - debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in crypto/evp/evp_err.c, crypto/evp/evp.h. - debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in crypto/evp/evp_err.c, crypto/evp/evp.h. - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/evp/evp_enc.c, crypto/evp/evp_err.c, crypto/evp/evp.h. - CVE-2021-23840 * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c. - CVE-2021-23841 -- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 08:14:40 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium * SECURITY UPDATE: Integer overflow in CipherUpdate - debian/patches/CVE-2021-23840-pre1.patch: add a new EVP error code in crypto/err/openssl.txt, crypto/evp/evp_err.c, include/openssl/evperr.h. - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h. - CVE-2021-23840 * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c. - CVE-2021-23841 -- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:35:54 -0500
openssl (1.1.1f-1ubuntu4.2) groovy-security; urgency=medium * SECURITY UPDATE: Integer overflow in CipherUpdate - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h. - CVE-2021-23840 * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c. - CVE-2021-23841 -- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:32:55 -0500
Available diffs
openssl (1.1.1f-1ubuntu2.2) focal-security; urgency=medium * SECURITY UPDATE: Integer overflow in CipherUpdate - debian/patches/CVE-2021-23840.patch: don't overflow the output length in EVP_CipherUpdate calls in crypto/err/openssl.txt, crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h. - CVE-2021-23840 * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in crypto/x509/x509_cmp.c. - CVE-2021-23841 -- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:35:54 -0500
Available diffs
Superseded in hirsute-proposed |
openssl (1.1.1i-3ubuntu1) hirsute; urgency=medium * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers, unless needrestart is available. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Skip services restart & reboot notification if needrestart is in-use. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. - Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. * Drop many patches included upstream.
Available diffs
- diff from 1.1.1f-1ubuntu5 to 1.1.1i-3ubuntu1 (171.0 KiB)
openssl (1.1.1f-1ubuntu5) hirsute; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c. - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c. - CVE-2020-1971 -- Marc Deslauriers <email address hidden> Tue, 08 Dec 2020 12:33:52 -0500
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.7) bionic-security; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c. - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c. - CVE-2020-1971 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:54:45 -0500
openssl (1.1.1f-1ubuntu2.1) focal-security; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c. - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c. - CVE-2020-1971 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:52:44 -0500
Available diffs
openssl (1.1.1f-1ubuntu4.1) groovy-security; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/err/openssl.txt, include/openssl/asn1err.h. - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in test/v3nametest.c. - debian/patches/CVE-2020-1971-6.patch: add a test for encoding/decoding using an invalid ASN.1 Template in test/asn1_decode_test.c, test/asn1_encode_test.c. - CVE-2020-1971 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:43:55 -0500
Available diffs
openssl (1.0.2g-1ubuntu4.18) xenial-security; urgency=medium * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for DirectoryString in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName in crypto/x509v3/v3_genn.c. - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE types don't use implicit tagging in crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h. - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h. - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp in crypto/x509v3/v3nametest.c. - CVE-2020-1971 -- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 10:43:58 -0500
Available diffs
Superseded in hirsute-release |
Obsolete in groovy-release |
Deleted in groovy-proposed (Reason: moved to Release) |
openssl (1.1.1f-1ubuntu4) groovy; urgency=medium * Cherrypick upstream fix for non-interactive detection on Linux. LP: #1879826 * Cherrypick AES CTR-DRGB: performance improvement LP: #1799928 * Skip services restart & reboot notification if needrestart is in-use LP: #1895708 -- Dimitri John Ledkov <email address hidden> Tue, 15 Sep 2020 18:04:36 +0100
Available diffs
openssl (1.0.2g-1ubuntu4.17) xenial-security; urgency=medium * SECURITY UPDATE: Raccoon Attack - debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the DH secret across multiple TLS connections in ssl/s3_lib.c. - CVE-2020-1968 -- Marc Deslauriers <email address hidden> Tue, 15 Sep 2020 14:13:51 -0400
Available diffs
openssl (1.1.1f-1ubuntu3) groovy; urgency=medium * Import https://github.com/openssl/openssl/pull/12272.patch to enable CET. -- Dimitri John Ledkov <email address hidden> Thu, 25 Jun 2020 14:18:43 +0100
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.6) bionic-security; urgency=medium * SECURITY UPDATE: ECDSA remote timing attack - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or zero cofactor, compute it in crypto/ec/ec_lib.c. - CVE-2019-1547 * SECURITY UPDATE: Fork Protection - debian/patches/CVE-2019-1549.patch: ensure fork-safety without using a pthread_atfork handler in crypto/include/internal/rand_int.h, crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h, crypto/rand/rand_lib.c, crypto/threads_none.c, crypto/threads_pthread.c, crypto/threads_win.c, include/internal/cryptlib.h, test/drbgtest.c. - CVE-2019-1549 * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 - debian/patches/CVE-2019-1551.patch: fix an overflow bug in rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. - CVE-2019-1551 * SECURITY UPDATE: Padding Oracle issue - debian/patches/CVE-2019-1563.patch: fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, crypto/pkcs7/pk7_doit.c. - CVE-2019-1563 -- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:15:54 -0400
Available diffs
openssl (1.0.2g-1ubuntu4.16) xenial-security; urgency=medium * SECURITY UPDATE: ECDSA remote timing attack - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or zero cofactor, compute it in crypto/ec/ec.h, crypto/ec/ec_err.c, crypto/ec/ec_lib.c. - CVE-2019-1547 * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 - debian/patches/CVE-2019-1551.patch: fix an overflow bug in rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. - CVE-2019-1551 * SECURITY UPDATE: Padding Oracle issue - debian/patches/CVE-2019-1563.patch: fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, crypto/pkcs7/pk7_doit.c. - CVE-2019-1563 -- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:17:49 -0400
Available diffs
openssl (1.1.1c-1ubuntu4.1) eoan-security; urgency=medium * SECURITY UPDATE: ECDSA remote timing attack - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or zero cofactor, compute it in crypto/ec/ec_lib.c. - CVE-2019-1547 * SECURITY UPDATE: Fork Protection - debian/patches/CVE-2019-1549.patch: ensure fork-safety without using a pthread_atfork handler in crypto/include/internal/rand_int.h, crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h, crypto/rand/rand_lib.c, crypto/threads_none.c, crypto/threads_pthread.c, crypto/threads_win.c, include/internal/cryptlib.h, test/drbgtest.c. - CVE-2019-1549 * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 - debian/patches/CVE-2019-1551.patch: fix an overflow bug in rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. - CVE-2019-1551 * SECURITY UPDATE: Padding Oracle issue - debian/patches/CVE-2019-1563.patch: fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, crypto/pkcs7/pk7_doit.c. - CVE-2019-1563 -- Marc Deslauriers <email address hidden> Wed, 27 May 2020 15:04:47 -0400
Available diffs
Superseded in groovy-release |
Published in focal-release |
Deleted in focal-proposed (Reason: moved to Release) |
openssl (1.1.1f-1ubuntu2) focal; urgency=medium * SECURITY UPDATE: Segmentation fault in SSL_check_chain - debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in test/recipes/70-test_sslsigalgs.t. - debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c. - debian/patches/CVE-2020-1967-3.patch: fix test in test/recipes/70-test_sslsigalgs.t. - debian/patches/CVE-2020-1967-4.patch: fix test in test/recipes/70-test_sslsigalgs.t. - CVE-2020-1967 -- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 07:53:50 -0400
Available diffs
openssl (1.1.1f-1ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 and ECC from master. - Use perl:native in the autopkgtest for installability on i386. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
Available diffs
openssl (1.1.1d-2ubuntu6) focal; urgency=medium * Revert version number change to 1.1.1e-dev.
Available diffs
- diff from 1.1.1d-2ubuntu3 to 1.1.1d-2ubuntu6 (1.3 MiB)
- diff from 1.1.1d-2ubuntu5 to 1.1.1d-2ubuntu6 (909 bytes)
Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu5) focal; urgency=medium * Revert version number change to 1.1.1e-dev.
Available diffs
- diff from 1.1.1d-2ubuntu4 to 1.1.1d-2ubuntu5 (871 bytes)
Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu4) focal; urgency=medium * Apply 1_1_1-stable branch patches * Apply s390x ECC assembly pack improvements -- Dimitri John Ledkov <email address hidden> Wed, 26 Feb 2020 21:54:47 +0000
Available diffs
openssl (1.1.1d-2ubuntu3) focal; urgency=medium * Use perl:native in the autopkgtest for installability on i386.
Available diffs
- diff from 1.1.1c-1ubuntu4 to 1.1.1d-2ubuntu3 (220.5 KiB)
- diff from 1.1.1d-2ubuntu2 to 1.1.1d-2ubuntu3 (465 bytes)
Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu2) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 from master. * Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions below 1.2 and update documentation. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg. -- Dimitri John Ledkov <email address hidden> Wed, 08 Jan 2020 17:17:41 +0000
Available diffs
- diff from 1.1.1d-2ubuntu1 to 1.1.1d-2ubuntu2 (14.1 KiB)
Superseded in focal-proposed |
openssl (1.1.1d-2ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. + Bump version check to to 1.1.1. + Import libraries/restart-without-asking template as used by above. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Reword the NEWS entry, as applicable on Ubuntu. - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 from master. * Set TLS 1.2 as compiled-in minimum protocol version for TLS context. TLS 1.0 and 1.1 can be enabled again by calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version(), or setting MinProtocol in the openssl.cfg. LP: #1856428 * Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security level. Previous default of 1, can be set by calling SSL_CTX_set_security_level(), SSL_set_security_level() or using ':@SECLEVEL=1' CipherString value in openssl.cfg.
Available diffs
- diff from 1.1.1c-1ubuntu4 to 1.1.1d-2ubuntu1 (227.8 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.5) bionic-security; urgency=medium * debian/patches/OPENSSL_malloc_init_hang.patch: make OPENSSL_malloc_init() a no-op to remove a potential infinite loop that can occur in some situations, such as with MySQL 5.7 on s390x. -- Marc Deslauriers <email address hidden> Tue, 12 Nov 2019 11:58:35 -0500
Superseded in focal-release |
Obsolete in eoan-release |
Deleted in eoan-proposed (Reason: moved to release) |
openssl (1.1.1c-1ubuntu4) eoan; urgency=medium * Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 from master. LP: #1736705 LP: #1736704 -- Dimitri John Ledkov <email address hidden> Tue, 20 Aug 2019 12:46:33 +0100
Available diffs
- diff from 1.1.1c-1ubuntu3 to 1.1.1c-1ubuntu4 (48.5 KiB)
Superseded in bionic-security |
Superseded in bionic-updates |
Deleted in bionic-proposed (Reason: moved to -updates) |
openssl (1.1.1-1ubuntu2.1~18.04.4) bionic; urgency=medium * Import libraries/restart-without-asking as used in postinst, to prevent failure to configure the package without debconf database. LP: #1832919 -- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:36:28 +0100
Obsolete in cosmic-proposed |
openssl (1.1.1-1ubuntu2.5) cosmic; urgency=medium * Import libraries/restart-without-asking as used in postinst, to prevent failure to configure the package without debconf database. LP: #1832919 -- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:34:53 +0100
Available diffs
openssl (1.1.1b-1ubuntu2.4) disco; urgency=medium * Import libraries/restart-without-asking as used in postinst, to prevent failure to configure the package without debconf database. LP: #1832919 -- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 18:31:25 +0100
Available diffs
openssl (1.1.1c-1ubuntu3) eoan; urgency=medium * Import libraries/restart-without-asking as used in postinst, to prevent failure to configure the package without debconf database. LP: #1832919 -- Dimitri John Ledkov <email address hidden> Thu, 20 Jun 2019 17:59:55 +0100
Available diffs
- diff from 1.1.1c-1ubuntu2 to 1.1.1c-1ubuntu3 (17.8 KiB)
openssl (1.1.1-1ubuntu2.1~18.04.3) bionic; urgency=medium * Fix path to Xorg for reboot notifications on desktop. LP: #1832421 * Cherrypick upstream fix to allow succesful init of libssl and libcrypto using separate calls with different options. LP: #1832659 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:50:28 +0100
Superseded in cosmic-proposed |
openssl (1.1.1-1ubuntu2.4) cosmic; urgency=medium * Bump major version of OpenSSL in postinst to trigger services restart upon upgrade. Many services listed there must be restarted when upgrading 1.1.0 to 1.1.1. LP: #1832522 * Fix path to Xorg for reboot notifications on desktop. LP: #1832421 * Cherrypick upstream fix to allow succesful init of libssl and libcrypto using separate calls with different options. LP: #1832659 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:27:38 +0100
Superseded in disco-proposed |
openssl (1.1.1b-1ubuntu2.3) disco; urgency=medium * Bump major version of OpenSSL in postinst to trigger services restart upon upgrade. Many services listed there must be restarted when upgrading 1.1.0 to 1.1.1. LP: #1832522 * Fix path to Xorg for reboot notifications on desktop. LP: #1832421 -- Dimitri John Ledkov <email address hidden> Fri, 14 Jun 2019 13:02:34 +0100
Available diffs
- diff from 1.1.1b-1ubuntu2.2 to 1.1.1b-1ubuntu2.3 (998 bytes)
openssl (1.1.1c-1ubuntu2) eoan; urgency=medium * Bump major version of OpenSSL in postinst to trigger services restart upon upgrade. Many services listed there must be restarted when upgrading 1.1.0 to 1.1.1. LP: #1832522 * Fix path to Xorg for reboot notifications on desktop. LP: #1832421 -- Dimitri John Ledkov <email address hidden> Thu, 13 Jun 2019 15:29:07 +0100
Available diffs
- diff from 1.1.1b-2ubuntu1 to 1.1.1c-1ubuntu2 (759.1 KiB)
- diff from 1.1.1c-1ubuntu1 to 1.1.1c-1ubuntu2 (981 bytes)
openssl (1.1.1-1ubuntu2.1~18.04.2) bionic; urgency=medium * Cherrypick upstream patch to fix ca -spkac output to be text again. LP: #1828215 * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305 CVE-2019-1543 * Bump major version of OpenSSL in postinst to trigger services restart upon upgrade. Many services listed there must be restarted when upgrading 1.1.0 to 1.1.1. LP: #1832522 -- Dimitri John Ledkov <email address hidden> Wed, 12 Jun 2019 00:12:47 +0100
Superseded in cosmic-proposed |
openssl (1.1.1-1ubuntu2.3) cosmic; urgency=medium * Cherrypick upstream patch to fix ca -spkac output to be text again. LP: #1828215 * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305 CVE-2019-1543 -- Dimitri John Ledkov <email address hidden> Wed, 12 Jun 2019 00:09:23 +0100
Available diffs
Superseded in disco-proposed |
openssl (1.1.1b-1ubuntu2.2) disco; urgency=medium * Cherrypick upstream patch to fix ca -spkac output to be text again. LP: #1828215 * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305 CVE-2019-1543 -- Dimitri John Ledkov <email address hidden> Tue, 11 Jun 2019 23:35:36 +0100
Available diffs
Superseded in eoan-proposed |
openssl (1.1.1c-1ubuntu1) eoan; urgency=low * Merge from Debian unstable. Remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Drop the NEWS entry, not applicable on Ubuntu. * Cherrypick upstream patch to fix ca -spkac output to be text again LP: #1828215
Available diffs
- diff from 1.1.1b-2ubuntu1 to 1.1.1c-1ubuntu1 (758.5 KiB)
openssl (1.1.1b-1ubuntu2.1) disco; urgency=medium * SRU the below two regressions fixes from Debian LP: #1825212 - Fix BUF_MEM regression (Closes: #923516) - Fix error when config can't be opened (Closes: #926315) -- Dimitri John Ledkov <email address hidden> Wed, 17 Apr 2019 17:50:04 +0100
Available diffs
openssl (1.1.1b-2ubuntu1) devel; urgency=medium * Merge from Debian unstable, remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Drop the NEWS entry, not applicable on Ubuntu.
Available diffs
openssl (1.1.1-1ubuntu2.2) cosmic; urgency=medium * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898 * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984 -- Dimitri John Ledkov <email address hidden> Wed, 03 Apr 2019 20:37:01 +0100
Available diffs
openssl (1.1.1-1ubuntu2.1~18.04.1) bionic; urgency=medium * Backport OpenSSL 1.1.1 to 18.04 LTS. LP: #1797386 * Adjust Breaks on versions published in bionic-release.
Available diffs
- diff from 1.1.0g-2ubuntu4.3 (in ~ubuntu-security-proposed/ubuntu/ppa) to 1.1.1-1ubuntu2.1~18.04.1 (6.1 MiB)
- diff from 1.1.0g-2ubuntu4 (in Ubuntu) to 1.1.1-1ubuntu2.1~18.04.1 (6.0 MiB)
- diff from 1.1.1-1ubuntu2.1~18.04.0 (in ~ci-train-ppa-service/ubuntu/3473-deletedppa) to 1.1.1-1ubuntu2.1~18.04.1 (1.1 KiB)
Superseded in eoan-release |
Obsolete in disco-release |
Deleted in disco-proposed (Reason: moved to release) |
openssl (1.1.1b-1ubuntu2) disco; urgency=medium * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898 * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984 -- Dimitri John Ledkov <email address hidden> Wed, 03 Apr 2019 11:50:23 +0100
Available diffs
openssl (1.1.1b-1ubuntu1) disco; urgency=medium * Merge from Debian unstable, remaining changes: - Replace duplicate files in the doc directory with symlinks. - debian/libssl1.1.postinst: + Display a system restart required notification on libssl1.1 upgrade on servers. + Use a different priority for libssl1.1/restart-services depending on whether a desktop, or server dist-upgrade is being performed. - Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2". - Further decrease security level from 1 to 0, for compatibility with openssl 1.0.2. - Drop the NEWS entry, not applicable on Ubuntu.
Available diffs
- diff from 1.1.1a-1ubuntu2 to 1.1.1b-1ubuntu1 (145.6 KiB)
openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium * SECURITY UPDATE: 0-byte record padding oracle - debian/patches/CVE-2019-1559.patch: go into the error state if a fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c. - CVE-2019-1559 -- Marc Deslauriers <email address hidden> Tue, 26 Feb 2019 13:16:01 -0500
Available diffs
openssl (1.1.0g-2ubuntu4.3) bionic-security; urgency=medium * SECURITY UPDATE: PortSmash side channel attack - debian/patches/CVE-2018-5407-*.patch: add large number of upstream commits to resolve this issue. - CVE-2018-5407 * SECURITY UPDATE: timing side channel attack in DSA - debian/patches/CVE-2018-0734-1.patch: fix mod inverse in crypto/dsa/dsa_ossl.c. - debian/patches/CVE-2018-0734-2.patch: fix timing vulnerability in crypto/dsa/dsa_ossl.c. - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in crypto/dsa/dsa_ossl.c. - CVE-2018-0734 * SECURITY UPDATE: timing side channel attack in ECDSA - debian/patches/CVE-2018-0735-1.patch: fix timing vulberability in crypto/ec/ec_mult.c. - debian/patches/CVE-2018-0735-2.patch: remove brace from bad cherry-pick in crypto/ec/ec_mult.c. - CVE-2018-0735 -- Marc Deslauriers <email address hidden> Wed, 05 Dec 2018 10:59:52 -0500
Available diffs
openssl (1.0.1f-1ubuntu2.27) trusty-security; urgency=medium * SECURITY UPDATE: PortSmash side channel attack - debian/patches/CVE-2018-5407.patch: fix timing vulnerability in crypto/bn/bn_lib.c, crypto/ec/ec_mult.c. - CVE-2018-5407 * SECURITY UPDATE: timing side channel attack in DSA - debian/patches/CVE-2018-0734-pre1.patch: address a timing side channel in crypto/dsa/dsa_ossl.c. - debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in crypto/dsa/dsa_ossl.c. - debian/patches/CVE-2018-0734-2.patch: fix mod inverse in crypto/dsa/dsa_ossl.c. - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in crypto/dsa/dsa_ossl.c. - CVE-2018-0734 -- Marc Deslauriers <email address hidden> Tue, 04 Dec 2018 10:36:19 -0500
Available diffs
76 → 150 of 481 results | First • Previous • Next • Last |