Change logs for openssl source package in Bionic

  • openssl (1.1.1-1ubuntu2.1~18.04.23) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Possible DoS translating ASN.1 object identifiers
        - debian/patches/CVE-2023-2650.patch: restrict the size of OBJECT
          IDENTIFIERs that OBJ_obj2txt will translate in
          crypto/objects/obj_dat.c.
        - CVE-2023-2650
      * Replace CVE-2022-4304 fix with improved version
        - debian/patches/CVE-2022-4304.patch: remove previous fix.
        - debian/patches/CVE-2022-4304-1.patch: use alternative fix in
          crypto/bn/bn_asm.c, crypto/bn/bn_blind.c, crypto/bn/bn_lib.c,
          crypto/bn/bn_lcl.h, crypto/rsa/rsa_ossl.c.
        - debian/patches/CVE-2022-4304-2.patch: re-add
          BN_F_OSSL_BN_RSA_DO_UNBLIND which was incorrectly removed in
          include/openssl/bnerr.h.
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 May 2023 13:14:51 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.22) bionic-security; urgency=medium
    
      * SECURITY UPDATE: excessive resource use when verifying policy constraints
        - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
          in a policy tree (the default limit is set to 1000 nodes).
        - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
          resource overuse.
        - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
          exponential growth test conditionally.
        - CVE-2023-0464
      * SECURITY UPDATE: invalid certificate policies ignored in leaf certificates
        - debian/patches/CVE-2023-0465-1.patch: ensure that EXFLAG_INVALID_POLICY
          is checked even in leaf certs.
        - debian/patches/CVE-2023-0465-2.patch: generate some certificates with
          the certificatePolicies extension.
        - debian/patches/CVE-2023-0465-3.patch: add a certificate policies test.
        - CVE-2023-0466
      * SECURITY UPDATE: certificate policy check in X509_VERIFY_PARAM_add0_policy
        not enabled as documented
        - debian/patches/CVE-2023-0466.patch: fix documentation of
          X509_VERIFY_PARAM_add0_policy().
        - CVE-2023-0466
    
     -- Camila Camargo de Matos <email address hidden>  Mon, 17 Apr 2023 15:17:25 -0300
  • openssl (1.1.1-1ubuntu2.1~18.04.21) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Timing Oracle in RSA Decryption
        - debian/patches/CVE-2022-4304.patch: fix timing oracle in
          crypto/bn/bn_blind.c, crypto/bn/bn_err.c, crypto/bn/bn_lcl.h,
          crypto/bn/rsa_sup_mul.c, crypto/err/openssl.txt,
          crypto/rsa/rsa_ossl.c, include/openssl/bnerr.h,
          crypto/include/internal/bn_int.h, crypto/bn/build.info.
        - CVE-2022-4304
      * SECURITY UPDATE: Double free after calling PEM_read_bio_ex
        - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header
          and data params for PEM_read_bio_ex in crypto/pem/pem_lib.c.
        - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c.
        - CVE-2022-4450
      * SECURITY UPDATE: Use-after-free following BIO_new_NDEF
        - debian/patches/CVE-2023-0215-1.patch: fix a UAF resulting from a bug
          in BIO_new_NDEF in crypto/asn1/bio_ndef.c.
        - debian/patches/CVE-2023-0215-2.patch: check CMS failure during BIO
          setup with -stream is handled correctly in
          test/recipes/80-test_cms.t, test/smime-certs/badrsa.pem.
        - CVE-2023-0215
      * SECURITY UPDATE: X.400 address type confusion in X.509 GeneralName
        - debian/patches/CVE-2023-0286.patch: fix GENERAL_NAME_cmp for
          x400Address in crypto/x509/v3_genn.c, include/openssl/x509v3.h,
          test/v3nametest.c.
        - CVE-2023-0286
    
     -- Marc Deslauriers <email address hidden>  Mon, 06 Feb 2023 12:57:17 -0500
  • openssl (1.1.1-1ubuntu2.1~18.04.20) bionic-security; urgency=medium
    
      * SECURITY UPDATE: AES OCB fails to encrypt some bytes
        - debian/patches/CVE-2022-2097-1.patch: fix AES OCB encrypt/decrypt for
          x86 AES-NI in crypto/aes/asm/aesni-x86.pl.
        - debian/patches/CVE-2022-2097-2.patch: add AES OCB test vectors in
          test/recipes/30-test_evp_data/evpciph.txt.
        - CVE-2022-2097
    
     -- Marc Deslauriers <email address hidden>  Mon, 04 Jul 2022 07:25:51 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.19) bionic-security; urgency=medium
    
      [ Simon Chopin ]
      * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: c_rehash script allows command injection
        - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
          apply it before c_rehash-compat.patch.
        - debian/patches/CVE-2022-2068.patch: fix file operations in
          tools/c_rehash.in.
        - debian/patches/c_rehash-compat.patch: updated patch to apply after
          the security updates.
        - CVE-2022-2068
    
     -- Simon Chopin <email address hidden>  Tue, 14 Jun 2022 13:37:45 +0200
  • openssl (1.1.1-1ubuntu2.1~18.04.18) bionic; urgency=medium
    
      * Backport pr9780:
        - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch
        - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch
        (LP: #1940141)
    
     -- Bruce Elrick <email address hidden>  Mon, 09 May 2022 19:38:43 +0000
  • openssl (1.1.1-1ubuntu2.1~18.04.17) bionic-security; urgency=medium
    
      * SECURITY UPDATE: c_rehash script allows command injection
        - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
          openssl in tools/c_rehash.in.
        - CVE-2022-1292
      * NOTE: This package does _not_ contain the changes from
        1.1.1-1ubuntu2.1~18.04.16 in bionic-proposed.
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 May 2022 13:51:42 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.16) bionic; urgency=medium
    
      * Backport pr9780:
        - d/p/pr9780_0002-Teach-TLSProxy-how-to-parse-CertificateRequest-messa.patch
        - d/p/pr9780_0001-Don-t-send-a-status_request-extension-in-a-Certifica.patch
        (LP: #1940141)
    
     -- Bruce Elrick <email address hidden>  Wed, 16 Mar 2022 17:05:32 +0000
  • openssl (1.1.1-1ubuntu2.1~18.04.15) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
        - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in
          crypto/bn/bn_sqrt.c.
        - debian/patches/CVE-2022-0778-2.patch: add documentation of
          BN_mod_sqrt() in doc/man3/BN_add.pod.
        - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for
          BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
        - CVE-2022-0778
    
     -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2022 07:13:40 -0500
  • openssl (1.1.1-1ubuntu2.1~18.04.14) bionic; urgency=medium
    
      * Cherry-pick upstream fixes to prevent double engine loading (LP: #1951943)
    
     -- Julian Andres Klode <email address hidden>  Wed, 24 Nov 2021 14:50:16 +0100
  • openssl (1.1.1-1ubuntu2.1~18.04.13) bionic-security; urgency=medium
    
      * SECURITY UPDATE: SM2 Decryption Buffer Overflow
        - debian/patches/CVE-2021-3711-1.patch: correctly calculate the length
          of SM2 plaintext given the ciphertext in crypto/sm2/sm2_crypt.c,
          crypto/sm2/sm2_pmeth.c, crypto/include/internal/sm2.h,
          test/sm2_internal_test.c.
        - debian/patches/CVE-2021-3711-2.patch: extend tests for SM2 decryption
          in test/recipes/30-test_evp_data/evppkey.txt.
        - debian/patches/CVE-2021-3711-3.patch: check the plaintext buffer is
          large enough when decrypting SM2 in crypto/sm2/sm2_crypt.c.
        - CVE-2021-3711
      * SECURITY UPDATE: Read buffer overrun in X509_aux_print()
        - debian/patches/CVE-2021-3712.patch: fix a read buffer overrun in
          X509_aux_print() in crypto/x509/t_x509.c.
        - debian/patches/CVE-2021-3712-2.patch: fix i2v_GENERAL_NAME to not
          assume NUL terminated strings in crypto/x509v3/v3_alt.c,
          crypto/x509v3/v3_utl.c, crypto/include/internal/x509_int.h.
        - debian/patches/CVE-2021-3712-3.patch: fix POLICYINFO printing to not
          assume NUL terminated strings in crypto/x509v3/v3_cpols.c.
        - debian/patches/CVE-2021-3712-4.patch: fix printing of
          PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings in
          crypto/x509v3/v3_pci.c.
        - debian/patches/CVE-2021-3712-5.patch: fix the name constraints code
          to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
        - debian/patches/CVE-2021-3712-6.patch: fix test code to not assume NUL
          terminated strings in test/x509_time_test.c.
        - debian/patches/CVE-2021-3712-7.patch: fix append_ia5 function to not
          assume NUL terminated strings in crypto/x509v3/v3_utl.c.
        - debian/patches/CVE-2021-3712-8.patch: fix NETSCAPE_SPKI_print
          function to not assume NUL terminated strings in
          crypto/asn1/t_spki.c.
        - debian/patches/CVE-2021-3712-9.patch: fix
          EC_GROUP_new_from_ecparameters to check the base length in
          crypto/ec/ec_asn1.c.
        - debian/patches/CVE-2021-3712-10.patch: allow fuzz builds to detect
          string overruns in crypto/asn1/asn1_lib.c.
        - debian/patches/CVE-2021-3712-11.patch: fix the error handling in
          i2v_AUTHORITY_KEYID in crypto/x509v3/v3_akey.c.
        - debian/patches/CVE-2021-3712-12.patch: allow fuzz builds to detect
          string overruns in crypto/asn1/asn1_lib.c.
        - debian/patches/CVE-2021-3712-13.patch: fix the name constraints code
          to not assume NUL terminated strings in crypto/x509v3/v3_ncons.c.
        - debian/patches/CVE-2021-3712-14.patch: fix i2v_GENERAL_NAME to not
          assume NUL terminated strings in crypto/x509v3/v3_utl.c.
        - CVE-2021-3712
    
     -- Marc Deslauriers <email address hidden>  Mon, 23 Aug 2021 13:02:39 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.10) bionic; urgency=medium
    
      * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994)
    
     -- Simon Chopin <email address hidden>  Fri, 23 Jul 2021 14:32:42 +0200
  • openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
        - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
          ssl/statem/extensions.c.
        - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
          <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
        - debian/patches/CVE-2021-3449-3.patch: add a test to
          test/recipes/70-test_renegotiation.t.
        - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
          always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
          ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
          ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
        - CVE-2021-3449
    
     -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 07:42:42 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Integer overflow in CipherUpdate
        - debian/patches/CVE-2021-23840-pre1.patch: add a new EVP error code in
          crypto/err/openssl.txt, crypto/evp/evp_err.c,
          include/openssl/evperr.h.
        - debian/patches/CVE-2021-23840.patch: don't overflow the output length
          in EVP_CipherUpdate calls in crypto/err/openssl.txt,
          crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
        - CVE-2021-23840
      * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
        - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
          crypto/x509/x509_cmp.c.
        - CVE-2021-23841
    
     -- Marc Deslauriers <email address hidden>  Wed, 17 Feb 2021 07:35:54 -0500
  • openssl (1.1.1-1ubuntu2.1~18.04.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
        - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
          DirectoryString in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
          in crypto/x509v3/v3_genn.c.
        - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
          types don't use implicit tagging in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
          to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
          crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
          include/openssl/asn1err.h.
        - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
          in test/v3nametest.c.
        - debian/patches/CVE-2020-1971-6.patch: add a test for
          encoding/decoding using an invalid ASN.1 Template in
          test/asn1_decode_test.c, test/asn1_encode_test.c.
        - CVE-2020-1971
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Dec 2020 09:54:45 -0500
  • openssl (1.1.1-1ubuntu2.1~18.04.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: ECDSA remote timing attack
        - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or
          zero cofactor, compute it in crypto/ec/ec_lib.c.
        - CVE-2019-1547
      * SECURITY UPDATE: Fork Protection
        - debian/patches/CVE-2019-1549.patch: ensure fork-safety without using
          a pthread_atfork handler in crypto/include/internal/rand_int.h,
          crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h,
          crypto/rand/rand_lib.c, crypto/threads_none.c,
          crypto/threads_pthread.c, crypto/threads_win.c,
          include/internal/cryptlib.h, test/drbgtest.c.
        - CVE-2019-1549
      * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
        - debian/patches/CVE-2019-1551.patch: fix an overflow bug in
          rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl.
        - CVE-2019-1551
      * SECURITY UPDATE: Padding Oracle issue
        - debian/patches/CVE-2019-1563.patch: fix a padding oracle in
          PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c,
          crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c,
          crypto/pkcs7/pk7_doit.c.
        - CVE-2019-1563
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 May 2020 15:15:54 -0400
  • openssl (1.1.1-1ubuntu2.1~18.04.5) bionic-security; urgency=medium
    
      * debian/patches/OPENSSL_malloc_init_hang.patch: make
        OPENSSL_malloc_init() a no-op to remove a potential infinite loop that
        can occur in some situations, such as with MySQL 5.7 on s390x.
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Nov 2019 11:58:35 -0500
  • openssl (1.1.1-1ubuntu2.1~18.04.4) bionic; urgency=medium
    
      * Import libraries/restart-without-asking as used in postinst, to
        prevent failure to configure the package without debconf database.
        LP: #1832919
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 20 Jun 2019 18:36:28 +0100
  • openssl (1.1.1-1ubuntu2.1~18.04.3) bionic; urgency=medium
    
      * Fix path to Xorg for reboot notifications on desktop. LP: #1832421
      * Cherrypick upstream fix to allow successful init of libssl and
        libcrypto using separate calls with different options. LP: #1832659
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 14 Jun 2019 13:50:28 +0100
  • openssl (1.1.1-1ubuntu2.1~18.04.2) bionic; urgency=medium
    
      * Cherrypick upstream patch to fix ca -spkac output to be text again.
        LP: #1828215
      * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
        CVE-2019-1543
      * Bump major version of OpenSSL in postinst to trigger services restart
        upon upgrade. Many services listed there must be restarted when
        upgrading 1.1.0 to 1.1.1. LP: #1832522
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 12 Jun 2019 00:12:47 +0100
  • openssl (1.1.1-1ubuntu2.1~18.04.1) bionic; urgency=medium
    
      * Backport OpenSSL 1.1.1 to 18.04 LTS. LP: #1797386
      * Adjust Breaks on versions published in bionic-release.
    
    openssl (1.1.1-1ubuntu2.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: timing side channel attack in DSA
        - debian/patches/CVE-2018-0734-1.patch: fix mod inverse in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-2.patch: fix timing vulnerability in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
          crypto/dsa/dsa_ossl.c.
        - CVE-2018-0734
      * SECURITY UPDATE: timing side channel attack in ECDSA
        - debian/patches/CVE-2018-0735.patch: fix timing vulnerability in
          crypto/ec/ec_mult.c.
        - CVE-2018-0735
    
    openssl (1.1.1-1ubuntu2) cosmic; urgency=medium
    
      * Fixup typpos in the autopkgtest binary name.
    
    openssl (1.1.1-1ubuntu1) cosmic; urgency=medium
    
      * Merge from Debian unstable, remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Further decrease security level from 1 to 0, for compatibility with
          openssl 1.0.2.
    
    openssl (1.1.1-1) unstable; urgency=medium
    
      * New upstream version.
       - Update symbol file for 1.1.1
       - CVE-2018-0732 (actually since pre8).
      * Add Breaks on python-httplib2 (Addresses: #907015)
      * Add hardening=+all.
      * Update to policy 4.2.1
        - Less verbose testsuite with terse
        - Use RRR=no
    
    openssl (1.1.1~~pre9-1) unstable; urgency=medium
    
      * New upstream version.
        - Support the final TLS 1.3 version (RFC 8446)
      * Upload to unstable
    
    openssl (1.1.1~~pre8-1) experimental; urgency=medium
    
      * New upstream version.
    
    openssl (1.1.1~~pre7-1) experimental; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
      * Fix CVE-2018-0737 (Closes: #895844).
    
    openssl (1.1.1~~pre6-2) experimental; urgency=medium
    
      * Update libssl1.1.symbols
    
    openssl (1.1.1~~pre6-1) experimental; urgency=medium
    
      * New upstream version
      * Increase default security level from 1 to 2. This moves from the 80 bit
        security level to the 112 bit security level and will require 2048 bit RSA
        and DHE keys.
    
    openssl (1.1.1~~pre4-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre4 (Closes: #892276, #894282).
      * Add riscv64 target (Closes: #891797).
    
    openssl (1.1.1~~pre3-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre3
      * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
      * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
      * Enable system default config to enforce TLS1.2 as a minimum.
    
    openssl (1.1.1~~pre2-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre2
    
    openssl (1.1.1~~pre1-1) experimental; urgency=medium
    
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
      * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
      * Enable afalgeng on Linux targets (Closes: #888305)
      * Update 1.1.1-pre1.
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 13 Dec 2018 14:02:15 +1100
  • openssl (1.1.0g-2ubuntu4.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: PortSmash side channel attack
        - debian/patches/CVE-2018-5407-*.patch: add large number of upstream
          commits to resolve this issue.
        - CVE-2018-5407
      * SECURITY UPDATE: timing side channel attack in DSA
        - debian/patches/CVE-2018-0734-1.patch: fix mod inverse in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-2.patch: fix timing vulnerability in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
          crypto/dsa/dsa_ossl.c.
        - CVE-2018-0734
      * SECURITY UPDATE: timing side channel attack in ECDSA
        - debian/patches/CVE-2018-0735-1.patch: fix timing vulnerability in
          crypto/ec/ec_mult.c.
        - debian/patches/CVE-2018-0735-2.patch: remove brace from bad
          cherry-pick in crypto/ec/ec_mult.c.
        - CVE-2018-0735
    
     -- Marc Deslauriers <email address hidden>  Wed, 05 Dec 2018 10:59:52 -0500
  • openssl (1.1.0g-2ubuntu4.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: ECDSA key extraction side channel
        - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA
          signature in crypto/ec/ecdsa_ossl.c.
        - CVE-2018-0495
      * SECURITY UPDATE: denial of service via long prime values
        - debian/patches/CVE-2018-0732.patch: reject excessively large primes
          in DH key generation in crypto/dh/dh_key.c.
        - CVE-2018-0732
      * SECURITY UPDATE: RSA cache timing side channel attack
        - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and
          BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in
          crypto/rsa/rsa_gen.c.
        - CVE-2018-0737
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Jun 2018 07:29:12 -0400
  • openssl (1.1.0g-2ubuntu4) bionic; urgency=medium
    
      * debian/patches/rehash-pass-on-dupes.patch: Don't return 1 when a duplicate
        certificate is found. (LP: #1764848)
    
     -- Brian Murray <email address hidden>  Wed, 25 Apr 2018 10:03:48 -0700
  • openssl (1.1.0g-2ubuntu3) bionic; urgency=medium
    
      * SECURITY UPDATE: overflow bug in AVX2 Montgomery multiplication
        - debian/patches/CVE-2017-3738.patch: fix digit correction bug in
          crypto/bn/asm/rsaz-avx2.pl.
        - CVE-2017-3738
      * SECURITY UPDATE: DoS via ASN.1 types with a recursive definition
        - debian/patches/CVE-2018-0739.patch: limit stack depth in
          crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c,
          include/openssl/asn1.h.
        - CVE-2018-0739
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Mar 2018 13:45:15 -0400
  • openssl (1.1.0g-2ubuntu2) bionic; urgency=medium
    
      * s390x: Add support for CPACF enhancements to openssl, for IBM z14. LP:
        #1743750
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 27 Feb 2018 13:01:19 +0000
  • openssl (1.1.0g-2ubuntu1) bionic; urgency=medium
    
      * Merge from Debian unstable, remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
    
    openssl (1.1.0g-2) unstable; urgency=high
    
      * Avoid problems with aes assembler on armhf using binutils 2.29
    
    openssl (1.1.0g-1) unstable; urgency=medium
    
      * New upstream version
        - Fixes CVE-2017-3735
        - Fixes CVE-2017-3736
      * Remove patches applied upstream
      * Temporary enable TLS 1.0 and 1.1 again (#875423)
      * Attempt to fix testsuite race condition
      * update no-symbolic.patch to apply
    
    openssl (1.1.0f-5) unstable; urgency=medium
    
      * Instead of completely disabling TLS 1.0 and 1.1, just set the minimum
        version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by
        calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version().
    
    openssl (1.1.0f-4) unstable; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * Add support for arm64ilp32, patch by Wookey (Closes: #867240)
    
      [ Kurt Roeckx ]
      * Disable TLS 1.0 and 1.1, leaving 1.2 as the only supported SSL/TLS
        version. This will likely break things, but the hope is that by
        the release of Buster everything will speak at least TLS 1.2. This will be
        reconsidered before the Buster release.
      * Fix a race condition in the test suite (Closes: #869856)
    
    openssl (1.1.0f-3) unstable; urgency=medium
    
      * Don't clean up a thread-local key we didn't create (Closes: #863707)
    
    openssl (1.1.0f-2) unstable; urgency=medium
    
      * Make the udeb use a versioned depends (Closes: #864080)
      * Conflict with libssl1.0-dev (Closes: #863367)
    
    openssl (1.1.0f-1) unstable; urgency=medium
    
      * New upstream version
        - Fix regression in req -x509 (Closes: #839575)
        - Properly detect features on the AMD Ryzen processor (Closes: #861145)
        - Don't mention -tls1_3 in the manpage (Closes: #859191)
      * Update libssl1.1.symbols for new symbols
      * Update man-section.patch
    
    openssl (1.1.0e-2) unstable; urgency=medium
    
      * Make openssl depend on perl-base (Closes: #860254)
    
    openssl (1.1.0e-1) unstable; urgency=high
    
      * New upstream version
        - Fixes CVE-2017-3733
        - Remove patches that are applied upstream.
    
    openssl (1.1.0d-2) unstable; urgency=medium
    
      * Fix building of arch and all packages in a minimal environment
        (Closes: #852900).
      * Fix precomputing SHA1 by adding the following patches from upstream:
        - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
        - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
        - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
        (Closes: #852920).
    
    openssl (1.1.0d-1) unstable; urgency=medium
    
      * New Upstream release
        - Fixes CVE-2017-3731
        - Fixes CVE-2017-3730
        - Fixes CVE-2017-3732
        - drop revert_ssl_read.patch and
          0001-Add-missing-zdelete-for-some-linux-arches.patch, applied upstream.
      * add new symbols.
    
    openssl (1.1.0c-4) unstable; urgency=medium
    
      * Make build-indep build again.
      * Don't depend on perl:any in openssl as it breaks debootstrap
        (Closes: #852017).
    
    openssl (1.1.0c-3) unstable; urgency=medium
    
      * Add myself as Uploader.
      * Add support for tilegx, patch by Helmut Grohne (Closes: #848957).
      * redo the rules file to some newer debhelper:
        - every file should remain, nothing should get lost
        - the scripts in the doc package gained an exec bit
        - openssl gained a dep on perl (the package contains perl scripts)
        - libssl1.0.2-dbg is gone, we have dbgsym now
        - dh compat 10
        - pkg.install instead of pkg.files is used for install
      * Mark libssl-doc as MA foreign
      * Update Standards-Version from 3.9.5 to 3.9.8. No changes required.
      * Document the change for openssl's enc command between 1.1.0 and pre 1.1.0
        in the NEWS file (Closes: #843064).
      * Add an override for lintian for the non-standard private directory
    
    openssl (1.1.0c-2) unstable; urgency=medium
    
      * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
        (Closes: #844234)
      * Add missing -zdelete on x32 (Closes: #844715)
      * Add a Breaks on salt-common. Addresses #844706
    
    openssl (1.1.0c-1) unstable; urgency=medium
    
      * New upstream release
        - Fix CVE-2016-7053
        - Fix CVE-2016-7054
        - Fix CVE-2016-7055
      * remove no-rpath.patch, applied upstream.
      * Remove old d2i test cases, use the one from the upstream tarball.
      * Update libssl1.1.symbols for new symbols.
    
    openssl (1.1.0b-2) unstable; urgency=low
    
      * Upload to unstable
    
    openssl (1.1.0b-1) experimental; urgency=medium
    
      * New upstream release
        - Fixes CVE-2016-6309
    
    openssl (1.1.0a-1) experimental; urgency=medium
    
      * New upstream release
        - Fix CVE-2016-6304
        - Fix CVE-2016-6305
        - Fix CVE-2016-6307
        - Fix CVE-2016-6308
      * Update c_rehash-compat.patch to apply to new version.
      * Update symbol file.
    
    openssl (1.1.0-1) experimental; urgency=medium
    
      [ Kurt Roeckx ]
      * New upstream version
      * Use Package-Type instead of XC-Package-Type
      * Remove "Priority: optional" in the binary packages.
      * Add Homepage
      * Use dpkg-buildflags's LDFLAGS also for building the shared libraries.
    
      [ Sebastian Andrzej Siewior ]
      * drop config-hurd.patch, we don't use `config' and it works without the
        patch.
      * Drop depend on zlib1g-dev since we don't use it anymore (Closes: #767207)
      * Make the openssl package Multi-Arch: foreign (Closes: #827028)
    
    openssl (1.1.0~pre6-1) experimental; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * drop engines-path.patch. Upstream uses a 1.1 suffixes now.
    
      [ Kurt Roeckx ]
      * New upstream version
      * Drop upstream snapshot
      * Update symbols file
      * Use some https instead of http URLs
    
    openssl (1.1.0~pre5-5) experimental; urgency=medium
    
      * Update snapshot to commit fe964f0c88f6780fd30b26e306484b981b0a8480
    
    openssl (1.1.0~pre5-4) experimental; urgency=medium
    
      * Update snapshot to commit c32bdbf171ce6650ef045ec47b5abe0de7c264db
      * Remove utils-mkdir-p-check-if-dir-exists-also-after-mkdir-f.patch, applied
        upstream
    
    openssl (1.1.0~pre5-3) experimental; urgency=medium
    
      [ Kurt Roeckx ]
      * Don't use assembler on hppa, it's not written for Linux.
    
    openssl (1.1.0~pre5-2) experimental; urgency=medium
    
      [ Sebastian Andrzej Siewior ]
      * Run the testsuite with verbose output.
      * Use $(MAKE) so the whole make environment is passed to its child and we
        can build in parallel with -jX
      * Update snapshot to commit 5000a6d1215e ("Fix an error path leak in int
        X509_ATTRIBUTE_set1_data()")
    
    openssl (1.1.0~pre5-1) experimental; urgency=medium
    
      * New upstream version with soname change.  Upload to experimental.
        - Rename binary packages
        - Remove patches:
          - block_diginotar.patch: All cross certificates expired in 2013
          - block_digicert_malaysia.patch: intermediate certificates expired in
            2015
          - man-dir.patch: Fixed upstream
          - valgrind.patch: Upstream no longer adds the uninitialized data to the
            RNG
          - shared-lib-ext.patch: No longer needed
          - version-script.patch: Upstream does symbol versioning itself now
          - disable_freelist.patch: No longer needed
          - soname.patch: Was to change to the 1.0.2 soname that upstream never had
          - disable_sslv3_test.patch: Fixed upstream
          - libdoc-manpgs-pod-spell.patch: Fixed upstream (Closes: #813191)
        - Rewrite debian-targets.patch to work with the new configuration system.
        - Update other patches to apply
        - Update list of install docs
        - Use DESTDIR instead of INSTALL_PREFIX
        - Clean up more files
        - Remove the configure option enable-tlsext no-ssl2 since they're no
          longer supported.
      * Add upstream snapshot:
        - Add d2i-tests.tar to get new binary test files.
      * Don't build i686 optimized version anymore on i386, it's now the default.
        (Closes: #823774)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 05 Feb 2018 13:16:42 +0000
  • openssl (1.0.2n-1ubuntu1) bionic; urgency=medium
    
      * Merge with Debian, remaining changes.
        - Use openssl source package name, instead of openssl1.0.
        - Make libssl-dev a metapackage pointing at libssl1.0-dev package.
        - Ship openssl package.
        - Disable SSLv3 without changing ABI:
          + debian/patches/no-sslv3.patch: Disable SSLv3 without using the
            no-ssl3-method option
          + debian/rules: don't use no-ssl3-method, don't bump soname
          + debian/patches/engines-path.patch: don't bump soname
          + debian/patches/version-script.patch: don't bump soname
          + debian/patches/soname.patch: removed
          + debian/lib*: don't bump soname
        - debian/rules: don't enable rfc3779 and cms support for now as it
          changes ABI.
        - debian/libssl1.0.0.postinst:
          + Display a system restart required notification on libssl1.0.0
            upgrade on servers.
          + Use a different priority for libssl1.0.0/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
        - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
          rules}: Move runtime libraries to /lib, for the benefit of
          wpasupplicant.
        - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
          .pc.
        - debian/rules:
          + Don't run 'make test' when cross-building.
          + Use host compiler when cross-building.  Patch from Neil Williams.
          + Fix Makefile to properly clean up libs/ dirs in clean target.
          + Replace duplicate files in the doc directory with symlinks.
        - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-*
        - Enable asm optimisations on s390x. LP: #1602655.
    
      * Changes applied in Debian:
        - debian/rules: Enable optimized 64bit elliptic curve code contributed
          by Google.
        - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
          libssl1.0.0-udeb, for the benefit of wget-udeb. Same has been applied
          in Debian.
    
       * Dropped patches, part of new upstream release:
          - CVE-2016-2105.patch
          - CVE-2016-2106.patch
          - CVE-2016-2107.patch
          - CVE-2016-2108.patch
          - CVE-2016-2109.patch
          - 0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch
          - CVE-2016-2177.patch
          - CVE-2016-2178-1.patch
          - CVE-2016-2178-2.patch
          - CVE-2016-2179.patch
          - CVE-2016-2180.patch
          - CVE-2016-2181-1.patch
          - CVE-2016-2181-2.patch
          - CVE-2016-2181-3.patch
          - CVE-2016-2182.patch
          - CVE-2016-2183.patch
          - CVE-2016-6302.patch
          - CVE-2016-6303.patch
          - CVE-2016-6304.patch
          - CVE-2016-6306-1.patch
          - CVE-2016-6306-2.patch
          - CVE-2016-2182-2.patch
          - CVE-2016-7055.patch
          - CVE-2016-8610.patch
          - CVE-2016-8610-2.patch
          - CVE-2017-3731.patch
          - CVE-2017-3732.patch
          - move-extended-feature-detection.patch
          - fix-sha-ni.patch
          - CVE-2017-3735.patch
          - CVE-2017-3736.patch
          - fix_armhf_ftbfs.patch
          - CVE-2017-3737-pre.patch
          - CVE-2017-3737-1.patch
          - CVE-2017-3737-2.patch
          - CVE-2017-3738.patch
    
    openssl1.0 (1.0.2n-1) unstable; urgency=medium
    
      * New upstream version 1.0.2n
        - drop patches which applied upstream:
          - 0001-Fix-no-ssl3-build.patch
          - 0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
        - Fixes CVE-2017-3737 (Read/write after SSL object in error state)
        - Fixes CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
      * move to gbp
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
    
    openssl1.0 (1.0.2m-3) unstable; urgency=medium
    
      * Avoid problems with aes and sha256 assembler on armhf using binutils 2.29
    
    openssl1.0 (1.0.2m-2) unstable; urgency=medium
    
      * Fix no-ssl3-method build
    
    openssl1.0 (1.0.2m-1) unstable; urgency=high
    
      [ Kurt Roeckx ]
      * New upstream version
        - Fixes CVE-2017-3735
        - Fixes CVE-2017-3736
    
      [ Sebastian Andrzej Siewior ]
      * Add support for arm64ilp32, Patch by Wookey (Closes: #874709).
    
    openssl1.0 (1.0.2l-2) unstable; urgency=medium
    
      * Make the udeb use a versioned depends (Closes: #864081)
    
    openssl1.0 (1.0.2l-1) unstable; urgency=medium
    
      * New upstream release
        - Properly detect features on the AMD Ryzen processor (Closes: #861145)
      * Refresh valgrind.patch
    
    openssl1.0 (1.0.2k-1) unstable; urgency=medium
    
      * New upstream release
        - Fixes CVE-2017-3731
        - Fixes CVE-2017-3732
        - Fixes CVE-2016-7055
    
    openssl1.0 (1.0.2j-5) unstable; urgency=medium
    
      * Add myself as Uploader.
      * Drop zlib1g-dev from libssl1.0-dev's deps (Closes: #845945).
      * Mark RC4 and 3DES as weak which removes them from the SSL/TLS protocol
        (Closes: #736687).
      * Update Standards-Version, no change required.
      * Drop asm support for X32 because the testsuite segfaults.
      * Limit the watchfile to the 1.0.2x series.
      * Redo rules file to newer debhelper syntax
      * Add homepage field
      * Remove recommends for libssl-doc because the doc package from 1.1.0 is not
        really matching the -dev package from 1.0.2
    
    openssl1.0 (1.0.2j-4) unstable; urgency=medium
    
      * Re-add udebs
    
    openssl1.0 (1.0.2j-3) unstable; urgency=medium
    
      * Upload to unstable
    
    openssl1.0 (1.0.2j-2) experimental; urgency=medium
    
      * Provide a 1.0.2 version of the library for Stretch.
    
    openssl (1.0.2j-1) unstable; urgency=medium
    
      * New upstream release
        - Fixes CVE-2016-7052
    
    openssl (1.0.2i-1) unstable; urgency=high
    
      * New upstream version
        - Fix CVE-2016-2177
        - Fix CVE-2016-2178
        - Fix CVE-2016-2179
        - Fix CVE-2016-2180
        - Fix CVE-2016-2181
        - Fix CVE-2016-2182
        - Fix CVE-2016-2183
        - Fix CVE-2016-6302
        - Fix CVE-2016-6303
        - Fix CVE-2016-6304
        - Fix CVE-2016-6306
      * Drop ca.patch, option is now documented upstream
      * Update engines-path.patch to also update the libcrypto.pc, now that that
        has an enginesdir in it.
    
    openssl (1.0.2h-2) unstable; urgency=medium
    
      * Re-add libdoc-manpgs-pod-spell.patch to series files (Closes: #813191)
      * Don't build i686 optimized version anymore on i386, it's now the default.
        (Closes: #823774)
    
    openssl (1.0.2h-1) unstable; urgency=high
    
      * New upstream version
        - Fixes CVE-2016-2107
        - Fixes CVE-2016-2105
        - Fixes CVE-2016-2106
        - Fixes CVE-2016-2109
        - Fixes CVE-2016-2176
    
    openssl (1.0.2g-2) unstable; urgency=medium
    
      * Use assembler of arm64 (Closes: #794326)
        Patch from Riku Voipio <email address hidden>
      * Add a udeb for libssl, based on similar changes done in Ubuntu
        starting in version 0.9.8o-4ubuntu1 (Closes: #802591)
        Patch from Margarita Manterola <email address hidden>
      * Add support for nios2 (Closes: #816239)
        Based on patch from Marek Vasut <email address hidden>
      * Update Spanish translation from Manuel "Venturi" Porras Peralta
        <email address hidden> (Closes: #773601)
      * Don't build an i586 optimized version anymore, the default
        already targets that.  Patch from Sven Joachim <email address hidden>
        (Closes: #759811)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 15 Jan 2018 13:10:21 +0000
  • openssl (1.0.2g-1ubuntu15) bionic; urgency=medium
    
      * SECURITY UPDATE: Read/write after SSL object in error state
        - debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*,
          add to test/Makefile.
        - debian/patches/CVE-2017-3737-1.patch: don't allow read/write after
          fatal error in ssl/ssl.h.
        - debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile,
          ssl/fatalerrtest.c, test/Makefile.
        - CVE-2017-3737
      * SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64
        - debian/patches/CVE-2017-3738.patch: fix digit correction bug in
          crypto/bn/asm/rsaz-avx2.pl.
        - CVE-2017-3738
    
     -- Marc Deslauriers <email address hidden>  Thu, 07 Dec 2017 13:13:10 -0500
  • openssl (1.0.2g-1ubuntu14) bionic; urgency=medium
    
      * SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
        - debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
          crypto/x509v3/v3_addr.c.
        - CVE-2017-3735
      * SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64
        - debian/patches/CVE-2017-3736.patch: fix carry bug in
          bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl.
        - CVE-2017-3736
      * debian/patches/fix_armhf_ftbfs.patch: fix build with gcc-7.2 on armhf.
        (LP: #1729850)
    
     -- Marc Deslauriers <email address hidden>  Mon, 06 Nov 2017 07:56:00 -0500
  • openssl (1.0.2g-1ubuntu13) artful; urgency=medium
    
      * aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
        (LP: #1674399)
    
     -- William Grant <email address hidden>  Fri, 19 May 2017 18:31:50 +1000