Change logs for openssl source package in Cosmic

  • openssl (1.1.1-1ubuntu2.5) cosmic; urgency=medium
    
      * Import libraries/restart-without-asking as used in postinst, to
        prevent failure to configure the package without debconf database.
        LP: #1832919
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 20 Jun 2019 18:34:53 +0100
  • openssl (1.1.1-1ubuntu2.4) cosmic; urgency=medium
    
      * Bump major version of OpenSSL in postinst to trigger services restart
        upon upgrade. Many services listed there must be restarted when
        upgrading 1.1.0 to 1.1.1. LP: #1832522
      * Fix path to Xorg for reboot notifications on desktop. LP: #1832421
      * Cherrypick upstream fix to allow successful init of libssl and
        libcrypto using separate calls with different options. LP: #1832659
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 14 Jun 2019 13:27:38 +0100
  • openssl (1.1.1-1ubuntu2.3) cosmic; urgency=medium
    
      * Cherrypick upstream patch to fix ca -spkac output to be text again.
        LP: #1828215
      * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
        CVE-2019-1543
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 12 Jun 2019 00:09:23 +0100
  • openssl (1.1.1-1ubuntu2.2) cosmic; urgency=medium
    
      * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
        OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898
    
      * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch
        to revert TLS_SECURITY_LEVEL back to 1. LP: #1822984
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 03 Apr 2019 20:37:01 +0100
  • openssl (1.1.1-1ubuntu2.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: timing side channel attack in DSA
        - debian/patches/CVE-2018-0734-1.patch: fix mod inverse in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-2.patch: fix timing vulnerability in
          crypto/dsa/dsa_ossl.c.
        - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
          crypto/dsa/dsa_ossl.c.
        - CVE-2018-0734
      * SECURITY UPDATE: timing side channel attack in ECDSA
        - debian/patches/CVE-2018-0735.patch: fix timing vulnerability in
          crypto/ec/ec_mult.c.
        - CVE-2018-0735
    
     -- Marc Deslauriers <email address hidden>  Tue, 04 Dec 2018 08:15:09 -0500
  • openssl (1.1.1-1ubuntu2) cosmic; urgency=medium
    
      * Fixup typos in the autopkgtest binary name.
    
    openssl (1.1.1-1ubuntu1) cosmic; urgency=medium
    
      * Merge from Debian unstable, remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Further decrease security level from 1 to 0, for compatibility with
          openssl 1.0.2.
    
    openssl (1.1.1-1) unstable; urgency=medium
    
      * New upstream version.
       - Update symbol file for 1.1.1
       - CVE-2018-0732 (actually since pre8).
      * Add Breaks on python-httplib2 (Addresses: #907015)
      * Add hardening=+all.
      * Update to policy 4.2.1
        - Less verbose testsuite with terse
        - Use RRR=no
    
    openssl (1.1.1~~pre9-1) unstable; urgency=medium
    
      * New upstream version.
        - Support the final TLS 1.3 version (RFC 8446)
      * Upload to unstable
    
    openssl (1.1.1~~pre8-1) experimental; urgency=medium
    
      * New upstream version.
    
    openssl (1.1.1~~pre7-1) experimental; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
      * Fix CVE-2018-0737 (Closes: #895844).
    
    openssl (1.1.1~~pre6-2) experimental; urgency=medium
    
      * Update libssl1.1.symbols
    
    openssl (1.1.1~~pre6-1) experimental; urgency=medium
    
      * New upstream version
      * Increase default security level from 1 to 2. This moves from the 80 bit
        security level to the 112 bit security level and will require 2048 bit RSA
        and DHE keys.
    
    openssl (1.1.1~~pre4-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre4 (Closes: #892276, #894282).
      * Add riscv64 target (Closes: #891797).
    
    openssl (1.1.1~~pre3-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre3
      * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
      * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
      * Enable system default config to enforce TLS1.2 as a minimum.
    
    openssl (1.1.1~~pre2-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre2
    
    openssl (1.1.1~~pre1-1) experimental; urgency=medium
    
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
      * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
      * Enable afalgeng on Linux targets (Closes: #888305)
      * Update 1.1.1-pre1.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 25 Sep 2018 15:41:07 +0100
  • openssl (1.1.1-1ubuntu1) cosmic; urgency=medium
    
      * Merge from Debian unstable, remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
        - Revert "Enable system default config to enforce TLS1.2 as a
          minimum" & "Increase default security level from 1 to 2".
        - Further decrease security level from 1 to 0, for compatibility with
          openssl 1.0.2.
    
    openssl (1.1.1-1) unstable; urgency=medium
    
      * New upstream version.
       - Update symbol file for 1.1.1
       - CVE-2018-0732 (actually since pre8).
      * Add Breaks on python-httplib2 (Addresses: #907015)
      * Add hardening=+all.
      * Update to policy 4.2.1
        - Less verbose testsuite with terse
        - Use RRR=no
    
    openssl (1.1.1~~pre9-1) unstable; urgency=medium
    
      * New upstream version.
        - Support the final TLS 1.3 version (RFC 8446)
      * Upload to unstable
    
    openssl (1.1.1~~pre8-1) experimental; urgency=medium
    
      * New upstream version.
    
    openssl (1.1.1~~pre7-1) experimental; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
      * Fix CVE-2018-0737 (Closes: #895844).
    
    openssl (1.1.1~~pre6-2) experimental; urgency=medium
    
      * Update libssl1.1.symbols
    
    openssl (1.1.1~~pre6-1) experimental; urgency=medium
    
      * New upstream version
      * Increase default security level from 1 to 2. This moves from the 80 bit
        security level to the 112 bit security level and will require 2048 bit RSA
        and DHE keys.
    
    openssl (1.1.1~~pre4-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre4 (Closes: #892276, #894282).
      * Add riscv64 target (Closes: #891797).
    
    openssl (1.1.1~~pre3-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre3
      * Don't suggest 1024 bit RSA key to be typical (Closes: #878303).
      * Don't insist on TLS1.3 cipher for <TLS1.3 connections (Closes: #891570).
      * Enable system default config to enforce TLS1.2 as a minimum.
    
    openssl (1.1.1~~pre2-1) experimental; urgency=medium
    
      * Update to 1.1.1-pre2
    
    openssl (1.1.1~~pre1-1) experimental; urgency=medium
    
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
      * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
      * Enable afalgeng on Linux targets (Closes: #888305)
      * Update 1.1.1-pre1.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 17 Sep 2018 13:24:38 +0100
  • openssl (1.1.0h-4ubuntu1) cosmic; urgency=medium
    
      * Merge from Debian unstable, remaining changes:
        - Replace duplicate files in the doc directory with symlinks.
        - debian/libssl1.1.postinst:
          + Display a system restart required notification on libssl1.1
            upgrade on servers.
          + Use a different priority for libssl1.1/restart-services depending
            on whether a desktop, or server dist-upgrade is being performed.
        - s390x: Add support for CPACF enhancements to openssl, for IBM z14.
        - grab fixes for CVE-2018-0495 and CVE-2018-0732
    
    openssl (1.1.0h-4) unstable; urgency=medium
    
      * Build the binary in indep mode again, so we can install the documentation
        again.
      * Drop @echo in flavour so it builds again on Alpha
      * Add a 25-test_verify.t for autopkgtest which runs against installed
        openssl binary.
    
    openssl (1.1.0h-3) unstable; urgency=medium
    
      * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
        the linux target.
      * Fix regression with session cache use by clients (See: #895035).
      * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and
        #895482).
      * Fix debian-rules-sets-dpkg-architecture-variable.
      * Let VCS-* point to salsa.d.o.
      * Don't build the binary package in binary-indep mode.
      * Update to policy 4.1.4
        - only Suggest: libssl-doc instead of Recommends (only documentation and
          example code is shipped).
        - drop Priority: important.
        - use signing-key.asc and https links for downloads
      * Use compat 11.
        - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
          seems to make sense.
      * Fix CVE-2018-0737 (Closes: #895844).
    
    openssl (1.1.0h-2) unstable; urgency=high
    
      * Revert "only quote stuff that actually needs quoting" so c_rehash has the
        quotes again (Closes: #894282).
    
    openssl (1.1.0h-1) unstable; urgency=medium
    
      * Abort the build if symbols are discovered which are not part of the
        symbols file.
      * Add config support for MIPS R6, patch by YunQiang Su (Closes: #882007).
      * Enable afalgeng on Linux targets (Closes: #888305)
      * Add riscv64 target (Closes: #891797).
      * New upstream release 1.1.0h
        - Drop applied patches:
           aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-binut.patch
        - Update symbols file.
        - Fix CVE-2017-3738 (rsaz_1024_mul_avx2 overflow bug on x86_64)
        - Fix CVE-2018-0733 (Incorrect CRYPTO_memcmp on HP-UX PA-RISC)
        - Fix CVE-2018-0739 (Constructed ASN.1 types with a recursive definition
              could exceed the stack)
      * Correct lhash typo in header file (Closes: #892276).
    
     -- Gianfranco Costamagna <email address hidden>  Sun, 26 Aug 2018 19:31:06 +0200
  • openssl (1.1.0g-2ubuntu5) cosmic; urgency=medium
    
      * SECURITY UPDATE: ECDSA key extraction side channel
        - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA
          signature in crypto/ec/ecdsa_ossl.c.
        - CVE-2018-0495
      * SECURITY UPDATE: denial of service via long prime values
        - debian/patches/CVE-2018-0732.patch: reject excessively large primes
          in DH key generation in crypto/dh/dh_key.c.
        - CVE-2018-0732
      * SECURITY UPDATE: RSA cache timing side channel attack
        - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in
          crypto/rsa/rsa_gen.c.
        - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and
          BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in
          crypto/rsa/rsa_gen.c.
        - CVE-2018-0737
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Jun 2018 07:13:37 -0400
  • openssl (1.1.0g-2ubuntu4) bionic; urgency=medium
    
      * debian/patches/rehash-pass-on-dupes.patch: Don't return 1 when a duplicate
        certificate is found. (LP: #1764848)
    
     -- Brian Murray <email address hidden>  Wed, 25 Apr 2018 10:03:48 -0700