-
openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium
* Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
to validate, as it is common on self-signed leaf certificates.
(LP: #1926254)
- d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
- d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
- d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
* Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
error when attempting to build a source package, due to pr12272.patch
patching files multiple times within the same patch. (LP: #1927161)
- d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
- d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
- d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
- d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
- d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch
-- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:13:30 +1200
-
openssl (1.1.1f-1ubuntu4.3) groovy-security; urgency=medium
* SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
- debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
ssl/statem/extensions.c.
- debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
<= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
- debian/patches/CVE-2021-3449-3.patch: add a test to
test/recipes/70-test_renegotiation.t.
- debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
- CVE-2021-3449
-- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 07:33:17 -0400
-
openssl (1.1.1f-1ubuntu4.2) groovy-security; urgency=medium
* SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
in EVP_CipherUpdate calls in crypto/err/openssl.txt,
crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
- CVE-2021-23840
* SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
crypto/x509/x509_cmp.c.
- CVE-2021-23841
-- Marc Deslauriers <email address hidden> Wed, 17 Feb 2021 07:32:55 -0500
-
openssl (1.1.1f-1ubuntu4.1) groovy-security; urgency=medium
* SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
- debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
DirectoryString in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
in crypto/x509v3/v3_genn.c.
- debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
types don't use implicit tagging in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
include/openssl/asn1err.h.
- debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
in test/v3nametest.c.
- debian/patches/CVE-2020-1971-6.patch: add a test for
encoding/decoding using an invalid ASN.1 Template in
test/asn1_decode_test.c, test/asn1_encode_test.c.
- CVE-2020-1971
-- Marc Deslauriers <email address hidden> Wed, 02 Dec 2020 09:43:55 -0500
-
openssl (1.1.1f-1ubuntu4) groovy; urgency=medium
* Cherrypick upstream fix for non-interactive detection on Linux. LP:
#1879826
* Cherrypick AES CTR-DRBG: performance improvement LP: #1799928
* Skip services restart & reboot notification if needrestart is in-use
LP: #1895708
-- Dimitri John Ledkov <email address hidden> Tue, 15 Sep 2020 18:04:36 +0100
-
openssl (1.1.1f-1ubuntu3) groovy; urgency=medium
* Import https://github.com/openssl/openssl/pull/12272.patch to enable
CET.
-- Dimitri John Ledkov <email address hidden> Thu, 25 Jun 2020 14:18:43 +0100
-
openssl (1.1.1f-1ubuntu2) focal; urgency=medium
* SECURITY UPDATE: Segmentation fault in SSL_check_chain
- debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in
test/recipes/70-test_sslsigalgs.t.
- debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in
SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c.
- debian/patches/CVE-2020-1967-3.patch: fix test in
test/recipes/70-test_sslsigalgs.t.
- debian/patches/CVE-2020-1967-4.patch: fix test in
test/recipes/70-test_sslsigalgs.t.
- CVE-2020-1967
-- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 07:53:50 -0400